Bug 1531961 - Booting in insecure mode reported while secure boot is apparently enabled
Summary: Booting in insecure mode reported while secure boot is apparently enabled
Status: CLOSED DUPLICATE of bug 1544794
Alias: None
Product: Fedora
Classification: Fedora
Component: shim-signed
Version: 27
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-01-06 22:02 UTC by Maxime Ripard
Modified: 2018-04-06 18:54 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-04-06 18:54:53 UTC
Type: Bug

Attachments (Terms of Use)

Description Maxime Ripard 2018-01-06 22:02:59 UTC
Description of problem:

On a Dell XPS13 (9360), the shim displays a message at boot that it is "Booting in insecure mode". The install has been done over the vendor Ubuntu install, using the Fedora 25 installer, and upgraded since. The issue has always been there.

Secure boot is enabled in the UEFI configuration interface.

The kernel indeed reports that it has been booted with secure boot disabled:
$ dmesg | grep Secure
[    0.000000] secureboot: Secure boot disabled

however, mokutil seems to report that secure boot is indeed enabled:
$ mokutil --sb-state
SecureBoot enabled

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Boot the machine, see your Schrödinger's boot :)

Actual results:
Secure boot is disabled

Expected results:
Secure boot is enabled

Let me know if you need anything else, thanks!

Comment 1 Adam Bishop 2018-03-07 13:03:53 UTC
I've just configured an XPS 13 (9370) and had the exactly the same thing.

It's rather concerning that something has (effectively silently, to a non-technical user) disabled an important security feature.

Comment 2 Maxime Ripard 2018-04-06 18:54:53 UTC
This has been discussed here:

You need to run mokutil --enable-validation (as root), reboot, and it should work.

*** This bug has been marked as a duplicate of bug 1544794 ***

Note You need to log in before you can comment on or make changes to this bug.