
Thread: efi SecureBoot not working after update of 18.04

  1. #1
    Join Date
    Oct 2018
    Beans
    44
    Distro
    Ubuntu Studio 20.04 Focal Fossa

    efi SecureBoot not working after update of 18.04

    Hello,

    on my system I have dual boot installed. First I installed Windows 10 and afterwards Ubuntu 16 (Ubuntu Studio). Some weeks ago I did an upgrade to 18.04, where I had trouble with the update of grub. So this was the message:

    ####################################
    Your system has UEFI Secure Boot enabled in firmware, and the following kernels present on your system are unsigned:

    4.4.0-135-lowlatency


    These kernels cannot be verified under Secure Boot. To ensure your system remains bootable, GRUB will not be upgraded on your disk until these kernels are removed or replaced with signed kernels.

    ->installed grub-efi-amd64 package post-installation script subprocess returned error exit status 1
    ####################################

    So I moved these kernel files to a different folder and grub update worked fine. I was still able to boot my system with SecureBoot on.

    After a while, an update forced me to enter a password, to reboot, and enter the password again in my bios. That had something to do with MOK. Still my system worked fine.

    On Oct 13th I updated again and did a reboot. Since then, my system will not Secureboot anymore. I tried boot-repair, but nothing will help. It just runs into a black screen when Secureboot is set in BIOS. As evidence, I attached extracts from the journal here showing the differences.

    I really have no idea how to fix this.

    So here is the journal extract: Journalctl_SecureBoot.txt

    and here the boot-repair report

    http://paste.ubuntu.com/p/pgmvbFjG6d/

  2. #2
    Join Date
    Oct 2018
    Beans
    44
    Distro
    Ubuntu Studio 20.04 Focal Fossa

    Re: efi SecureBoot not working after update of 18.04

    Ok, it's been 22 hours since I posted this. So nobody can deal with this, is that true?

    I have some further news on this. I found out that the setting of CSM in bios had an effect. So if it is enabled, the system won't secureboot with the ubuntu boot loader but will do this with the windows loader. When I switch CSM in bios to "disabled" I am able to boot in secureboot with the ubuntu boot loader (shim).

    But what is this? Before the ubuntu update I had CSM enabled, I have never touched that setting in bios.

    Can somebody explain please?

  3. #3
    Join Date
    Mar 2011
    Beans
    1,994

    Re: efi SecureBoot not working after update of 18.04

    Did you use the signed version of the package? e.g. linux-signed-image-4.4.0-137-lowlatency

  4. #4
    Join Date
    Oct 2018
    Beans
    44
    Distro
    Ubuntu Studio 20.04 Focal Fossa

    Re: efi SecureBoot not working after update of 18.04

    Dear ubfan,

    sure I am using signed kernels, because otherwise I would not be able to SecureBoot. The problem is, in my opinion, not the kernel; the boot process does not start grub, it seems, when csm is enabled in bios. The new attachment shows the installed packages that are somehow signed. I think some of them are not necessary.

    Again:
    • When rebooting with SecureBoot and CSM enabled, no GRUB menu, just blank, black screen
    • When rebooting with SecureBoot and CSM disabled, GRUB menu and Secure booted system
    • When rebooting with SecureBoot disabled and CSM on, Grub menu and not secure booted system (as expected)


    see Attachment here
    Bildschirmfoto_2018-10-22_19-02-16.png

  5. #5
    Join Date
    Jun 2009
    Location
    SW Forida
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: efi SecureBoot not working after update of 18.04

    CSM is BIOS boot.
    CSM - UEFI Compatibility Support Module (CSM), which emulates a BIOS mode

    The only way you might be booting with CSM on is that UEFI tries that first, sees you have no BIOS boot loader in gpt's protective MBR and reverts to a UEFI boot.

    Almost all systems will not let you turn on CSM if Secure Boot is on. CSM is not secure as it is the old BIOS boot.
    But a few BIOSes do seem to want CSM on to boot, but you have to select UEFI boot.

    You are showing some signed kernels, but grub menu is not using them.
    I might run the suggested repair:


    Code:
    =================== Suggested repair
    The default repair of the Boot-Repair utility would reinstall the grub-efi-amd64-signed of sda5, using the following options:        sda2/boot/efi,
    Additional repair would be performed: unhide-bootmenu-10s   fix-windows-boot use-standard-efi-file  restore-efi-backups

    If you have installed any proprietary drivers for video or WiFi, then you probably cannot turn secure boot on as they are not signed, so Ubuntu cannot fully say system is secure.

    UEFI boot install & repair info - Regularly Updated :
    https://ubuntuforums.org/showthread.php?t=2147295
    Please use Thread Tools above first post to change to [Solved] when/if answered completely.

  6. #6
    Join Date
    Mar 2011
    Beans
    1,994

    Re: efi SecureBoot not working after update of 18.04

    I assume sdb is just a data disk, although it has a Windows boot block on it. With sda being gpt, you are booting Windows in UEFI mode (should work with secure boot). Ubuntu on sda is installed in UEFI mode, BUT the kernels listed in grub are NOT the signed ones (they do not have "signed" in their names). This would have actually worked when shim/grub allowed unsigned kernels (modules) to boot, but that changed several years ago (I thought earlier than 16.04, but I may be wrong). In any case, CSM is legacy support, and you don't seem to need that. You do seem to need the kernel packages which have "signed" in their names -- which is what the error message stated.

  7. #7
    Join Date
    Oct 2018
    Beans
    44
    Distro
    Ubuntu Studio 20.04 Focal Fossa

    Re: efi SecureBoot not working after update of 18.04

    Thanks everybody for the replies, and let us go further with this.

    Signed or unsigned kernel:
    -------------------------------------------------------
    Last journalctl of booting with CSM disabled and SecureBoot enabled shows:

    Okt 22 15:57:08 Zuse2016 kernel: efi: EFI v2.50 by American Megatrends
    Okt 22 15:57:08 Zuse2016 kernel: efi: ESRT=0x8b1add98 ACPI=0x8a217000 ACPI 2.0=0x8a217000 SMBIOS=0x8b1ab000 SMBIOS 3.0=0x8b1aa000
    Okt 22 15:57:08 Zuse2016 kernel: secureboot: Secure boot enabled
    Okt 22 15:57:08 Zuse2016 kernel: Kernel is locked down from EFI secure boot; see man kernel_lockdown.7

    What does this kernel_lockdown mean?

    uname -a shows
    Linux Zuse2016 4.15.0-36-lowlatency #39-Ubuntu SMP PREEMPT Tue Sep 25 00:16:08 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

    And take a look at this new attachment showing that the normal kernels are also signed and the kernels with "signed" in their name are transitional packages:



    Note! I am using ubuntu 18.04. Are you really sure, that with SecureBoot on, unsigned kernels are loaded?

    CSM:
    -------------------------------------------------
    First of all and again I have to say that before the last update of Ubuntu, CSM was enabled and the system was booting with SecureBoot enabled. After the update, booting hangs without showing the Grub menu. So if kernel_lockdown means that Grub loads an unsigned kernel, there has been a misunderstanding on my side. But the kernel comes into play when Grub has started and a Grub menu is showing up. Isn't it so?

    So do I really have to clear every (legacy) boot entry in the GPT? If boot-repair has not done it, I myself didn't install legacy boot entries in GPT either.

    Oh dear. Where will this all lead me to?

  8. #8
    Join Date
    Jun 2009
    Location
    SW Forida
    Beans
    Hidden!
    Distro
    Kubuntu

    Re: efi SecureBoot not working after update of 18.04

    I do not use Secure boot.
    What does this say?
    see
    man kernel_lockdown.7

    I thought you had installed the signed kernels. You are just posting the synaptic list of kernels. You do need to install a signed kernel.

    If not using signed kernel not sure then what is happening with your system.
    I did not think it really was UEFI Secure boot unless you had signed kernels.

  9. #9
    Join Date
    Oct 2018
    Beans
    44
    Distro
    Ubuntu Studio 20.04 Focal Fossa

    Re: efi SecureBoot not working after update of 18.04

    Ok, I will have a look at man kernel_lockdown.7

    The green icon in front of each row in synaptic means "installed".

  10. #10
    Join Date
    Mar 2011
    Beans
    1,994

    Re: efi SecureBoot not working after update of 18.04

    Do the signed kernels exist in the /boot directory? If so, just run sudo update-grub.
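
Whether a kernel image in /boot carries a signature can be read from the file itself rather than inferred from the package name. The following is an added example, not part of the thread: it parses the PE header of an EFI-bootable kernel image and reports whether a certificate table is attached. The names `cert_table`, `is_signed` and `build_sample` are chosen here, and the sample image is constructed.

```python
import struct
import sys

SECURITY_DIR = 4  # index of the certificate table in the PE data directories

def cert_table(image: bytes):
    """Return (file_offset, size) of the embedded signature table; (0, 0) if none."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("no MZ header: not an EFI-bootable PE image")
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("PE signature not found")
        opt = pe_off + 24                      # skip "PE\0\0" + 20-byte COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):        # PE32 / PE32+
            raise ValueError("unknown optional header magic")
        dirs = opt + (112 if magic == 0x20B else 96)
        (count,) = struct.unpack_from("<I", image, dirs - 4)
        if count <= SECURITY_DIR:
            return (0, 0)
        off, size = struct.unpack_from("<II", image, dirs + 8 * SECURITY_DIR)
    except struct.error:
        raise ValueError("truncated PE header") from None
    if size and off + size > len(image):
        raise ValueError("certificate table points past end of file")
    return (off, size) if size else (0, 0)

def is_signed(image: bytes) -> bool:
    return cert_table(image)[1] > 0

def build_sample(cert_len: int) -> bytes:
    """Constructed minimal PE32+ header for the demo; not a real kernel."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0)
    opt = bytearray(240)                       # 112 fixed bytes + 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    if cert_len:                               # table placed right after headers
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 328, cert_len)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(cert_len)

if __name__ == "__main__":
    for path in sys.argv[1:]:                  # e.g. /boot/vmlinuz-*
        with open(path, "rb") as fh:
            print(path, "signed" if is_signed(fh.read()) else "UNSIGNED")
```

A non-empty certificate table only shows that a signature is attached; whether shim or the firmware trusts the signer is a separate check, for example with `sbverify` from sbsigntool.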
