Unable to disable secure boot with mokutil in 16.04
Problem, new in 16.04:
When I run the command sudo mokutil --disable-validation
to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message
Failed to request new MokSB state
Google reveals very little about this obscure error message!
Consequences:
I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)
Background:
I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.
nvidia 16.04 secure-boot
add a comment |
Problem, new in 16.04:
When I run the command sudo mokutil --disable-validation
to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message
Failed to request new MokSB state
Google reveals very little about this obscure error message!
Consequences:
I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)
Background:
I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.
nvidia 16.04 secure-boot
1
You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26
Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13
add a comment |
Problem, new in 16.04:
When I run the command sudo mokutil --disable-validation
to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message
Failed to request new MokSB state
Google reveals very little about this obscure error message!
Consequences:
I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)
Background:
I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.
nvidia 16.04 secure-boot
Problem, new in 16.04:
When I run the command sudo mokutil --disable-validation
to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message
Failed to request new MokSB state
Google reveals very little about this obscure error message!
Consequences:
I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)
Background:
I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.
nvidia 16.04 secure-boot
nvidia 16.04 secure-boot
edited May 8 '16 at 10:54
Hizqeel
1,72751221
1,72751221
asked May 8 '16 at 9:48
starminestarmine
21113
21113
1
You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26
Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13
add a comment |
1
You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26
Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13
1
1
You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26
You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26
Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13
Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13
add a comment |
1 Answer
1
active
oldest
votes
while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.
I too got the strange error message
Failed to request new MokSB state
after executing mokutil --disable-validation
However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation
.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f769268%2funable-to-disable-secure-boot-with-mokutil-in-16-04%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.
I too got the strange error message
Failed to request new MokSB state
after executing mokutil --disable-validation
However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation
.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
add a comment |
while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.
I too got the strange error message
Failed to request new MokSB state
after executing mokutil --disable-validation
However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation
.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
add a comment |
while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.
I too got the strange error message
Failed to request new MokSB state
after executing mokutil --disable-validation
However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation
.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).
while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.
I too got the strange error message
Failed to request new MokSB state
after executing mokutil --disable-validation
However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation
.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).
answered May 16 '16 at 12:01
StarWarriorStarWarrior
11
11
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
add a comment |
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f769268%2funable-to-disable-secure-boot-with-mokutil-in-16-04%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
1
You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26
Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13