Unable to disable secure boot with mokutil in 16.04












4














Problem, new in 16.04:



When I run the command sudo mokutil --disable-validation to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message




Failed to request new MokSB state




Google reveals very little about this obscure error message!



Consequences:



I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)



Background:



I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.










share|improve this question




















  • 1




    You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
    – Rod Smith
    May 11 '16 at 12:26










  • Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
    – starmine
    Jul 2 '16 at 23:13
















4














Problem, new in 16.04:



When I run the command sudo mokutil --disable-validation to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message




Failed to request new MokSB state




Google reveals very little about this obscure error message!



Consequences:



I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)



Background:



I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.










share|improve this question




















  • 1




    You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
    – Rod Smith
    May 11 '16 at 12:26










  • Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
    – starmine
    Jul 2 '16 at 23:13














4












4








4


3





Problem, new in 16.04:



When I run the command sudo mokutil --disable-validation to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message




Failed to request new MokSB state




Google reveals very little about this obscure error message!



Consequences:



I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)



Background:



I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.










share|improve this question















Problem, new in 16.04:



When I run the command sudo mokutil --disable-validation to disable secure boot validation within Ubuntu, I am asked to type a password twice and then get the message




Failed to request new MokSB state




Google reveals very little about this obscure error message!



Consequences:



I cannot install nvidia drivers as a result - when the system reboots after the driver install I can't log in, and have to bring up a terminal to purge the drivers and reboot. I have never seen the post-boot interface for disabling secure boot (which I expected to see and was asked to set a password for). This sequence of events (no disabling of secure boot and then failed login) happens whether I select to install third party drivers (and "disable secure boot") during Ubuntu installation, or install them from the Additional Drivers menu, or install nvidia-364 from the graphics drivers ppa. (From what I can tell, Ubuntu is actually offering to disable secure boot validation within Ubuntu and leave the motherboard's secure boot setting unchanged - the terminology isn't helpful.)



Background:



I have an ASUS Sabertooth Mark 2 desktop with Nvidia GTX 970 that I dual boot with Windows 10 (using the BIOS boot override to choose the OS). Secure boot is enabled in the BIOS and I want to keep it that way for Windows at least. Ubuntu (15.10 and earlier) worked fine as the Shim (and grub?) were signed for secure boot, but no checking was done later in the boot process (when the nvidia drivers come into play). Ubuntu 16.04 newly enables checking throughout the boot process, but it's tripping up when it gets to the nvidia drivers.







nvidia 16.04 secure-boot






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited May 8 '16 at 10:54









Hizqeel

1,72751221




1,72751221










asked May 8 '16 at 9:48









starminestarmine

21113




21113








  • 1




    You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
    – Rod Smith
    May 11 '16 at 12:26










  • Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
    – starmine
    Jul 2 '16 at 23:13














  • 1




    You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
    – Rod Smith
    May 11 '16 at 12:26










  • Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
    – starmine
    Jul 2 '16 at 23:13








1




1




You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26




You may need to disable Secure Boot using the firmware's own user interface. Details on how to do this vary from one machine to another. For several examples, see this page of mine.
– Rod Smith
May 11 '16 at 12:26












Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13




Hi Rod, is it not possible just to disable the validation for ubuntu, whilst leaving secure boot on in the bios (to secure Windows 10)? I suspect that my motherboard is refusing to save the EFI variables needed to trigger the disabling of validation on the next reboot. Is it not possible to start mokmanager.efi manually from grub (without the mokutil command and password setting) and disable validation from there?
– starmine
Jul 2 '16 at 23:13










1 Answer
1






active

oldest

votes


















0














while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.



I too got the strange error message




Failed to request new MokSB state




after executing mokutil --disable-validation



However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).






share|improve this answer





















  • Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
    – starmine
    Jun 19 '16 at 12:58












  • Same situation here. Having to use Nouveau till a solution is found.
    – timkofu
    Apr 4 '17 at 13:13











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f769268%2funable-to-disable-secure-boot-with-mokutil-in-16-04%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.



I too got the strange error message




Failed to request new MokSB state




after executing mokutil --disable-validation



However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).






share|improve this answer





















  • Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
    – starmine
    Jun 19 '16 at 12:58












  • Same situation here. Having to use Nouveau till a solution is found.
    – timkofu
    Apr 4 '17 at 13:13
















0














while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.



I too got the strange error message




Failed to request new MokSB state




after executing mokutil --disable-validation



However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).






share|improve this answer





















  • Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
    – starmine
    Jun 19 '16 at 12:58












  • Same situation here. Having to use Nouveau till a solution is found.
    – timkofu
    Apr 4 '17 at 13:13














0












0








0






while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.



I too got the strange error message




Failed to request new MokSB state




after executing mokutil --disable-validation



However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).






share|improve this answer












while I did have a slightly different problem (my Broadcom Wifi driver wasn't working), the symptoms seem to be the same. I too had to enter a password during installation which was never checked after boot.



I too got the strange error message




Failed to request new MokSB state




after executing mokutil --disable-validation



However: in my case, the problem was I didn't type sudo: sudo mokutil --disable-validation.
After that reboot, Shim was starting and I was able to disable secure boot after shim without disabling secure boot in the BIOS (which is necessary for Windows dual boot).







share|improve this answer












share|improve this answer



share|improve this answer










answered May 16 '16 at 12:01









StarWarriorStarWarrior

11




11












  • Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
    – starmine
    Jun 19 '16 at 12:58












  • Same situation here. Having to use Nouveau till a solution is found.
    – timkofu
    Apr 4 '17 at 13:13


















  • Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
    – starmine
    Jun 19 '16 at 12:58












  • Same situation here. Having to use Nouveau till a solution is found.
    – timkofu
    Apr 4 '17 at 13:13
















Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58






Unfortunately this still didn't work for me - I have always been using sudo, and also checked that the efivars are mounted as read-write. The problem seems to be that the disable validation command is trying to write a variable to the EFI flash storage on the motherboard itself. My motherboard is refusing to do this - it's a shame mokutil doesn't give a more detailed error message - perhaps because this motherboard storage is a very sensitive part of the system. I have left Secure Boot on and am doing without nvidia drivers. Not great, even video acceleration and vsync are missing.
– starmine
Jun 19 '16 at 12:58














Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13




Same situation here. Having to use Nouveau till a solution is found.
– timkofu
Apr 4 '17 at 13:13


















draft saved

draft discarded




















































Thanks for contributing an answer to Ask Ubuntu!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f769268%2funable-to-disable-secure-boot-with-mokutil-in-16-04%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

How to change which sound is reproduced for terminal bell?

Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents

Can I use Tabulator js library in my java Spring + Thymeleaf project?