How can I tell if Ubuntu has booted securely?

I understand that I can reboot, enter the UEFI firmware (formerly BIOS) settings and look for options enabling UEFI boot and forcing secure boot. However, given an already booted system (e.g., a server I do not wish to reboot), how would I tell if Ubuntu has booted securely?

I am aware of another question asking about EFI boot, which I found useful. I have also read the article about how Ubuntu implements UEFI secure boot (surprisingly, with the assistance of Microsoft). However, these sources have not answered my question. I understand that if the system attempts to secure boot but fails, it will restart. How can I tell what the shim and subsequent boot loaders have done to verify the boot loader chain, including the Linux kernel?

For extra credit, is there a way to see which certificate authorities (e.g., Microsoft and Canonical) that were used to authenticate the boot loaders?

Thanks!


Solution 1:

In order to query Secure boot status you may run:

mokutil --sb-state

Source: http://manpages.ubuntu.com/manpages/impish/man1/mokutil.1.html

For extra credit, is there a way to see which certificate authorities (e.g., Microsoft and Canonical) that were used to authenticate the boot loaders?

This is answered in the link you included in the question. Quoting:

amd64: A shim binary signed by Microsoft and grub binary signed by Canonical are provided in the Ubuntu main archive as shim-signed or grub-efi-amd64-signed.
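
Added example (not part of the answer above, and not Ubuntu's or mokutil's own code): on a running system without mokutil installed, the firmware state can be read directly from the UEFI global variables SecureBoot and SetupMode that the kernel exposes under efivarfs. The function names and the EFIVARS_DIR override are assumptions made for this sketch; it reports only the firmware variables and assumes GNU od.

```shell
#!/bin/sh
# Added example: read the firmware's Secure Boot state from efivarfs.
# EFI_GLOBAL_VARIABLE GUID from the UEFI specification.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c
# Overridable so the logic can be exercised against constructed files.
EFIVARS_DIR=${EFIVARS_DIR:-/sys/firmware/efi/efivars}

# Print the one-byte payload of an efivarfs file as a decimal number.
# efivarfs prefixes each variable's data with a 4-byte attribute field,
# so the value sits at offset 4.
efivar_byte() {
    [ -r "$1" ] || return 1
    val=$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Print one of: enabled | disabled | setup-mode | not-efi | unknown
secure_boot_state() {
    dir=${1:-$EFIVARS_DIR}
    # No efivars directory: booted in legacy BIOS mode, or efivarfs
    # is not mounted. Either way Secure Boot cannot be confirmed.
    [ -d "$dir" ] || { echo not-efi; return 0; }
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL_GUID") \
        || { echo unknown; return 0; }
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL_GUID") || setup=0
    if [ "$setup" = 1 ]; then
        # Setup mode: no platform key enrolled, nothing is enforced.
        echo setup-mode
    elif [ "$sb" = 1 ]; then
        echo enabled
    else
        echo disabled
    fi
}

echo "Secure Boot (firmware): $(secure_boot_state)"
```
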