Ubuntu: "Booting in insecure mode" with SecureBoot enabled

I have just installed Ubuntu 15.10, after having been with 16.04 LTS for some time to try it out. While I was using 16.04, I tried to install Nvidia Drivers and got told that I needed to disable SecureBoot for that, so I provided a password and on the next reboot some software asked for it. However, my BIOS settings still showed SecureBoot to be enabled, and I could still see how if I tried to boot from anything that wasn't signed, it would refuse to do so.

However, when I reinstalled Ubuntu 15.10 (completely deleting everything related to 16.04, including grub in the EFI partition), every time I boot I get a Booting in insecure mode message.

I have checked everything, and both: Windows and the BIOS setting report SecureBoot to be enabled


Solution 1:

If you want get rid of the message about Insecure Boot you need to enable secure boot. To do this you need turn on validation in module MOK (Machine Owner Key):

sudo mokutil --enable-validation

You will be asked to enter twice temporary password and than after reboot get a possibility to change validation state.

If validation is enabled than no more message about insecure boot appears. But remember, you will not be able to run any unsigned drivers: nVidia drivers and VirtualBox will not be working.

To disable validation type:

sudo mokutil --disable-validation

and then reboot.

If you disable validation and have in BIOS Secure Boot switched ON, still you will not be able to boot anything that wasn't signed. Even though your ubuntu has validation disable but "is seen" by BIOS (UEFI) as signed because of shim-signed package. Shim package while your ubuntu is booting checks what is the MOK state and if validation is disabled shows message "Booting in insecure mode".

Solution 2:

You can check the status of Secure Boot by -

$ mokutil --sb-state

For you, the output might be -

SecureBoot enabled
SecureBoot validation is disabled in shim

You need to use the following command to re-enable Secure Boot validation, which will eventually not show the text "booting in insecure mode".

$ sudo mokutil --enable-validation

Here, the command will ask you to enter a password. This password is not your login password but just a temporary password. You need to set a password which will be asked in the following steps.

Now, restart and follow the instruction shown on Perform MOK management blue screen.
Select Change Secure Boot state.

Sources -
https://wiki.debian.org/SecureBoot
https://wiki.ubuntu.com/UEFI/SecureBoot