Is re-enabling Secure Boot in UEFI secure?

A while ago, I had to disable Secure Boot in UEFI in order to install a third-party driver.

Now that this third-party driver isn't required anymore (due to kernel updates), I have uninstalled it.

Having removed that unsigned driver, I thought it might be a good idea now to enable Secure Boot again. Is it? Or could malware have caused damage in the meantime, e.g. adding new Secure Boot keys, so that Secure Boot is not "secure" anymore after it has been disabled once?


Yes, you can safely re-enable Secure Boot. It is very unlikely that something has been damaged.
Afterwards change the default boot loader from grubx64.efi to shimx64.efi in BIOS | UEFI.
Otherwise Ubuntu tries to boot with the unsigned boot loader - which of course does not work.
Alternatively you can do it before changing the Secure Boot settings with built-in efibootmgr:

To list the currently active boot loader files, execute this command: sudo efibootmgr -v
Change the boot order by running sudo efibootmgr -o XXXX,YYYY (X,Y = entry number)
In case shimx64.efi is not listed, you can add it by executing (X = disk | Y = EFI partition):
sudo efibootmgr -c -w -d /dev/sdXY -p 1 -L "ubuntu" -l '\EFI\ubuntu\shimx64.efi'
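
As an added example (not part of the answer above), this shell check can be run before Secure Boot is switched back on to confirm that the first BootOrder entry loads shimx64.efi rather than grubx64.efi. The function names and the sample efibootmgr -v output are constructed for illustration.

```shell
#!/bin/sh
# Added example: parses `efibootmgr -v` output read from stdin.

# Print the loader path of the entry listed first in BootOrder.
first_boot_loader() {
    awk '
        /^BootOrder:/ { split($2, order, ","); first = toupper(order[1]) }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            id = toupper(substr($0, 5, 4))
            # Keep only the text inside File(...), e.g. \EFI\ubuntu\shimx64.efi
            if (match($0, /File\([^)]*\)/))
                loader[id] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END { if (first in loader) print loader[first] }
    '
}

# Exit status: 0 = first entry is the signed shim, 1 = some other loader,
# 2 = no loader path found for the first BootOrder entry.
shim_is_first() {
    path=$(first_boot_loader)
    [ -n "$path" ] || return 2
    # Strip everything up to the last backslash; FAT names are case-insensitive.
    file=$(printf '%s' "${path##*\\}" | tr 'A-Z' 'a-z')
    [ "$file" = "shimx64.efi" ]
}

# Constructed sample output (not captured from a real machine):
# grubx64.efi is first in BootOrder, so booting would fail under Secure Boot.
SAMPLE_EFIBOOTMGR='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* ubuntu-shim HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* ubuntu HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)'

if printf '%s\n' "$SAMPLE_EFIBOOTMGR" | shim_is_first; then
    echo "OK: first boot entry loads shimx64.efi"
else
    echo "WARNING: first boot entry is $(printf '%s\n' "$SAMPLE_EFIBOOTMGR" | first_boot_loader)"
fi
```

On a real system, pipe the live output in instead of the sample: sudo efibootmgr -v | shim_is_first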


I wouldn't bother. Re-enabling Secure Boot won't improve your Ubuntu security in any measurable way (although if it makes you feel better, I don't perceive any harm in doing so).

If you do want to re-enable it, you should subscribe to this bug and wait until the bug is fixed, as prior to that you are accomplishing nothing from an Ubuntu perspective.

Edit: The aforementioned bug has been reported fixed as of 30 Mar 2017 17:45:23 in the package grub2 - 2.02~beta3-4ubuntu2

and also in the package grub2-signed - 1.80 as of 04 Apr 2017 10:28:34

The deb file (created for Zesty) is available here. Since you are running Xenial, it might be safest to wait for a package developed specifically for your release (or at the very least create a current backup) to avoid any unexpected consequences brought about by installing a .deb designed for Zesty on a Xenial system.