Is re-enabling Secure Boot in UEFI secure?

boot grub2 uefi secure-boot 16.04

A while ago, I had to disable Secure Boot in UEFI in order to install a third-party driver.

Now that this third-party driver isn't required anymore (due to kernel updates), I have uninstalled it.

Having removed that unsigned driver, I thought it might be a good idea now to enable Secure Boot again. Is it? Or could malware have caused damage in the meantime, e.g. adding new Secure Boot keys, so that Secure Boot is not "secure" anymore after it has been disabled once?


Yes, you can safely re-enable Secure Boot. It is very unlikely that something has been damaged.
Afterwards change the default boot loader from grubx64.efi to shimx64.efi in BIOS | UEFI.
Otherwise Ubuntu tries to boot with the unsigned boot loader - which of course does not work.
Alternatively you can do it before changing the Secure Boot settings with built-in efibootmgr:

To list the currently active boot loader files - execute this command : sudo efibootmgr -v
Change the boot order by running sudo efibootmgr -o XXXX,YYYY (X,Y = entry number)
In case shimx64.efi is not listed, you can add it by executing (X = disk | Y = EFI partition) :
sudo efibootmgr -c -w -d /dev/sdXY -p 1 -L "ubuntu" -l '\EFI\ubuntu\shimx64.efi


I wouldn't bother. Re-enabling Secure boot won't improve your Ubuntu security in any measurable way (although if it makes you feel better, I don't perceive any harm in doing so).

If you do want to re-enable it you should subscribe to this bug and wait until the bug is fixed as prior to that you are accomplishing nothing from an Ubuntu perspective.

Edit: The aforementioned bug has been reported fixed as of 30 Mar 2017 17:45:23 in the package grub2 - 2.02~beta3-4ubuntu2

and also in the package grub2-signed - 1.80 as of 04 Apr 2017 10:28:34

The deb file (created for Zesty) is available here. Since you are running Xenial, it might be safest to wait for a package developed specifically for your release (or at the very least create a current backup ) to avoid any unexpected consequences brought about by installing a .deb designed for Zesty on a Xenial system.

Related

mouse focus problem
How to "properly" downgrade LibreOffice versions
Unity stopped working after zeitgeist uninstall
Freshclam is Using Lots of Mobile Data
Run shell script on startup or boot
A file manager with free icon placing option
Light Display Manager as login account [closed]
Why is Ubuntu shipped with firefox?
What's the difference between the snap folder in /home/UserName and the snap folder in root (/)?
nvidia-settings lost after reboot
Screen lock shuts down all applications in 17.10
Show *realtime* mouse cursor coordinates? (Cursor mod / overlay) Also, copy to clipboard?