I can't change the Secure Boot mode to enabled "Failed to delete Secure Boot state" #45

Open
Gasama opened this issue Sep 15, 2021 · 8 comments

Comments

@Gasama

Gasama commented Sep 15, 2021

Hello,

I installed Ubuntu 18.04 fresh on a new system. Secure Boot is shown as enabled in the BIOS of the computer, but when I used sudo mokutil --sb-state to check the status, it says "SecureBoot disabled".
Then I used sudo mokutil --enable-validation to change it in the MOK menu, but after I confirmed to enable Secure Boot, I get the message "Failed to delete Secure Boot state".

Does anyone have an idea?

with kind regards

@lcp
Owner

lcp commented Dec 9, 2021

The parameter, "--enable-validation", is used to enable signature validation in shim, not BIOS, and it's not necessary to use "--enable-validation" as long as you never invoke "mokutil --disable-validation" before.

As for "SecureBoot disabled", please paste the results of these two commands:

$ hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
$ hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c

For a properly configured system, SecureBoot should be "06 00 00 00 01" and SetupMode should be "06 00 00 00 00". Otherwise, you may have a buggy firmware.

@henrikalmeida

henrikalmeida commented Dec 22, 2021

> The parameter, "--enable-validation", is used to enable signature validation in shim, not BIOS, and it's not necessary to use "--enable-validation" as long as you never invoke "mokutil --disable-validation" before.
>
> As for "SecureBoot disabled", please paste the results of these two commands:
>
> $ hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
> $ hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
>
> For a properly configured system, SecureBoot should be "06 00 00 00 01" and SetupMode should be "06 00 00 00 00". Otherwise, you may have a buggy firmware.

I am having the same issue,

the outputs:

 hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c 
00000000  06 00 00 00 00  

 hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000  06 00 00 00 00        

Using Ubuntu 21.10. Secure Boot is enabled in the UEFI menu (BIOS); I have an ASUS VIII Hero motherboard.

@lcp
Owner

lcp commented Dec 23, 2021

> I am having the same issue,
>
> the outputs:
>
> hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
> 00000000  06 00 00 00 00
>
> hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
> 00000000  06 00 00 00 00
>
> Using Ubuntu 21.10. Secure Boot is enabled in the UEFI menu (BIOS); I have an ASUS VIII Hero motherboard.

Looks like you have a buggy firmware :-(

Per the UEFI spec, when SecureBoot is 0 (disabled), SetupMode has to be 1 (enabled) to allow the user to configure the key databases. When SecureBoot is 1 (enabled), SetupMode has to be 0 (disabled) to indicate the system is ready for SecureBoot. In your case, both are 0 and I really have no idea what it is.
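
The check discussed above, as an added example that is not part of the original thread: a shell function that reads both efivarfs files, skips the 4-byte attribute prefix (the "06 00 00 00" in the dumps) and reports the SecureBoot/SetupMode pair. The names efivar_bool, sb_state and write_sample are hypothetical helpers, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. An efivarfs file is a 4-byte
# little-endian attribute mask followed by the variable's data;
# "06 00 00 00" is BOOTSERVICE_ACCESS|RUNTIME_ACCESS.
GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c   # GUID from the paths in the thread

# efivar_bool DIR NAME -> prints the data byte (0 or 1), "missing" or "malformed".
efivar_bool() {
    f="$1/$2-$GUID"
    [ -r "$f" ] || { echo missing; return 0; }
    # A boolean variable is exactly 4 attribute bytes plus 1 data byte.
    [ "$(wc -c < "$f" | tr -d ' ')" = 5 ] || { echo malformed; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state [DIR] -> one-line summary of the SecureBoot/SetupMode pair.
sb_state() {
    dir=${1:-/sys/firmware/efi/efivars}
    sb=$(efivar_bool "$dir" SecureBoot)
    sm=$(efivar_bool "$dir" SetupMode)
    case "$sb/$sm" in
        1/0) echo "SecureBoot=1 SetupMode=0: Secure Boot enabled" ;;
        0/1) echo "SecureBoot=0 SetupMode=1: Secure Boot disabled, setup mode" ;;
        0/0) echo "SecureBoot=0 SetupMode=0: Secure Boot disabled, not in setup mode" ;;
        1/1) echo "SecureBoot=1 SetupMode=1: unexpected combination" ;;
        *)   echo "SecureBoot=$sb SetupMode=$sm: cannot read state" ;;
    esac
}

# write_sample DIR SB SM -> constructed efivar files so the check runs offline.
write_sample() {
    mkdir -p "$1"
    { printf '\006\000\000\000'; printf "\\00$2"; } > "$1/SecureBoot-$GUID"
    { printf '\006\000\000\000'; printf "\\00$3"; } > "$1/SetupMode-$GUID"
}

# Demo on constructed data reproducing the values pasted in the thread (both 0).
demo=$(mktemp -d) && write_sample "$demo" 0 0 && sb_state "$demo"
rm -rf "$demo"
```

On a live system, call sb_state with no argument to read /sys/firmware/efi/efivars directly.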

@henrikalmeida

henrikalmeida commented Dec 23, 2021

> > I am having the same issue,
> > the outputs:
> >
> > hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
> > 00000000  06 00 00 00 00
> >
> > hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
> > 00000000  06 00 00 00 00
> >
> > Using Ubuntu 21.10. Secure Boot is enabled in the UEFI menu (BIOS); I have an ASUS VIII Hero motherboard.
>
> Looks like you have a buggy firmware :-(
>
> Per the UEFI spec, when SecureBoot is 0 (disabled), SetupMode has to be 1 (enabled) to allow the user to configure the key databases. When SecureBoot is 1 (enabled), SetupMode has to be 0 (disabled) to indicate the system is ready for SecureBoot. In your case, both are 0 and I really have no idea what it is.

So do you think the problem is with the firmware of my motherboard? Because the firmware is the latest version, and my motherboard is pretty decent with a good brand too (ASUS VIII Hero).

I should also mention that I am also using the Nvidia drivers that I downloaded directly via their website, and I remember it said some stuff about Secure Boot during its installation; not sure if that has anything to do with this or not, though.

Also, could downgrading my Ubuntu to something like 20.04, etc. help?

@lcp
Owner

lcp commented Dec 23, 2021

It's nothing to do with OS but the firmware. I'd suggest to check the Secure Boot settings in the UEFI menu and see if Secure Boot is really enabled and PK/KEK/db are properly set.

@henrikalmeida

> It's nothing to do with OS but the firmware. I'd suggest to check the Secure Boot settings in the UEFI menu and see if Secure Boot is really enabled and PK/KEK/db are properly set.

Secure Boot is ON in the BIOS; does this mean that I am really using Secure Boot?
But I don't know how to check if PK/KEK/db are set properly.

@freebiesoft

I am having this issue at the moment. Did anyone manage to find a fix?

@r-pufky

r-pufky commented Feb 1, 2025

@freebiesoft probably old, but ran into the same thing today. Just:

  • enter BIOS
  • delete any custom secure boot keys
  • reboot
  • disable secure boot
  • reboot
  • enable secure boot

This was able to get my one wonky system back into a state where I could load machine owner's keys and enable validation.
