Secure Boot and BIOS updates

Posted: Sat Feb 09, 2019 1:11 pm
by notfred
Having spent a while battling this, I thought I'd leave a note here for others and myself next time I update my BIOS.

I have a Gigabyte B450M DS3H motherboard and a BIOS update resets all the BIOS options (clear CMOS equivalent). I'm running Ubuntu 18.04 with the nvidia graphics drivers installed and secure boot enabled.

The BIOS reset means that I have to go into the BIOS and, under the key management part of secure boot, restore the factory keys. I then need to reboot and re-enter the BIOS and I can now enable secure boot. Ubuntu then boots with secure boot enabled, but at very low resolution because it doesn't have the key that was used to sign the nvidia graphics driver.

update-secureboot-policy --enroll-key

This prompts to create a password, and then when you reboot (manually) it will run the Machine Owner Key utility to enroll the keys.

However, the gotcha is that if I enable Ultra Fast Boot then the keyboard doesn't work apart from in Ubuntu, so I can't actually run the MOK utility and I can't enter the BIOS to reset it.

grub-reboot uefi-firmware

This changes the boot order for the next reboot only to be the BIOS configuration screen, where I can now disable Ultra Fast Boot and have a working keyboard for the MOK utility. I need to do this before doing the "update-secureboot-policy --enroll-key"!
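
The ordering described in the post above, as an added example that is not part of the original post: a POSIX shell helper that reads `mokutil` output and reports which step comes next. The key path `/var/lib/shim-signed/mok/MOK.der` and the function names are assumptions; the live check needs root to read the key.

```shell
#!/bin/sh
# Added example (not from the original post): pick the next recovery step
# after a BIOS update has reset Secure Boot, from mokutil's output.
# Assumption: Ubuntu's module-signing key is at this path.
MOK_DER="${MOK_DER:-/var/lib/shim-signed/mok/MOK.der}"

# next_step SB_STATE TEST_KEY LIST_NEW  (each is captured mokutil output)
next_step() {
    case "$1" in
        *"SecureBoot enabled"*) ;;
        *) echo "enable-secure-boot"; return 0 ;;
    esac
    case "$2" in
        *"is already enrolled"*) echo "ok"; return 0 ;;
    esac
    case "$3" in
        *"[key "*) echo "finish-mok-enrollment" ;;  # request already queued
        *) echo "enroll-key" ;;
    esac
}

describe() {
    case "$1" in
        enable-secure-boot)
            echo "Secure Boot is off: run 'grub-reboot uefi-firmware', reboot,"
            echo "restore the factory keys, reboot again and enable Secure Boot." ;;
        enroll-key)
            echo "Key not enrolled: first disable Ultra Fast Boot in the BIOS"
            echo "(grub-reboot uefi-firmware), then run"
            echo "'update-secureboot-policy --enroll-key' and reboot." ;;
        finish-mok-enrollment)
            echo "Enrollment is queued: reboot and complete it in the MOK utility"
            echo "(needs a working keyboard, so Ultra Fast Boot must be off)." ;;
        ok) echo "Secure Boot is on and the signing key is enrolled." ;;
    esac
}

check_now() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not found" >&2; return 2; }
    describe "$(next_step "$(mokutil --sb-state 2>&1)" \
        "$(mokutil --test-key "$MOK_DER" 2>&1)" "$(mokutil --list-new 2>&1)")"
}

# Run the live check only when asked: sh script.sh --check
if [ "${1:-}" = "--check" ]; then check_now; fi
```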