Ubuntu
mokutil package

[INVALID] Secureboot password entered during installation not valid post-install

Asked by iGadget

Also reported here: https://askubuntu.com/questions/1269731/unable-to-access-uefi-setup-menu-after-installing-ubuntu-20-04-secure-boot

During the installation of Ubuntu 20.04 on my Lenovo Flex-2 Pro 15 laptop back in April, I was prompted to enable Secure Boot. Even though I had already gone through the procedure during the installation of Ubuntu 18.04 back in 2018, I just followed the steps, entered a new password (with special characters as per a good, strong password policy) and wrote it down in case I ever needed it.

All fine, up until today when I tried booting from a USB stick and I was greeted with an "Enter Password" prompt. I tried filling in the password I had written down, but for every special character (i.e. space, exclamation mark) I entered, the system returned a loud beep, to indicate these characters were not allowed. So, to little surprise, the password I entered was not accepted.

I tried entering the password without special characters, I tried any previous passwords I had used for secure boot, all to no avail.

So apparently something went terribly wrong in between the steps of creating the password and storing it to chip (and/or the check of the password validity).

Question is, how do I fix this? And should I report this as a bug?

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu mokutil Edit question
Assignee:
No assignee Edit question
Solved by:
iGadget
Solved:
Last query:
Last reply:
Revision history for this message
Manfred Hampl (m-hampl) said : 		#1

I understand that you have installed Ubuntu 20.04 on your hard disk.
Now you try booting a different operating system from a USB stick.
How is one related to the other?
How should Ubuntu interfere with the operating system on the USB stick, if Ubuntu is not running at that moment?

What kind of password was that?

What happens when you try booting from the hard disk?

What happens if you enter BIOS setup?

Revision history for this message
iGadget (igadget) said : 		#2

Thanks for your quick reply, Manfred.

The way (as I understand it) the two are related is that during the process of enabling SecureBoot, the password was also set for both access to the UEFI settings and the boot options. So I'm now able to access neither.

Of course I don't know if mokutil was responsible for this or some other tool used in the process of setting up SecureBoot during the Ubuntu 20.04 installation.

The password I entered during the SecureBoot setup process contains special characters like spaces and exclamation marks, if that's what you mean with your question.

Booting from the harddisk works fine, but only to the default Ubuntu 20.04 installation. I'm unable to access i.e. the GRUB menu (I tried pressing/holding SHIFT, C, Escape to no avail, the system just boots).

As said, I'm unable to access the UEFI / BIOS setup, since I'm then once again prompted to enter the password.

Revision history for this message
iGadget (igadget) said : 		#3

Perhaps I should add this piece of info as well, not sure if it's related:

Since the installation of Ubuntu 20.04, the time between pressing the power button and the appearance of the LENOVO logo on screen is unusually long, i.e. more than 30 seconds. The screen is completely black during that time. This was not the case when I had Ubuntu 18.04 installed. As soon as the logo appears, the system is fairy quick to boot the OS. I never thought much of it since I only reboot the system (suspend/resume FTW!) when an update requires me to or the system crashes.

Also, if I press any other key than F2 / setup or F12 / boot menu (which produce said password prompt), the black screen stays indefinitely and the system never boots.

Revision history for this message
Manfred Hampl (m-hampl) said : 		#4

What exactly do you see at the password promt when attempting to enter BIOS?
Does it ask for the BIOS password, or for the password for a MOK key?

Have you tried revoking the password with the command
mokutil --clear-password
on Ubuntu?

Revision history for this message
iGadget (igadget) said : 		#5

Oh dear... Now that was a very typical PEBCAK issue. In no way had mokutil anything to do with my BIOS / UEFI setup password. The password I needed *was* actually a different one and I had noted it perfectly in my password manager. I feel so silly now...
But at least I'm happy I did not skip asking the question before submitting a bug report.

Revoking the password with the 'mokutil --clear-password' command worked fine, but was ultimately completely unneeded.

So... the only real 'issue' I'm experiencing is the thing I mentioned in #3 - (re)booting has become very slow since 20.04. I do not even dare saying 'combined with SecureBoot' anymore, but I do suspect it. A little. How to debug this?

Revision history for this message
Manfred Hampl (m-hampl) said : 		#6

If there is a big delay between powering on and the appearance of the Lenovo logo, then this is not caused by Ubuntu, because Ubuntu is not yet running at that moment.

You might investigate whether there is an updated BIOS version available for your system.