Score:3

How can I tell if Ubuntu has booted securely?


I understand that I can reboot, enter the UEFI firmware (formerly BIOS) settings and look for options enabling UEFI boot and forcing secure boot. However, given an already booted system (e.g., a server I do not wish to reboot), how would I tell if Ubuntu has booted securely?

I am aware of another question asking about EFI boot, which I found useful. I have also read the article about how Ubuntu implements UEFI secure boot (surprisingly, with the assistance of Microsoft). However, these sources have not answered my question. I understand that if the system attempts to secure boot but fails, it will restart. How can I tell what the shim and subsequent boot loaders have done to verify the boot loader chain, including the Linux kernel?

For extra credit, is there a way to see which certificate authorities (e.g., Microsoft and Canonical) were used to authenticate the boot loaders?

Thanks!

Score:2

In order to query Secure boot status you may run:

```
mokutil --sb-state
```

Source: http://manpages.ubuntu.com/manpages/impish/man1/mokutil.1.html

> For extra credit, is there a way to see which certificate authorities (e.g., Microsoft and Canonical) were used to authenticate the boot loaders?

This is answered in the link you included in the question. Quoting:

> amd64: A shim binary signed by Microsoft and grub binary signed by Canonical are provided in the Ubuntu main archive as shim-signed or grub-efi-amd64-signed.

rlhelinski:
Regarding the shim binary signed by Microsoft and the grub binary signed by Canonical, that only applies to the case where the computer is shipped with keys in the firmware for Microsoft. It is possible for the user to load their own keys as described in the section, "MOK generation and signing process". Therefore, a user may want to query `mokutil` or similar for the specific key signatures that were used for the shim and the grub binary.
rlhelinski:
It looks like this information, at least for the grub binary, is listed in the output of `mokutil --list-enrolled`.
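
The state that `mokutil --sb-state` reports is held in the UEFI `SecureBoot` variable, which Linux exposes under efivarfs, so it can also be read without extra tools. The script below is an added example, not part of the original answer or comments; the function names `efivar_byte`, `sb_state` and `make_sample` are hypothetical, the sample variable files are constructed, and the `SetupMode` check goes beyond what the thread covers.

```shell
#!/usr/bin/env bash
# Added example: read the Secure Boot state straight from efivarfs.
# EFI global-variable GUID (UEFI spec); each file = 4 attribute bytes + data.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print the first data byte of an efivarfs file (skipping the 4-byte
# attribute header), or nothing if the file is absent or too short.
efivar_byte() {
    [ -r "$1" ] || return 0
    od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n'
}

# sb_state [DIR] -> enabled | disabled | setup-mode | unknown | not-efi
# DIR defaults to the live efivarfs mount; pass another directory to test.
sb_state() {
    local dir="${1:-/sys/firmware/efi/efivars}" sb setup
    [ -d "$dir" ] || { echo not-efi; return; }   # legacy boot or efivarfs not mounted
    sb=$(efivar_byte "$dir/SecureBoot-$EFI_GLOBAL")
    setup=$(efivar_byte "$dir/SetupMode-$EFI_GLOBAL")
    if [ "$setup" = 1 ]; then echo setup-mode    # no Platform Key enrolled: nothing enforced
    elif [ "$sb" = 1 ]; then echo enabled
    elif [ "$sb" = 0 ]; then echo disabled
    else echo unknown                            # variable missing or unreadable
    fi
}

# Constructed sample (not captured from a real machine): attributes 0x00000006
# (BOOTSERVICE_ACCESS | RUNTIME_ACCESS) followed by one data byte (0 or 1).
make_sample() {  # make_sample DIR SECUREBOOT_BYTE SETUPMODE_BYTE
    printf "\006\000\000\000\00$2" > "$1/SecureBoot-$EFI_GLOBAL"
    printf "\006\000\000\000\00$3" > "$1/SetupMode-$EFI_GLOBAL"
}

demo=$(mktemp -d)
make_sample "$demo" 1 0
echo "constructed sample: $(sb_state "$demo")"
echo "this machine:       $(sb_state)"
rm -rf "$demo"
```

A result of `enabled` only says the firmware enforced signature checks on this boot; which keys are trusted is a separate question, covered by `mokutil --list-enrolled` as noted in the comment above.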