I've installed Ubuntu several times on computers without UEFI, and thus without Secure Boot, but this time I am confused. I installed Ubuntu 20.04 LTS on an HP Envy 15, dual-booting with the existing Wind***. I've read several Q&As and explanations about MOK, but I'm still not sure. Let me tell the story. I appreciate your patience reading my story.
In this step, there were choices to install third-party software, I checked it and was asked to enter a password, twice of course. I entered a password. It said that I will be assisted to setup later.
Question 1: What password is this actually? Is it BIOS password, or password used to sign the grub, or simply a confirmation password I need to enter later after reboot?
Question 2: Is this a one-time password, or can I change this password later? How to change it?
After the installation process finished, I restarted the computer. And then, a blue screen appeared, something like MOK Management. There were four options: continue boot, enroll key, enroll key from disk, and enroll key from hash.
Question 3: Is this bluescreen part of firmware, or part of Grub?
Question 4: What is "key" actually? Was it the password I entered before?
Not sure what to choose, I chose option number 2, "enroll key". I expected an input prompt for a password, but it was not. Instead, there were two options, one of them was "view" something.
Question 5: Was the enrollment done automatically? Without entering anything such as a password or key?
I was confused then. While I was looking for enlightenment on the internet, the computer screen turned itself off; I thought it was some kind of auto-sleep or auto-restart because I didn't do anything. After it resumed/restarted, it was MOK Management again, but then the second option was "reset" MOK list or something, instead of "enroll key". I chose "reset", I entered the password, and an error message appeared, something like no data or no something. After that, I chose "continue boot", and I entered the Ubuntu desktop successfully. However, there was no assistance to install third-party software like the installation wizard said. By the way, the auto-sleep or auto-restart happened several times because I continued searching on the internet, although nothing really helped.
Question 6: How to verify that everything is okay (UEFI or Secure Boot is not messed with something password or key, third-party software is installed/activated successfully)?
Question 7: In MOK Management menu, what are enroll key, enroll from disk, and enroll from hash?
Thank you. Please guide me if asking too many questions is prohibited on askubuntu.
Bonus: if someone is looking for Ubuntu compatibility with HP Envy 15: overall it is compatible, except:
- Mute-microphone key (on the keyboard) is not working
- Fingerprint scanner is not working (not recognized)
- Boot up is too long until GRUB appears
- Screen brightness is not saved (always reset to 100% every boot)
I agree this MOK management could have been explained better by the Ubiquity installer, as I have struggled with it myself.
Q1: What password is this actually? Is it BIOS password, or password used to sign the grub, or simply a confirmation password I need to enter later after reboot?
A1: This is the password to confirm enrolling the MOK key for your third-party drivers or software. You will only have to use this password once, so you can choose an easy one, as long as it's at least 8 characters long.
Q2: Is this a one-time password, or can I change this password later? How to change it?
A2: See above. You will only use it once, so no need to change it.
Q3: Is this bluescreen part of firmware, or part of Grub?
A3: It's a part of Shim, a Linux bootloader for UEFI systems. It boots GRUB, which then boots GNU/Linux.
Q4: What is "key" actually? Was it the password I entered before?
A4: No, the key is a long combination of characters that's connected to the third-party drivers you're installing. Ubuntu also has this key, in fact, but it is signed by Microsoft themselves, so you need not manually enroll it. But any third-party drivers (like NVIDIA video drivers etc.) need to be signed manually, which is what the Ubiquity installer does when prompting you to create a password for the new key. You need this password to confirm to the MOK management tool that it is really you who wants to enroll this key and not a malicious program or a hacker.
Q5: Was the enrollment done automatically? Without entering anything such as a password or key?
A5: If you haven't entered your password, then the enrollment hasn't been done. I think you should have chosen the other option beside 'view', but then the screen is set to expire after several seconds of inactivity, which is what happened.
Q6: How to verify that everything is okay (UEFI or Secure Boot is not messed with something password or key, third-party software is installed/activated successfully)?
A6: You can confirm that the key wasn't installed properly by opening up a terminal (Ctrl+Alt+T) and typing:
This will list all the enrolled keys, which in your case should be none.
Now, as for whether you really need to enroll this key, this depends on what exactly the 'third-party software' was. This could have been some hardware drivers, in which case your PC might not work as well as it could have and you should install these drivers and then enroll the key associated with them. Does your HP Envy have an NVIDIA GPU? If so, the proprietary driver for this video card was definitely among the third-party software you failed to install by not enrolling the MOK key successfully. You can remedy this by pressing the Super (Windows) key and typing Additional Drivers, then selecting the application Additional Drivers, choosing 'proprietary-tested' from the list there and installing it. This will prompt you to enroll the MOK key again, and this time you can finish it.
Hope this helps.
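One way to run the check asked about in Question 6, as an added example that is not part of the answer above: it summarises Secure Boot state, enrolled MOKs and enrollment requests still waiting for the blue MOK Management screen. It assumes `mokutil` prints one `[key N]` header per certificate; the function names and sample text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarise Secure Boot / MOK state from mokutil output.
# Assumption: mokutil prints one "[key N]" header per certificate.

# Count "[key N]" headers in a block of mokutil output.
count_keys() {
  printf '%s\n' "$1" | grep -c '^\[key [0-9][0-9]*]' || true
}

# $1 = `mokutil --sb-state`, $2 = `mokutil --list-enrolled`,
# $3 = `mokutil --list-new` (enrollment requests waiting for the next boot).
# Prints "<secure boot>:<enrolled>:<pending>:<verdict>".
mok_status() {
  case "$1" in
    *"SecureBoot enabled"*)  sb=on ;;
    *"SecureBoot disabled"*) sb=off ;;
    *)                       sb=unknown ;;
  esac
  enrolled=$(count_keys "$2")
  pending=$(count_keys "$3")
  if [ "$pending" -gt 0 ]; then
    verdict=pending-reboot      # finish "Enroll MOK" on the blue screen
  elif [ "$enrolled" -gt 0 ]; then
    verdict=enrolled
  else
    verdict=none-enrolled
  fi
  echo "$sb:$enrolled:$pending:$verdict"
}

# Query the running system (needs the mokutil package).
mok_status_live() {
  command -v mokutil >/dev/null 2>&1 || { echo "mokutil not found" >&2; return 2; }
  mok_status "$(mokutil --sb-state 2>&1)" \
             "$(mokutil --list-enrolled 2>&1)" \
             "$(mokutil --list-new 2>&1)"
}

# Constructed sample output, not taken from the asker's machine.
SAMPLE_SB='SecureBoot enabled'
SAMPLE_KEY='[key 1]
SHA1 Fingerprint: (constructed placeholder)
        Subject: CN=example Secure Boot Module Signature key'
SAMPLE_EMPTY='MokNew is empty'

mok_status "$SAMPLE_SB" "$SAMPLE_EMPTY" "$SAMPLE_KEY"   # request still pending
if [ "${1:-}" = "live" ]; then mok_status_live; fi
```

Run the script with the argument `live` to query the machine itself; a `pending-reboot` verdict means the enrollment still has to be confirmed with the password at the next boot.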