Can't boot Ubuntu 18.04.2 LTS or its LiveUSB after enrolling MOKDo I need to reinstall OS if changing motherboard?Can't boot Ubuntu 19.04 or its LiveUSB after enrolling MOKHow To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones?Can't boot LiveUSB in Windows 8.1Mok Management Will Not Load on BootMOK manager utility won't show up on reboot on Ubuntu 16.04 (dual boot)Can't boot Ubuntu 19.04 or its LiveUSB after enrolling MOKLooking for a mokutil workaround to sign virtualbox kernel modules

Ultra-Relativistic and Non-Relativistic cases for energy of a particle

what would allow for the use of cannons but not handheld guns

Urgently need pre-paid debit card to pay debt collector

MobileDevice.pkg untrusted, cannot open Xcode after OS X update

How to create numeronyms in bash

What advantages do the absolute encoders gain by employing Gray code transmission instead of binary code?

Google Search Console is making up URLs which don't exist in my Sitemap and then complains that these pages have error

If I attempt to use the Teleport spell to teleport into an area warded by the Forbiddance spell, is my spell slot expended?

What other "Sections" are there in Starfleet?

Kitchen rewire gone wrong

Are snow shoes useful in mountaineering?

Busted my bike hub & derailleur (I think) - how bad is it?

Word or phrase for turning the tide against a rival in a competition in the last moments

When performing an Investigation check to look for traps, do you activate any traps if you roll under the DC?

Should I take a "positive, but not enthusiastically strong" letter of recommendation?

Approx 1948 Brasil Brazil Airliner...what is it? Taildragger?

What was the stated reason for giving Trump this award?

Does sleeping fewer hours than needed causes Common Cold?

How to call my own phone with a loud ringing tone (in order to find it in my house) even if it is in silent mode?

Regular expression grep -r 'emm*[a-f].[^ta]$'

What is the history of the Eldritch Knight as a class/character option?

Authentication versus Authorisation

Z80 CPU address lines not stable

What does "To die quietly of old age would be to go there on foot" mean?



Can't boot Ubuntu 18.04.2 LTS or its LiveUSB after enrolling MOK


Do I need to reinstall OS if changing motherboard?Can't boot Ubuntu 19.04 or its LiveUSB after enrolling MOKHow To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones?Can't boot LiveUSB in Windows 8.1Mok Management Will Not Load on BootMOK manager utility won't show up on reboot on Ubuntu 16.04 (dual boot)Can't boot Ubuntu 19.04 or its LiveUSB after enrolling MOKLooking for a mokutil workaround to sign virtualbox kernel modules






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty
margin-bottom:0;









1

















I'm unable to boot Ubuntu 18.04.2 LTS or its Live USB after enrolling MOK. Here are the steps that led to this situation.



  1. Clean install of Ubuntu 18.04.2 LTS on Dell Precision T7910 workstation. No other OS installed on this machine.

  2. The OS installed using a UEFI LiveUSB. Secure Boot ON.

  3. Installed nvidia-430 proprietary driver for an Nvidia Titan-X graphics card. Installation prompted me for a password to enroll with MOK. When rebooting, MOK Management screen asked for the password to enroll the key. I successfully enrolled the key. I've rebooted the system several times since. Everything worked fine.

  4. Had a motherboard failure. Replaced with a new motherboard. System booted fine after resetting the Dell Service Tag. Rebooted a couple of times with Secure Boot ON. No problems.

  5. Replaced the Nvidia graphics card with an AMD card. Default driver in Ubuntu worked fine. But I wanted to use the latest driver. Downloaded the driver from AMD website. Installation prompted me to set a password to enroll the key with MOK. Rebooted the machine. Enrolled the key with MOK using the same password. Upon rebooting, I'm now faced with the following error following which, the machine shuts off.


Unable to trigger tcg2 final events table: Invalid Parameter



Something has gone seriously wrong: import_mok_state() failed



: Invalid Parameter




Booting from Ubuntu's LiveUSB installer shows the same error message followed by machine shutdown. I get this error message regardless of whether Secure Boot is set to ON or OFF.



I can successfully boot the LiveUSB in legacy mode. But then I can't use the efibootmgr utility (see the 2nd answer here) to fix the loaders in the EFI partition. In order to use the efibootmgr utility, I need to boot in UEFI mode. But attempting to boot Ubuntu Live USB in UEFI mode results in the error message above and system shutdown.



I found another related thread here. However, since I can't boot from the LiveUSB in UEFI mode, I can't perform any EFI operations.



I was able to boot system rescue cd with Secure Boot ON. I deleted all partitions on the boot disk. Tried to reinstall Ubuntu from LiveUSB but faced with the same error message. I successfully installed Windows 10 which booted fine in secure mode. Next, I deleted all partitions again and decided to take a closer look at all the BIOS settings.



Turned on TPM. And now I can boot from the LiveUSB in Secure Boot mode. But if I turn off TPM, it reverts to the earlier error message. With TPM on, I reinstalled the OS from the LiveUSB. Chose to install additional video drivers which asked me to set a password for enrolling keys with Mok. Upon reboot, Mok Manager showed up and asked me for the password to enroll keys. I complied and now I can boot Ubuntu from the boot disk (as long as TPM is set to ON).



Questions:



  1. Why does TPM need to be ON for secure boot to work fine? It wasn't
    ON the first time I installed ubuntu and secure boot was working fine.

  2. Now that I am able to secure boot to the OS, are there things I could do to make secure boot work without TPM?





uefi secure-boot tpm







share|improve this question




























  • you shouldn't have installed the driver from website. for both Nvidia and AMD the cleanest and most up-to-date way is through PPA. for future reference : sudo add-apt-repository ppa:oibaf/graphics-drivers -y && sudo apt-get update then open software and Updates and go to the drivers tab and install it.

    – tatsu
    Jun 10 at 7:45











  • Thanks @tatsu. I'll keep this in mind in the future. Any clue why my system now requires TPM to be ON in order to boot? With TPM OFF, regardless of whether Secure Boot is ON or OFF, I can neither boot from the boot disk nor from the LiveUSB; both generate the error message shown above.

    – AC-DC
    Jun 10 at 13:53












  • no unfortunately.

    – tatsu
    Jun 10 at 13:54

















1

















I'm unable to boot Ubuntu 18.04.2 LTS or its Live USB after enrolling MOK. Here are the steps that led to this situation.



  1. Clean install of Ubuntu 18.04.2 LTS on Dell Precision T7910 workstation. No other OS installed on this machine.

  2. The OS installed using a UEFI LiveUSB. Secure Boot ON.

  3. Installed nvidia-430 proprietary driver for an Nvidia Titan-X graphics card. Installation prompted me for a password to enroll with MOK. When rebooting, MOK Management screen asked for the password to enroll the key. I successfully enrolled the key. I've rebooted the system several times since. Everything worked fine.

  4. Had a motherboard failure. Replaced with a new motherboard. System booted fine after resetting the Dell Service Tag. Rebooted a couple of times with Secure Boot ON. No problems.

  5. Replaced the Nvidia graphics card with an AMD card. Default driver in Ubuntu worked fine. But I wanted to use the latest driver. Downloaded the driver from AMD website. Installation prompted me to set a password to enroll the key with MOK. Rebooted the machine. Enrolled the key with MOK using the same password. Upon rebooting, I'm now faced with the following error following which, the machine shuts off.


Unable to trigger tcg2 final events table: Invalid Parameter



Something has gone seriously wrong: import_mok_state() failed



: Invalid Parameter




Booting from Ubuntu's LiveUSB installer shows the same error message followed by machine shutdown. I get this error message regardless of whether Secure Boot is set to ON or OFF.



I can successfully boot the LiveUSB in legacy mode. But then I can't use the efibootmgr utility (see the 2nd answer here) to fix the loaders in the EFI partition. In order to use the efibootmgr utility, I need to boot in UEFI mode. But attempting to boot Ubuntu Live USB in UEFI mode results in the error message above and system shutdown.



I found another related thread here. However, since I can't boot from the LiveUSB in UEFI mode, I can't perform any EFI operations.



I was able to boot system rescue cd with Secure Boot ON. I deleted all partitions on the boot disk. Tried to reinstall Ubuntu from LiveUSB but faced with the same error message. I successfully installed Windows 10 which booted fine in secure mode. Next, I deleted all partitions again and decided to take a closer look at all the BIOS settings.



Turned on TPM. And now I can boot from the LiveUSB in Secure Boot mode. But if I turn off TPM, it reverts to the earlier error message. With TPM on, I reinstalled the OS from the LiveUSB. Chose to install additional video drivers which asked me to set a password for enrolling keys with Mok. Upon reboot, Mok Manager showed up and asked me for the password to enroll keys. I complied and now I can boot Ubuntu from the boot disk (as long as TPM is set to ON).



Questions:



  1. Why does TPM need to be ON for secure boot to work fine? It wasn't
    ON the first time I installed ubuntu and secure boot was working fine.

  2. Now that I am able to secure boot to the OS, are there things I could do to make secure boot work without TPM?





uefi secure-boot tpm







share|improve this question




























  • you shouldn't have installed the driver from website. for both Nvidia and AMD the cleanest and most up-to-date way is through PPA. for future reference : sudo add-apt-repository ppa:oibaf/graphics-drivers -y && sudo apt-get update then open software and Updates and go to the drivers tab and install it.

    – tatsu
    Jun 10 at 7:45











  • Thanks @tatsu. I'll keep this in mind in the future. Any clue why my system now requires TPM to be ON in order to boot? With TPM OFF, regardless of whether Secure Boot is ON or OFF, I can neither boot from the boot disk nor from the LiveUSB; both generate the error message shown above.

    – AC-DC
    Jun 10 at 13:53












  • no unfortunately.

    – tatsu
    Jun 10 at 13:54













1












1








1








I'm unable to boot Ubuntu 18.04.2 LTS or its Live USB after enrolling MOK. Here are the steps that led to this situation.



  1. Clean install of Ubuntu 18.04.2 LTS on Dell Precision T7910 workstation. No other OS installed on this machine.

  2. The OS installed using a UEFI LiveUSB. Secure Boot ON.

  3. Installed nvidia-430 proprietary driver for an Nvidia Titan-X graphics card. Installation prompted me for a password to enroll with MOK. When rebooting, MOK Management screen asked for the password to enroll the key. I successfully enrolled the key. I've rebooted the system several times since. Everything worked fine.

  4. Had a motherboard failure. Replaced with a new motherboard. System booted fine after resetting the Dell Service Tag. Rebooted a couple of times with Secure Boot ON. No problems.

  5. Replaced the Nvidia graphics card with an AMD card. Default driver in Ubuntu worked fine. But I wanted to use the latest driver. Downloaded the driver from AMD website. Installation prompted me to set a password to enroll the key with MOK. Rebooted the machine. Enrolled the key with MOK using the same password. Upon rebooting, I'm now faced with the following error following which, the machine shuts off.


Unable to trigger tcg2 final events table: Invalid Parameter



Something has gone seriously wrong: import_mok_state() failed



: Invalid Parameter




Booting from Ubuntu's LiveUSB installer shows the same error message followed by machine shutdown. I get this error message regardless of whether Secure Boot is set to ON or OFF.



I can successfully boot the LiveUSB in legacy mode. But then I can't use the efibootmgr utility (see the 2nd answer here) to fix the loaders in the EFI partition. In order to use the efibootmgr utility, I need to boot in UEFI mode. But attempting to boot Ubuntu Live USB in UEFI mode results in the error message above and system shutdown.



I found another related thread here. However, since I can't boot from the LiveUSB in UEFI mode, I can't perform any EFI operations.



I was able to boot system rescue cd with Secure Boot ON. I deleted all partitions on the boot disk. Tried to reinstall Ubuntu from LiveUSB but faced with the same error message. I successfully installed Windows 10 which booted fine in secure mode. Next, I deleted all partitions again and decided to take a closer look at all the BIOS settings.



Turned on TPM. And now I can boot from the LiveUSB in Secure Boot mode. But if I turn off TPM, it reverts to the earlier error message. With TPM on, I reinstalled the OS from the LiveUSB. Chose to install additional video drivers which asked me to set a password for enrolling keys with Mok. Upon reboot, Mok Manager showed up and asked me for the password to enroll keys. I complied and now I can boot Ubuntu from the boot disk (as long as TPM is set to ON).



Questions:



  1. Why does TPM need to be ON for secure boot to work fine? It wasn't
    ON the first time I installed ubuntu and secure boot was working fine.

  2. Now that I am able to secure boot to the OS, are there things I could do to make secure boot work without TPM?





uefi secure-boot tpm







share|improve this question

















I'm unable to boot Ubuntu 18.04.2 LTS or its Live USB after enrolling MOK. Here are the steps that led to this situation.



  1. Clean install of Ubuntu 18.04.2 LTS on Dell Precision T7910 workstation. No other OS installed on this machine.

  2. The OS installed using a UEFI LiveUSB. Secure Boot ON.

  3. Installed nvidia-430 proprietary driver for an Nvidia Titan-X graphics card. Installation prompted me for a password to enroll with MOK. When rebooting, MOK Management screen asked for the password to enroll the key. I successfully enrolled the key. I've rebooted the system several times since. Everything worked fine.

  4. Had a motherboard failure. Replaced with a new motherboard. System booted fine after resetting the Dell Service Tag. Rebooted a couple of times with Secure Boot ON. No problems.

  5. Replaced the Nvidia graphics card with an AMD card. Default driver in Ubuntu worked fine. But I wanted to use the latest driver. Downloaded the driver from AMD website. Installation prompted me to set a password to enroll the key with MOK. Rebooted the machine. Enrolled the key with MOK using the same password. Upon rebooting, I'm now faced with the following error following which, the machine shuts off.


Unable to trigger tcg2 final events table: Invalid Parameter



Something has gone seriously wrong: import_mok_state() failed



: Invalid Parameter




Booting from Ubuntu's LiveUSB installer shows the same error message followed by machine shutdown. I get this error message regardless of whether Secure Boot is set to ON or OFF.



I can successfully boot the LiveUSB in legacy mode. But then I can't use the efibootmgr utility (see the 2nd answer here) to fix the loaders in the EFI partition. In order to use the efibootmgr utility, I need to boot in UEFI mode. But attempting to boot Ubuntu Live USB in UEFI mode results in the error message above and system shutdown.



I found another related thread here. However, since I can't boot from the LiveUSB in UEFI mode, I can't perform any EFI operations.



I was able to boot system rescue cd with Secure Boot ON. I deleted all partitions on the boot disk. Tried to reinstall Ubuntu from LiveUSB but faced with the same error message. I successfully installed Windows 10 which booted fine in secure mode. Next, I deleted all partitions again and decided to take a closer look at all the BIOS settings.



Turned on TPM. And now I can boot from the LiveUSB in Secure Boot mode. But if I turn off TPM, it reverts to the earlier error message. With TPM on, I reinstalled the OS from the LiveUSB. Chose to install additional video drivers which asked me to set a password for enrolling keys with Mok. Upon reboot, Mok Manager showed up and asked me for the password to enroll keys. I complied and now I can boot Ubuntu from the boot disk (as long as TPM is set to ON).



Questions:



  1. Why does TPM need to be ON for secure boot to work fine? It wasn't
    ON the first time I installed ubuntu and secure boot was working fine.

  2. Now that I am able to secure boot to the OS, are there things I could do to make secure boot work without TPM?





uefi secure-boot tpm




uefi secure-boot tpm






share|improve this question
















share|improve this question













share|improve this question




share|improve this question








edited Jun 10 at 11:57







AC-DC

















asked Jun 10 at 4:27









AC-DCAC-DC

516 bronze badges




516 bronze badges















  • you shouldn't have installed the driver from website. for both Nvidia and AMD the cleanest and most up-to-date way is through PPA. for future reference : sudo add-apt-repository ppa:oibaf/graphics-drivers -y && sudo apt-get update then open software and Updates and go to the drivers tab and install it.

    – tatsu
    Jun 10 at 7:45











  • Thanks @tatsu. I'll keep this in mind in the future. Any clue why my system now requires TPM to be ON in order to boot? With TPM OFF, regardless of whether Secure Boot is ON or OFF, I can neither boot from the boot disk nor from the LiveUSB; both generate the error message shown above.

    – AC-DC
    Jun 10 at 13:53












  • no unfortunately.

    – tatsu
    Jun 10 at 13:54

















  • you shouldn't have installed the driver from website. for both Nvidia and AMD the cleanest and most up-to-date way is through PPA. for future reference : sudo add-apt-repository ppa:oibaf/graphics-drivers -y && sudo apt-get update then open software and Updates and go to the drivers tab and install it.

    – tatsu
    Jun 10 at 7:45











  • Thanks @tatsu. I'll keep this in mind in the future. Any clue why my system now requires TPM to be ON in order to boot? With TPM OFF, regardless of whether Secure Boot is ON or OFF, I can neither boot from the boot disk nor from the LiveUSB; both generate the error message shown above.

    – AC-DC
    Jun 10 at 13:53












  • no unfortunately.

    – tatsu
    Jun 10 at 13:54
















you shouldn't have installed the driver from website. for both Nvidia and AMD the cleanest and most up-to-date way is through PPA. for future reference : sudo add-apt-repository ppa:oibaf/graphics-drivers -y && sudo apt-get update then open software and Updates and go to the drivers tab and install it.

– tatsu
Jun 10 at 7:45





you shouldn't have installed the driver from website. for both Nvidia and AMD the cleanest and most up-to-date way is through PPA. for future reference : sudo add-apt-repository ppa:oibaf/graphics-drivers -y && sudo apt-get update then open software and Updates and go to the drivers tab and install it.

– tatsu
Jun 10 at 7:45













Thanks @tatsu. I'll keep this in mind in the future. Any clue why my system now requires TPM to be ON in order to boot? With TPM OFF, regardless of whether Secure Boot is ON or OFF, I can neither boot from the boot disk nor from the LiveUSB; both generate the error message shown above.

– AC-DC
Jun 10 at 13:53






Thanks @tatsu. I'll keep this in mind in the future. Any clue why my system now requires TPM to be ON in order to boot? With TPM OFF, regardless of whether Secure Boot is ON or OFF, I can neither boot from the boot disk nor from the LiveUSB; both generate the error message shown above.

– AC-DC
Jun 10 at 13:53














no unfortunately.

– tatsu
Jun 10 at 13:54





no unfortunately.

– tatsu
Jun 10 at 13:54










1 Answer
1






active

oldest

votes


















1


















After a lot of searching, I found the following here:




The EUFI contains a database of registered trusted authorities. Users
can add their own trusted authorities to this database in order to
enable the loading of non-Microsoft operating systems.



This is where Trusted Platform Modules (TPMs) are used. TPMs can be
used to store keys, or perform encryption/signing/verification
routines. The TPM combined with the UEFI is what allows for the
verification of the boot loader, and the loading of an operating
system.




So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.



TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.



With this understanding, I then used this article to remove old and unnecessary keys.






share|improve this answer



























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "89"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/4.0/"u003ecc by-sa 4.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );














    draft saved

    draft discarded
















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1149920%2fcant-boot-ubuntu-18-04-2-lts-or-its-liveusb-after-enrolling-mok%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown


























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1


















    After a lot of searching, I found the following here:




    The EUFI contains a database of registered trusted authorities. Users
    can add their own trusted authorities to this database in order to
    enable the loading of non-Microsoft operating systems.



    This is where Trusted Platform Modules (TPMs) are used. TPMs can be
    used to store keys, or perform encryption/signing/verification
    routines. The TPM combined with the UEFI is what allows for the
    verification of the boot loader, and the loading of an operating
    system.




    So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.



    TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.



    With this understanding, I then used this article to remove old and unnecessary keys.






    share|improve this answer






























      1


















      After a lot of searching, I found the following here:




      The EUFI contains a database of registered trusted authorities. Users
      can add their own trusted authorities to this database in order to
      enable the loading of non-Microsoft operating systems.



      This is where Trusted Platform Modules (TPMs) are used. TPMs can be
      used to store keys, or perform encryption/signing/verification
      routines. The TPM combined with the UEFI is what allows for the
      verification of the boot loader, and the loading of an operating
      system.




      So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.



      TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.



      With this understanding, I then used this article to remove old and unnecessary keys.






      share|improve this answer




























        1














        1










        1









        After a lot of searching, I found the following here:




        The EUFI contains a database of registered trusted authorities. Users
        can add their own trusted authorities to this database in order to
        enable the loading of non-Microsoft operating systems.



        This is where Trusted Platform Modules (TPMs) are used. TPMs can be
        used to store keys, or perform encryption/signing/verification
        routines. The TPM combined with the UEFI is what allows for the
        verification of the boot loader, and the loading of an operating
        system.




        So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.



        TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.



        With this understanding, I then used this article to remove old and unnecessary keys.






        share|improve this answer














        After a lot of searching, I found the following here:




        The EUFI contains a database of registered trusted authorities. Users
        can add their own trusted authorities to this database in order to
        enable the loading of non-Microsoft operating systems.



        This is where Trusted Platform Modules (TPMs) are used. TPMs can be
        used to store keys, or perform encryption/signing/verification
        routines. The TPM combined with the UEFI is what allows for the
        verification of the boot loader, and the loading of an operating
        system.




        So it appears that proprietary Nvidia and AMD display drivers want to store their keys in the TPM.



        TPM has two mode settings that are confusing - Active and Enabled. They mean different things. Active shows up as "TPM on" checkbox on my Dell Precision workstation. In this state, some functions of TPM are available. These include key storage and lookup. "Enabled" means that the TPM is fully functional; it can be used for things such as encrypting disks. This explains why TPM must be "on" or "active" for Ubuntu to boot (especially with proprietary display drivers) but it's not necessary to "enable" the TPM for Secure Boot.



        With this understanding, I then used this article to remove old and unnecessary keys.







        share|improve this answer













        share|improve this answer




        share|improve this answer










        answered Jun 14 at 18:50









        AC-DCAC-DC

        516 bronze badges




        516 bronze badges































            draft saved

            draft discarded















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1149920%2fcant-boot-ubuntu-18-04-2-lts-or-its-liveusb-after-enrolling-mok%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown









            -

            Popular posts from this blog

            Tamil (spriik) Luke uk diar | Nawigatjuun

            Image
            Fering ArtiikelDrawiidisk Spriiken SölringÖömrangFeringHalunderHalifreeskMooringWiringhiirderKarhiirderGooshiirderDrawiidisk SpriikTamil NaduIndienSri Lanka (function()var node=document.getElementById("mw-dismissablenotice-anonplace");if(node)node.outerHTML="u003Cdiv class="mw-dismissable-notice"u003Eu003Cdiv class="mw-dismissable-notice-close"u003E[u003Ca tabindex="0" role="button"u003EFersteegu003C/au003E]u003C/divu003Eu003Cdiv class="mw-dismissable-notice-body"u003Eu003Cdiv id="localNotice" lang="frr" dir="ltr"u003Eu003Cdiv id="sitenotice"u003Enu003Ccenteru003Enu003Ctable class="rahmenfarbe4" style="border-style: solid; border-width: thin; width: 70%;"u003Ennu003Ctbodyu003Eu003Ctru003Enu003Ctd style="text-align:center;"u003Eu003Ca href="/wiki/Datei:Nordfriesischeflagge.svg" class="image"u003Eu003Cimg alt="Nordfriesische
            Read more

            Align equal signs while including text over equalitiesAMS align: left aligned text/math plus multicolumn alignmentMultiple alignmentsAligning equations in multiple placesNumbering and aligning an equation with multiple columnsHow to align one equation with another multline equationUsing \ in environments inside the begintabularxNumber equations and preserving alignment of equal signsHow can I align equations to the left and to the right?Double equation alignment problem within align enviromentAligned within align: Why are they right-aligned?

            Image
            Why didn't the Universal Translator speak whale? What is /dev/null and why can't I use hx on it? The work of mathematicians outside their professional environment Does the DOJ's declining to investigate the Trump-Zelensky call ruin the basis for impeachment? Are there any tricks to pushing a grand piano? Maintaining distance Does it require less energy to reach the Sun from Pluto's orbit than from Earth's orbit? Object Oriented Design: Where to place behavior that pertains to more than one type of object? Choice of solvent during thin layer chromatography How to catch creatures that can predict the next few minutes? Use floats or doubles when writing mobile games How come the Russian cognate for the Czech word "čerstvý" (fresh) means entirely the opposite thing (stale)? What are the limits on an impeached and not convicted president? How to calculate Limit of this sequence Bash-script as linux-service won't run, but executed
            Read more

            Where does the image of a data connector as a sharp metal spike originate from?Where does the concept of infected people turning into zombies only after death originate from?Where does the motif of a reanimated human head originate?Where did the notion that Dragons could speak originate?Where does the archetypal image of the 'Grey' alien come from?Where did the suffix '-Man' originate?Where does the notion of being injured or killed by an illusion originate?Where did the term “sophont” originate?Where does the trope of magic spells being driven by advanced technology originate from?Where did the term “the living impaired” originate?

            Image
            Automatically extend a Python list to N elements if it's too short? Fired for a policy I didnt know about, as well as another false reason Why isn't tilde recognised as home folder in this case? When does an Artillerist's Cannon have disadvantage? How large should a hole be for a bolt to go through? When is TeX better than LaTeX? How to determine if drill is suitable for concrete? Huygens Lander: Why The Short Battery Life? Why do people use bigger cassettes for lower gearing when they could instead use smaller chainrings? Is there a difference between downloading / installing a list of packages and downloading each packge by its own? Question about exercise 21.10 in The TeXbook How to publish a page using tridion core service client in sdl web 8.5 Can one get into trouble if one doesn't show up at the gate 30 minutes before departure (or whatever time window the boarding pass is indicating)? Does an action-reaction pair always contain the same
            Read more