BIOS — Secure Boot Setup on Dual / Single Boot machines

Varun
Feb 8, 2024

Secure Boot, a feature present in the BIOS menu of most systems, mandates that all system-level drivers must be “signed” or approved as authentic software. While this ensures the integrity of the system, it poses a challenge for Ubuntu users who may need unsigned drivers for components like wireless cards, video cards, or specialized hardware. These unsigned drivers, crucial for proper functionality, won’t load when Secure Boot is enabled. To address this, users must obtain signed versions of each driver to enable their smooth operation.

An easy fix would be to disable Secure Boot, but this would cause issues in loading Windows. In addition, if you’re working as part of an org that needs Secure Boot to be enabled as part of its security requirements, we’d need to enroll keys to make sure the user is authentic and is installing drivers / packages after getting them “signed” using a key.

The few simple steps / commands below can help achieve this:

  • Install mokutil
sudo apt install -y mokutil
  • Check secure boot state
sudo mokutil --sb-state
  • Disable validation
sudo mokutil --disable-validation

The above command asks you to enter a password that will be used later.

  • Reboot the system
sudo reboot
  • You’ll be presented with a blue screen once the machine reboots. Select the ‘Change Secure Boot state’ option and disable it.
  • Enter the different characters of your password (the one set during sudo mokutil --disable-validation) as prompted
  • Once the above steps are done, the machine will reboot and you can then install the drivers / packages that you need. For example, I will be installing Nvidia drivers
sudo apt install -y nvidia-driver-535
  • Do not panic when you get the prompt below; it will ask you to enter a password. You can set the same password as set earlier.
  • Once the package(s) are installed, enable validation and reboot
sudo mokutil --enable-validation
  • Reboot the machine again.
sudo reboot
  • On the blue screen, select ‘Enroll MOK’, then ‘View Key’, and reboot
  • After the system reboots, you can see your Nvidia drivers loaded using:
nvidia-smi
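
As an added check (example code written for this walkthrough, not from the original post): after the last reboot, confirm that Secure Boot and shim validation are enforcing again and that the driver module carries a signature. The function names, the module name nvidia and the mokutil output strings matched here are assumptions.

```shell
#!/bin/sh
# Added example: post-procedure check of Secure Boot state and module signature.
# Assumption: `mokutil --sb-state` prints lines such as "SecureBoot enabled",
# "SecureBoot disabled" and "SecureBoot validation is disabled in shim".

# classify_sb_state TEXT -> enforcing | shim-validation-off | disabled | unknown
classify_sb_state() {
    case "$1" in
        # Firmware may still report "enabled" while shim skips verification,
        # so the validation line is tested first.
        *"validation is disabled"*) echo "shim-validation-off" ;;
        *"SecureBoot enabled"*)     echo "enforcing" ;;
        *"SecureBoot disabled"*)    echo "disabled" ;;
        *)                          echo "unknown" ;;
    esac
}

# module_is_signed SIGNER_TEXT -> success when modinfo reported a non-empty signer
module_is_signed() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# report STATE_TEXT SIGNER_TEXT -> one-line verdict; success only if both checks pass
report() {
    state=$(classify_sb_state "$1")
    if [ "$state" != "enforcing" ]; then
        echo "FAIL: Secure Boot state is $state"
        return 1
    fi
    if ! module_is_signed "$2"; then
        echo "FAIL: module has no signer field"
        return 1
    fi
    echo "OK: enforcing, module signed by: $2"
}

# Live use on the machine itself: sh <this-script> --live [module]
# The module name defaults to nvidia (assumed name of the driver's kernel module).
if [ "${1:-}" = "--live" ]; then
    report "$(mokutil --sb-state 2>&1)" \
           "$(modinfo -F signer "${2:-nvidia}" 2>/dev/null)"
fi
```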
