  1. #1
    ROG Enthusiast

    Rampage V Extreme can't enroll MOK in UEFI using Linux (Ubuntu Bionic)

    Hi!

    I've recently opted for enabling secure boot on all my computers, and success came easy with all of them save my primary (the R5E). In that box, I kept getting blocked by a failure to enroll an MOK in UEFI from Linux (Ubuntu Bionic) using mokutil.

    The invocation to
    Code:
    mokutil --import ${mok_key_file}.der
    would successfully request the passwords, but then fail miserably when trying to update the UEFI variables. Running strace on the process, I'm able to see it create the MokNew variable, as expected, but it then gets an EINVAL error when trying to unlink() the same "file" (in /sys/firmware/efi/efivars). As to why it's trying to unlink() a file it just created moments earlier, I don't know.

    What I do know is that when I run an rm on the (empty, invalid) MokNew variable that failed to unlink earlier, everything is hunky-dory and I can remove the file.

    So...

    My first instinct is to think of an issue with mokutil, but then I realize that it worked flawlessly in 4 different computers with different hardware so far (I can only presume following the same create-then-unlink() pattern as is failing here).

    Then I also realize that mokutil is also unable to alter the secure boot mode (
    Code:
    mokutil --enable-validation
    or
    Code:
    mokutil --disable-validation
    ) with a similar issue (the error is "Failed to request new MokSB state"). Booting the kernel with efi_no_storage_paranoia was no help (I thought perhaps the UEFI NVRAM was running low).

    So I ask you, oh R5E gods: any ideas?

    I know I could try to import the certificate directly into the DB, but that's probably not the correct way to do the enrollment. Yes, it would work, but it's not consistent with how things SHOULD be done. And I'd very much like to keep the secure boot encryption stuff as kosher as possible.

    So...thoughts?

    Thanks!
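
Added example, not part of the original post or of mokutil: a read-only check of the Mok request variables under /sys/firmware/efi/efivars, which tells an empty leftover MokNew (as described above) apart from a request that was actually stored. It relies on the efivarfs file layout (a 4-byte little-endian attribute word followed by the variable data) and on shim's vendor GUID; the function names are hypothetical.

```python
import struct
import sys
from pathlib import Path

# Vendor GUID that shim and mokutil use for the Mok* variables.
SHIM_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
# Request variables mokutil writes for MokManager to act on at next boot.
REQUESTS = ("MokNew", "MokAuth", "MokSB")
# Attribute bits defined by the UEFI specification.
ATTRS = {0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS",
         0x04: "RUNTIME_ACCESS", 0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS",
         0x40: "APPEND_WRITE"}


def decode_efivar(raw: bytes):
    """Return (attribute names, payload length), or None if the header is missing."""
    if len(raw) < 4:
        return None  # e.g. the empty MokNew left behind in the post
    (word,) = struct.unpack_from("<I", raw)
    return [name for bit, name in ATTRS.items() if word & bit], len(raw) - 4


def pending_requests(efivars: Path) -> dict:
    """Map each Mok request variable to 'absent', 'empty', or its decoded state."""
    report = {}
    for name in REQUESTS:
        path = efivars / f"{name}-{SHIM_GUID}"
        if not path.exists():
            report[name] = "absent"
            continue
        decoded = decode_efivar(path.read_bytes())
        if decoded is None:
            report[name] = "empty"  # file exists but holds no header or data
        else:
            attrs, size = decoded
            report[name] = f"{size} bytes [{'|'.join(attrs)}]"
    return report


if __name__ == "__main__":
    # Default path is the one named in the post; pass another directory to test.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else "/sys/firmware/efi/efivars")
    for var, state in pending_requests(root).items():
        print(f"{var}: {state}")
```

Run it right after a failed `mokutil --import`: "empty" for MokNew matches the leftover file described in the post, while a byte count with attributes means the request was stored for the next boot.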

  2. #2
    ROG Enthusiast

    Forgot to mention: I'm on BIOS 3801. Cheers!

  3. #3
    ROG Guru: Yellow Belt, Zarathustraa
    Zarathustraa PC Specs
    Motherboard: Rampage V Extreme
    Processor: i7 5930k
    Memory (part number): F4-3000C15Q-32GRK
    Graphics Card #1: Dragon 660ti 2GD5
    Monitor: 3 x VG27AH
    Storage #1: 850 Pro 1TB
    Storage #2: 850 Pro 256GB
    CPU Cooler: Noctua Nh-D15
    Case: Corsair 780T
    Power Supply: Corsair AX1500i
    Keyboard: Kinesis Advantage
    Mouse: Logitech G502
    OS: Windows 8.1, and Linux Mint
    Accessory #1: Aquaero 6xt


    You can try this. https://wiki.archlinux.org/index.php/Secure_Boot

    That should sign all of the kernels correctly; but, I've always given up on enrolling the new keys.

    I have had some luck using refind, and mok in the past. http://www.rodsbooks.com/refind/secureboot.html

  4. #4
    ROG Enthusiast

    Originally posted by Zarathustraa:
    > You can try this. https://wiki.archlinux.org/index.php/Secure_Boot
    >
    > That should sign all of the kernels correctly; but, I've always given up on enrolling the new keys.
    >
    > I have had some luck using refind, and mok in the past. http://www.rodsbooks.com/refind/secureboot.html

    Thanks!! As I said above, I can get everything signed and running using the MOK from the installation if I import the key into the UEFI key DB. However, I'd just as soon avoid that since that's not what the UEFI DB is meant for.

    So I'm really just looking to see if it's a configuration issue preventing me from enrolling the keys.

    Cheers!

  5. #5
    ROG Guru: Yellow Belt, Zarathustraa

    You just need to play around with SHIM and MOK till you can get things working. I believe this should help, even if you're not using rEFInd. http://www.rodsbooks.com/refind/secureboot.html
