Rampage V Extreme can't enroll MOK in UEFI using Linux (Ubuntu Bionic)

GoatHumper
Level 7
Hi!

I've recently opted for enabling secure boot on all my computers, and success came easy with all of them save my primary (the R5E). In that box, I kept getting blocked by a failure to enroll an MOK in UEFI from Linux (Ubuntu Bionic) using mokutil.

The invocation
mokutil --import ${mok_key_file}.der
would successfully request the passwords, but then fail miserably when trying to update the UEFI variables. Running strace on the process, I'm able to see it create the MokNew variable, as expected, but then it gets an EINVAL error when trying to unlink() the same "file" (in /sys/firmware/efi/efivars). As to why it's trying to unlink() a file it just created moments earlier, I don't know.

What I do know is that when I run an rm on the (empty, invalid) MokNew variable that failed to unlink earlier, everything is hunky-dory and I can remove the file.

So...

My first instinct is to think of an issue with mokutil, but then I realize that it worked flawlessly in 4 different computers with different hardware so far (I can only presume following the same create-then-unlink() pattern as is failing here).

Then I also realize that mokutil is unable to alter the secure boot mode (mokutil --enable-validation or mokutil --disable-validation) with a similar issue (the error is "Failed to request new MokSB state"). Booting the kernel with efi_no_storage_paranoia was no help (I thought perhaps the UEFI NVRAM was running low).

So I ask you, oh R5E gods: any ideas?

I know I could try to import the certificate directly into the DB, but that's probably not the correct way to do the enrollment. Yes, it would work, but it's not consistent with how things SHOULD be done. And I'd very much like to keep the secure boot encryption stuff as kosher as possible.

So...thoughts?

Thanks!
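As an added example (not the poster's code and not mokutil's own source), the following Python tool builds the MokNew blob that a mokutil --import of one or more DER certificates is expected to write, parses such a blob back, and classifies the Mok* files under /sys/firmware/efi/efivars so that an attribute-word-only stale MokNew (the "empty, invalid" file described above) can be told apart from a populated or malformed one. Assumptions, labelled in the code: efivarfs files carry a 4-byte little-endian attribute word before the variable data; MokNew/MokList/MokDel data is a sequence of EFI_SIGNATURE_LIST entries whose SignatureType is EFI_CERT_X509_GUID (or EFI_CERT_SHA256_GUID for hash entries) with shim's GUID as SignatureOwner; and the attribute value 0x7 (non-volatile, boot-service and runtime access) for MokNew. The certificate bytes used when the script is run are constructed placeholders, not a real DER certificate.

```python
"""Build, parse and classify MokNew-style efivarfs blobs (added example)."""
import os
import struct
import uuid

# GUIDs from the UEFI spec and shim; the efivarfs file name is <Name>-<vendor GUID>.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")
EFIVARS_DIR = "/sys/firmware/efi/efivars"
# Assumption: NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS for MokNew.
MOK_ATTRS = 0x1 | 0x2 | 0x4
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (28 bytes, little-endian).
SIGLIST_HDR = struct.Struct("<16sIII")
# Variables that share the EFI_SIGNATURE_LIST layout (assumed from shim's use).
LIST_VARS = ("MokNew", "MokList", "MokDel")


def build_mok_new(der_certs, attrs=MOK_ATTRS):
    """Return the complete efivarfs file content for MokNew: attribute word
    followed by one EFI_SIGNATURE_LIST (X.509 type, owner = shim) per cert."""
    body = b""
    for der in der_certs:
        sig_size = 16 + len(der)                  # SignatureOwner GUID + cert
        list_size = SIGLIST_HDR.size + sig_size   # SignatureHeaderSize is 0
        body += SIGLIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le, list_size, 0, sig_size)
        body += SHIM_LOCK_GUID.bytes_le + der
    return struct.pack("<I", attrs) + body


def parse_sig_lists(blob):
    """Parse an efivarfs blob into (attrs, [(sig_type_uuid, data), ...]).
    Raises ValueError on truncated or inconsistent lists instead of guessing."""
    if len(blob) < 4:
        raise ValueError("shorter than the 4-byte efivarfs attribute word")
    attrs = struct.unpack_from("<I", blob, 0)[0]
    off, entries = 4, []
    while off < len(blob):
        if len(blob) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        raw_type, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=raw_type)
        if off + list_size > len(blob) or list_size < SIGLIST_HDR.size + hdr_size:
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_type not in (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID):
            raise ValueError(f"unexpected SignatureType {sig_type} at offset {off}")
        if sig_size <= 16:
            raise ValueError(f"SignatureSize {sig_size} leaves no data after the owner GUID")
        sigs = blob[off + SIGLIST_HDR.size + hdr_size: off + list_size]
        if not sigs or len(sigs) % sig_size:
            raise ValueError(f"signature array of {len(sigs)} bytes is not a multiple of {sig_size}")
        for i in range(0, len(sigs), sig_size):
            entries.append((sig_type, sigs[i + 16: i + sig_size]))  # skip SignatureOwner
        off += list_size
    return attrs, entries


def classify_mok_var(path):
    """Classify one Mok* efivarfs file: 'missing', 'stale' (attribute word only,
    the empty MokNew left behind by a failed import), 'ok:<n>' or 'malformed:<why>'."""
    if not os.path.exists(path):
        return "missing"
    with open(path, "rb") as f:
        blob = f.read()
    if len(blob) <= 4:
        return "stale"
    try:
        _, entries = parse_sig_lists(blob)
    except ValueError as e:
        return f"malformed:{e}"
    return f"ok:{len(entries)}"


def scan_mok_vars(efivars_dir=EFIVARS_DIR):
    """Return {file name: classification} for the list-type Mok* variables in
    efivars_dir; other Mok* files (MokSB, MokAuth, ...) are reported by size only."""
    result = {}
    for name in sorted(os.listdir(efivars_dir)):
        if not name.startswith("Mok"):
            continue
        path = os.path.join(efivars_dir, name)
        if name.startswith(LIST_VARS):
            result[name] = classify_mok_var(path)
        else:
            result[name] = f"present:{os.path.getsize(path)}"
    return result


if __name__ == "__main__":
    # Constructed placeholder, not a real certificate: shows the blob layout.
    demo = build_mok_new([b"\x30\x82\x01\x00" + b"A" * 20])
    print(f"demo MokNew blob: {len(demo)} bytes, attrs=0x{demo[0]:x}")
    if os.path.isdir(EFIVARS_DIR):
        for name, state in scan_mok_vars().items():
            print(f"{name}: {state}")
```

Run it as root on the affected box after a failed mokutil --import: a MokNew-605dab50-... entry reported as "stale" is the attribute-word-only file the poster had to rm by hand. Note that on kernels from 4.5 onward efivarfs marks variable files immutable, so a plain rm on such a file fails with "Operation not permitted" until `chattr -i` has been run on it first; that is separate from the EINVAL the poster saw on unlink().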

GoatHumper
Level 7
Forgot to mention: I'm on BIOS 3801. Cheers!

Zarathustraa
Level 7
You can try this. https://wiki.archlinux.org/index.php/Secure_Boot

That should sign all of the kernels correctly; but, I've always given up on enrolling the new keys.

I have had some luck using refind, and mok in the past. http://www.rodsbooks.com/refind/secureboot.html

Zarathustraa wrote:
You can try this. https://wiki.archlinux.org/index.php/Secure_Boot

That should sign all of the kernels correctly; but, I've always given up on enrolling the new keys.

I have had some luck using refind, and mok in the past. http://www.rodsbooks.com/refind/secureboot.html

Thanks!! As I said above, I can get everything signed and running using the MOK from the installation if I import the key into the UEFI key DB. However, I'd just as soon avoid that since that's not what the UEFI DB is meant for.

So I'm really just looking to see if it's a configuration issue preventing me from enrolling the keys.

Cheers!

Zarathustraa
Level 7
You just need to play around with SHIM and MOK till you can get things working. I believe this should help, even if you're not using rEFInd. http://www.rodsbooks.com/refind/secureboot.html