ValdikSS / Super-UEFIinSecureBoot-Disk

Super UEFIinSecureBoot Disk: Boot any OS or .efi file without disabling UEFI Secure Boot

Screen Freezes on "Perform MOK management" screen #11

Closed JazzTech closed 2 years ago

JazzTech commented 3 years ago

I have an MSI X570 ACE motherboard with a 5950X processor and the latest MSI BIOS firmware loaded.

I am attempting to register the ENROLL_THIS_KEY_IN_MOKMANAGER.cer keys in MOK Manager.

With SECURE BOOT=STANDARD (Enabled) in the UEFI BIOS, I booted from a USB drive loaded with the Super-UEFIinSecureBoot-Disk_v3 image.

When my system boots up, I see the expected Access Denied error message. But when I get to the Perform MOK management screen and select Enroll key from disk, the screen freezes and I have to power down the PC to reboot. I can't get to the screen that shows the ENROLL_THIS_KEY_IN_MOKMANAGER.cer file selection to register the keys.

ValdikSS commented 3 years ago

Try to use bootx64.efi and mmx64.efi from here: https://kojipkgs.fedoraproject.org//packages/shim/15.4/5/x86_64/shim-x64-15.4-5.x86_64.rpm

JazzTech commented 3 years ago

I put the BOOTX64.EFI (keeping the case the same) and mmx64.efi into the /EFI/BOOT directory. When I rebooted, I saw a Verification failed: (0x1A) Security Violation error screen. I suspect that I might need to put one (or both) of those files in a different directory, but not sure where.

JazzTech commented 3 years ago

I found a solution of sorts that got my MOK keys registered for my PC, though it required booting into Linux to get it accomplished. There is still an issue with the UEFIinSecureBoot image and my PC, but I do have a temporary work-around.

Note: I'll be happy to help you debug the issue by removing the MOK keys, if you are interested in pursuing this further.

For the work-around:

I found this Fedora page, which mentioned using the mokutil command to initiate the MOK key registration process and then using the MOKManager to complete the enrollment.

  1. First, I disabled Secure Boot in the UEFI BIOS to allow me to run from my USB drive.
  2. In an Ubuntu LiveDVD environment, I copied the ENROLL_THIS_KEY_IN_MOKMANAGER.cer certificate from the USB drive to my desktop, and then ran this command:

         sudo mokutil --import ~/Desktop/ENROLL_THIS_KEY_IN_MOKMANAGER.cer

  3. I was then prompted for a private password for the imported keys.
  4. After that, I rebooted to the Super-UEFIinSecureBoot-Disk_v3 USB drive. This time, MOKManager acted differently, and prompted me to enroll the queued MOK keys I had just imported in my previous Ubuntu session. I selected enrolling the MOK key, and then re-entered my key password. The MOKManager process now completed the enrollment without freezing.
  5. I finally re-enabled Secure Boot in my UEFI BIOS, and I can now boot into Super-UEFIinSecureBoot-Disk_v3 without a security failure.

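
The import step from the workaround above, wrapped in a pre-flight check. This is an added example, not part of the original comment or the project's own code. It assumes `mokutil` and `openssl` are installed, that it runs as root, and that `mokutil --import` expects a DER-encoded certificate; the function names `cert_encoding` and `queue_mok` are hypothetical.

```shell
#!/bin/sh
# Added example: check a certificate before queueing it for MOK enrollment.
# Assumption: mokutil --import accepts only DER-encoded X.509 certificates.

# Print "der", "pem" or "unknown" for the given file.
cert_encoding() {
    f=$1
    [ -r "$f" ] || { echo unknown; return 0; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
        return 0
    fi
    # A DER certificate starts with an ASN.1 SEQUENCE tag (0x30).
    first=$(od -A n -t x1 -N 1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then echo der; else echo unknown; fi
}

# Queue a certificate for enrollment; returns 2 if the file is not a cert.
queue_mok() {
    cert=$1; tmp=
    case $(cert_encoding "$cert") in
        der) der=$cert ;;
        pem) # Convert PEM to DER in a temporary file.
             tmp=$(mktemp) || return 1
             openssl x509 -in "$cert" -inform PEM -outform DER -out "$tmp" || return 1
             der=$tmp ;;
        *)   echo "not an X.509 certificate: $cert" >&2; return 2 ;;
    esac
    mokutil --sb-state || true   # informational only
    # Print subject and SHA-256 fingerprint so it is clear what will be trusted,
    # then queue the request (prompts for a password) and list pending requests.
    openssl x509 -in "$der" -inform DER -noout -subject -fingerprint -sha256 &&
    mokutil --import "$der" &&
    mokutil --list-new
    rc=$?
    [ -z "$tmp" ] || rm -f "$tmp"
    return "$rc"
}

# Run only when a certificate path is given on the command line.
if [ "$#" -gt 0 ]; then
    queue_mok "$1"
fi
```

As in the workaround, the enrollment itself is still completed in MOKManager on the next boot, using the password entered at the import prompt.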
ValdikSS commented 3 years ago

> I put the BOOTX64.EFI (keeping the case the same) and mmx64.efi into the /EFI/BOOT directory. When I rebooted, I saw a Verification failed: (0x1A) Security Violation error screen. I suspect that I might need to put one (or both) of those files in a different directory, but not sure where.

And it didn't ask to enroll the key on that screen?

JazzTech commented 3 years ago

No, that screen didn't ask to enroll a key - it would just keep rebooting to that same screen.

ValdikSS commented 2 years ago

Try https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk/releases/tag/3-2

JazzTech commented 2 years ago

Hi, @ValdikSS - I have been using the MOK management with a pre-packaged tool (Ventoy on ventoy.net).

I would like to try out your fixes. Is there an easy way to merge your updates into the Ventoy boot partition?

ValdikSS commented 2 years ago

@JazzTech, you can unpack the image and copy over files in EFI/BOOT, namely bootx64.efi, grubx64.efi, mmx64.efi

ValdikSS commented 2 years ago

Should be fixed in the 3-4.

Arcitec commented 1 year ago

Solved: https://github.com/ventoy/Ventoy/issues/1243#issuecomment-1366812283