lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

mokutil manager utility never loads on reboot #11

Closed YerongLi closed 6 years ago

YerongLi commented 6 years ago

Hi:

I tried this post on setting up virtualbox with secure boot enabled: https://stegard.net/2016/10/virtualbox-secure-boot-ubuntu-fail/ But on one of my ubuntu 16.04, after I finished this step and rebooted:

# mokutil --import /root/module-signing/MOK.der
input password:
input password again:

mokutil manager utility never loads on reboot. Could anyone help me figure out what happened?

I disabled fast boot with secure boot enabled.

lcp commented 6 years ago

There are two things you can check:

  1. After importing a key with mokutil, check if the request exists in /sys/firmware/efi/efivars/. If the request is created correctly, MokNew-605dab50-e046-4300-abb6-3dd810dd8b23 and MokAuth-605dab50-e046-4300-abb6-3dd810dd8b23 will be in the directory. You can also type "mokutil --list-new" to check the content of the key.

  2. Check if MokManager.efi or mmx64.efi exists in /boot/efi/EFI/<distro>/.

If 1. and 2. are set up correctly, then it's likely that the firmware cleared the variables for some reason.

lcp commented 6 years ago

BTW, if the firmware provides UEFI shell, get into the shell after importing a new key and type "dmpstore -all -b" to search for MokNew, so that we can know if the firmware clears the variables or not.

YerongLi commented 6 years ago

Thanks for your message!

I found that after

mokutil --import /root/module-signing/MOK.der

There are three Mok files in the directory /sys/firmware/efi/efivars/, and the machine does not delete them on reboot:

MokAuth-605dab50-e046-4300-abb6-3dd810dd8b23  MokNew-605dab50-e046-4300-abb6-3dd810dd8b23   MokSB-605dab50-e046-4300-abb6-3dd810dd8b23  

And "mokutil --list-new" outputs 9 keys in total.

And in the directory /boot/efi/EFI/, there are no *.efi files.

While in /boot/efi/EFI/ubuntu directory there are several *.efi files:

fw  fwupx64.efi  grub.cfg  grubx64.efi  mmx64.efi  shimx64.efi

And in directory there is one *.efi file:

bootx64.efi

Does mmx64.efi appear in the right place?

YerongLi commented 6 years ago

Should I type in the "dmpstore" command? It is not found on ubuntu 16.04:

# dmpstore -all -b
No command 'dmpstore' found, did you mean:
 Command 'mpstore' from package 'mpdtoys' (universe)
dmpstore: command not found

lcp commented 6 years ago

mmx64.efi is in the right place. I originally typed /boot/efi/EFI/<distro>/, but <distro> was treated as a tag and didn't show...

dmpstore is a command in the EFI shell, not in Linux, so you have to boot into an EFI shell (if your firmware provides it).

On the other hand, could you check if those Mok files still exist after reboot? Could you also paste the output of "efibootmgr -v"?

YerongLi commented 6 years ago

Thank you so much for your reply!

I am still not sure about the "dmpstore" and "EFI shell". But in my BIOS, I see an option "Launch EFI shell from filesystem device", and when I try to launch it, a warning pops up: Not Found.

And yes, those Mok files still exist after reboot:

/sys/firmware/efi/efivars# ls Mok*
MokAuth-605dab50-e046-4300-abb6-3dd810dd8b23
MokNew-605dab50-e046-4300-abb6-3dd810dd8b23
MokSB-605dab50-e046-4300-abb6-3dd810dd8b23

My "efibootmgr -v" gives output:

# efibootmgr -v
BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000,0001,0002
Boot0000* ubuntu    HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\UBUNTU\GRUBX64.EFI)
Boot0001* Windows Boot Manager  HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...d................
Boot0002* ubuntu    HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO

lcp commented 6 years ago

BootCurrent: 0000
BootOrder: 0000,0001,0002
Boot0000* ubuntu HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\UBUNTU\GRUBX64.EFI)

OK, that is why MokManager didn't show. Your system actually booted grub2 directly instead of booting through shim. Besides, it seems your system didn't really enable Secure Boot or grub2 should be blocked.

Please try "efibootmgr -o 0002,0001,0000", reboot the system and enable Secure Boot. It should work afterward.
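The two checks lcp lists above (the MokNew/MokAuth request variables and the presence of MokManager) plus the boot-order diagnosis in this comment can be scripted so that the whole chain is verified in one go. The script below is an added example, not code from the mokutil project or from anyone in this thread. It takes the efivars and EFI directories as arguments (on a live system these would be /sys/firmware/efi/efivars and /boot/efi/EFI/<distro>) and reads "efibootmgr -v" output on stdin; the parsing assumes the "BootXXXX* label HD(...)/File(\...)" layout pasted above. The SAMPLE_EFIBOOTMGR text is constructed from that paste with the trailing Windows bytes shortened, and the demo builds a throwaway directory rather than touching real efivars.

```shell
#!/bin/sh
# Added example (not part of mokutil). Verifies the three things needed for
# MokManager to appear after "mokutil --import":
#   1. a pending enrollment request exists (MokNew + MokAuth efivars)
#   2. MokManager (mmx64.efi or MokManager.efi) is installed beside shim
#   3. the entry the firmware actually booted (BootCurrent) loads shim,
#      not grub directly, because only shim hands control to MokManager

MOK_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"   # vendor GUID of the Mok* variables

# Constructed from the efibootmgr -v output pasted in the thread (Windows
# entry's trailing bytes shortened).  BootCurrent 0000 is the grub entry.
SAMPLE_EFIBOOTMGR='BootCurrent: 0000
Timeout: 2 seconds
BootOrder: 0000,0001,0002
Boot0000* ubuntu    HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\UBUNTU\GRUBX64.EFI)
Boot0001* Windows Boot Manager  HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS....
Boot0002* ubuntu    HD(1,GPT,dabc2835-8f96-4429-ba98-3abadcfcaa57,0x800,0x82000)/File(\EFI\UBUNTU\SHIMX64.EFI)'

# Check 1: $1 = efivars directory.  True when both request variables exist.
mok_request_pending() {
    [ -e "$1/MokNew-$MOK_GUID" ] && [ -e "$1/MokAuth-$MOK_GUID" ]
}

# Check 2: $1 = the distro's EFI directory.  True when MokManager is present.
mokmanager_present() {
    [ -e "$1/mmx64.efi" ] || [ -e "$1/MokManager.efi" ]
}

# Check 3: reads "efibootmgr -v" output on stdin and prints the file name
# (lower case) of the loader referenced by the BootCurrent entry.
current_boot_loader() {
    awk '
        /^BootCurrent:/ { cur = $2 }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
            id = substr($1, 5, 4)
            if (id == cur && match($0, /File\([^)]*\)/)) {
                path = substr($0, RSTART + 5, RLENGTH - 6)   # strip "File(" and ")"
                n = split(path, parts, "\\\\")               # split on backslashes
                print tolower(parts[n])
            }
        }'
}

# True when the loader that was booted is shim (shimx64.efi, shimaa64.efi, ...).
boots_through_shim() {
    case "$(current_boot_loader)" in
        shim*.efi) return 0 ;;
        *)         return 1 ;;
    esac
}

# Runs all three checks; $1 = efivars dir, $2 = distro EFI dir, stdin =
# efibootmgr -v output.  Exit status is 0 only when every check passes.
check_mok_setup() {
    rc=0
    if mok_request_pending "$1"; then echo "ok   MokNew/MokAuth request present"
    else echo "FAIL no pending MOK request in $1"; rc=1; fi
    if mokmanager_present "$2"; then echo "ok   MokManager found in $2"
    else echo "FAIL MokManager missing from $2"; rc=1; fi
    loader=$(current_boot_loader)
    case "$loader" in
        shim*.efi) echo "ok   BootCurrent loads $loader" ;;
        *) echo "FAIL BootCurrent loads '$loader', not shim (reorder with efibootmgr -o)"; rc=1 ;;
    esac
    return $rc
}

# Demo against a constructed layout (run as: sh check-mok.sh --demo).
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/MokNew-$MOK_GUID" "$tmp/MokAuth-$MOK_GUID" "$tmp/shimx64.efi" "$tmp/mmx64.efi"
    echo "--- as pasted in the thread (BootCurrent 0000 -> grub)"
    printf '%s\n' "$SAMPLE_EFIBOOTMGR" | check_mok_setup "$tmp" "$tmp" || true
    echo "--- after efibootmgr -o 0002,0001,0000 and a reboot (BootCurrent 0002 -> shim)"
    printf '%s\n' "$SAMPLE_EFIBOOTMGR" | sed 's/^BootCurrent: 0000$/BootCurrent: 0002/' \
        | check_mok_setup "$tmp" "$tmp"
    rm -rf "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The third check is the one that matters here: the request variables and mmx64.efi can be in place, yet MokManager will never run if the firmware's BootCurrent entry points at grubx64.efi, because grub is not what consults MokNew. Reordering with "efibootmgr -o" so the shim entry comes first is what makes the check pass after the next reboot.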

YerongLi commented 6 years ago

@lcp Thank you so much! And yes, this reordering fixed things.

lcp commented 6 years ago

Let's close this issue :-)