lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

reset doesn't seem to work #13

Open ZeroChaos- opened 6 years ago

ZeroChaos- commented 6 years ago

if I --list-enrolled and then --reset and --list-enrolled again, all the hashes I've added are still there. Not being certain how this all works, I reboot and check --list-enrolled again and all the sha256 hashes are still there. Am I doing this wrong, or is this feature broken?

lcp commented 6 years ago

Did MokManager show up to ask for cleaning Mok?

ZeroChaos- commented 6 years ago

secboot ~ # mokutil --reset
input password: 
input password again: 
Failed to write MokAuth
Failed to issue a reset request
secboot ~ # mount -o rw,remount /sys/firmware/efi/efivars/
secboot ~ # mokutil --reset
input password: 
input password again: 
secboot ~ #

ZeroChaos- commented 6 years ago

nothing changed during boot after that

ZeroChaos- commented 6 years ago

It may be important to note that I'm using mokutil from 20170404 git, and mmx64.efi is version 15-5 from fedora here: https://koji.fedoraproject.org/koji/buildinfo?buildID=1079378

lcp commented 6 years ago

If /sys/firmware/efi/efivars/MokAuth-* existed after "mokutil --reset", then mokutil already did its job. I wonder why MokManager didn't show during the next boot.

Could you check "efibootmgr -v" and see if shim.efi is in the default boot option?

ZeroChaos- commented 6 years ago

shim is the default boot option, I have secure boot required and nothing but shim is signed so I can't really mess that one up ;-)

lcp commented 6 years ago

Then this is probably an issue in shim. Please report the issue to https://github.com/rhboot/shim

khimaros commented 4 years ago

Intuitively, I would expect mokutil --reset to remove all of the Mok* EFI vars. Is there another flag for this? Any system (e.g. the Debian Buster live CD) shipped with shim but without mmx64.efi will fail to load.

lcp commented 3 years ago

Sorry for the late reply. In the beginning, there were only MokNew and MokAuth for MokList, so "--reset" is designed for MokList. Over time, more Mok vars were added, and it's not good to change the option now :( The problem you had is caused by the changes in shim. I remember the older shim could skip the loading of MokManager if it doesn't exist.