lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0
70 stars 38 forks source link

Cannot remove keys from Mokutil #32

Closed johnnyjacq16 closed 3 years ago

johnnyjacq16 commented 4 years ago

When I run the command mokutil --list-enroll , then mokutil --reset and reboot to remove the key from MokManager upon boot I get the error shown below: ERROR "Failed to set variable: (0xE) Not Found"

After fully booting up the keys have not been removed.

lcp commented 4 years ago

Did "mokutil -l" list only one key? If so, it's the key embedded in shim binary and mirrored to MokListRT, so it cannot be removed.

smudgered commented 3 years ago

variation of the problem. I don't want to reset and lose all my keys, mostly generated by openSUSE. But I've noticed that I have a stuck key that mokutil is unable to delete generating message Failed to get file status sudo mokutil --delete MOK-0006.der Failed to get file status, MOK-0006.der sudo mokutil --list-delete MokDel is empty Its not a big deal at the moment.But if I have to reinstall, it could become a nuisance. That particular key didn't work due to lack of extended signing,which is now required by suse. But i don't think that is the reason as when I forgot before it was no problem to delete the obsolete key.

lcp commented 3 years ago

variation of the problem. I don't want to reset and lose all my keys, mostly generated by openSUSE. But I've noticed that I have a stuck key that mokutil is unable to delete generating message Failed to get file status sudo mokutil --delete MOK-0006.der Failed to get file status, MOK-0006.der sudo mokutil --list-delete MokDel is empty

It seems mokutil failed to read the file. Could you post the output of "ls -l MOK-0006.der"?

Its not a big deal at the moment.But if I have to reinstall, it could become a nuisance. That particular key didn't work due to lack of extended signing,which is now required by suse. But i don't think that is the reason as when I forgot before it was no problem to delete the obsolete key.

smudgered commented 3 years ago

It worked this time. I didn't expect that. Once more, having deleted the old ones, I exported the der files (which I assumed, I think now erroneously, was like exporting a log or txt file). And ran the ls -l command. Then just to triple check I ran the --delete command and it worked suddenly.

xxx@localhost:~> sudo mokutil --export
[sudo] password for root: 
xxx@localhost:~> ls -l MOK*
-rw-r--r-- 1 root root 1177 Feb 26 11:52 MOK-0004.der
-rw-r--r-- 1 root root  890 Feb 26 11:52 MOK-0005.der
-rw-r--r-- 1 root root  777 Feb 26 11:52 MOK-0006.der
-rw-r--r-- 1 root root  798 Feb 26 11:52 MOK-0007.der
-rw-r--r-- 1 root root 1144 Feb 26 11:52 MOK-0008.der
xxx@localhost:~> sudo mokutil --delete MOK-0006.der
input password: 
input password again: 
 xxx@localhost:~> 

Here is what I think. It may not be well advertised/documented, or else I just missed it, but maybe you need to export the der files and run the command from within the directory in which the der files have been exported to (almost certainly user's home dir).

The der file(s) that is exported seems to provide a necessary reference for mokutil to delete what it needs to delete elsewhere. Exporting is not just for checking/confirming as one might intuitively suppose unless informed otherwise.

Another process is running so I haven't rebooted yet, but I imagine I will get the MOK blue screen options ok when I do.

Thanks for getting back so quickly. I hope this helps.

lcp commented 3 years ago

Good to know that mokutil works for you now :)

I should find some time to overhaul the document...