lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

Can't remove key #59

Open latot opened 1 year ago

latot commented 1 year ago

Hi all, I know there are other issues about this; sadly, they didn't work here.

I was trying to install https://github.com/lwfinger/rtw89

Then I put a password, but it was a bad/short one, so I tried to remove it, and then it started.

mokutil -l
#This will show only one key, the one I want to remove
mokutil --reset
#enter password, accepted
#reboot the pc
#Select Reset MOK in BIOS
#Accept reset MokList
#Password
#ERROR: Failed to set variable: (0XE) Not Found
#Failed to erase keys
mokutil -l #Still shows one key

Here other try:

mkdir backup
cd backup
mokutil --export
dir
> MOK-0001.der
mokutil --delete MOK-0001.der
#enter password
#reboot pc
#Select Remove MOK from bios
#Confirm deletion
#Password
#Failed to retrieve MokList
#Failed to delete keys
#restart
mokutil -l #still shows one key

I'm on Debian Bullseye 64-bit. I have tried disabling UEFI and cleaning the keys from the BIOS, but nothing works u.u.

Sorry if this is not very well written; the computer is currently without internet, and some parts are from the BIOS, so I wrote most of it by hand.

Thx!

lcp commented 1 year ago

Could you paste the result of openssl x509 -in MOK-0001.der -noout -text and efibootmgr -v?

In case you boot the system with shim.efi/shimx64.efi, the built-in certificate in shim will be exported to MokListRT. Since it's not really in MokList, there is no need to remove the certificate.

latot commented 1 year ago

Hi, I'm very new to this, so sorry if I put something very wrong. The key I try to remove accepts the same password I put, and when installing the app (rtw89) it says it is skipping the password, but I don't know if every app needs its own password or the OS has one password.

Here the data:

openssl x509 -in MOK-0001.der -noout -text
unable to load certificate
140557796488512:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001,0002,9999
Boot0000* debian    HD(1,GPT,c23212ae-fc64-4b58-bbe8-8c0e32f9fa3a,0x800,0x82000)/File(\EFI\debian\shimx64.efi)
Boot0001* Windows Boot Manager  HD(1,GPT,c23212ae-fc64-4b58-bbe8-8c0e32f9fa3a,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0002* Internal Hard Disk    PciRoot(0x0)/Pci(0x2,0x4)/Pci(0x0,0x0)/NVMe(0x1,00-A0-75-01-32-AB-AA-15)/HD(1,GPT,c23212ae-fc64-4b58-bbe8-8c0e32f9fa3a,0x800,0x82000)..BO
Boot9999* USB Drive (UEFI)  PciRoot(0x0)/Pci(0x1d,0x0)/USB(16,0)..BO
mokutil -l
[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA
        Validity
            Not Before: Aug 16 18:09:18 2016 GMT
            Not After : Aug  9 18:09:18 2046 GMT
        Subject: CN=Debian Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:https://dsa.debian.org/secure-boot-ca

            X509v3 Authority Key Identifier: 
                keyid:6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1

            Netscape Cert Type: critical
                SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
    Signature Algorithm: sha256WithRSAEncryption

Thx!

lcp commented 1 year ago

Okay, per the output of mokutil -l, the certificate is from Debian shim: Subject: CN=Debian Secure Boot CA. Since it's the built-in certificate in shimx64.efi, it's not really in MokList. Maybe I should add the FAQ in README :)
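An added example, not code from the mokutil project, that makes this distinction checkable: it parses the EFI_SIGNATURE_LIST chains of MokList and MokListRT and reports certificates that exist only in the runtime copy, which is where shim's built-in vendor certificate lands. The variable blobs are constructed inline instead of being read from /sys/firmware/efi/efivars, and the vendor certificate is a stand-in byte string, not the real Debian Secure Boot CA DER.

```python
import hashlib
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec

def parse_signature_lists(blob):
    """Yield (type, data) for each entry in a chain of EFI_SIGNATURE_LIST
    structures, the format of both MokList and MokListRT."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=bytes(blob[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        while pos + sig_size <= off + list_size:
            yield sig_type, blob[pos + 16:pos + sig_size]  # skip SignatureOwner
            pos += sig_size
        off += list_size

def x509_fingerprints(efivar_blob):
    """SHA1 fingerprints of the X.509 entries, as mokutil -l prints them.
    The first 4 bytes of an efivarfs file are the variable attributes."""
    return [hashlib.sha1(der).hexdigest()
            for t, der in parse_signature_lists(efivar_blob[4:])
            if t == EFI_CERT_X509_GUID]

def rt_only_certs(moklist_blob, moklistrt_blob):
    """Fingerprints in MokListRT but not in MokList: certificates shim exported
    from its own binary, which a MOK delete/reset request cannot remove."""
    enrolled = set(x509_fingerprints(moklist_blob))
    return [fp for fp in x509_fingerprints(moklistrt_blob) if fp not in enrolled]

def build_efivar(certs):
    """Constructed helper standing in for reading /sys/firmware/efi/efivars:
    packs DER blobs into one EFI_SIGNATURE_LIST each behind an attribute word."""
    out = struct.pack("<I", 0x7)
    for der in certs:
        out += EFI_CERT_X509_GUID.bytes_le
        out += struct.pack("<III", 28 + 16 + len(der), 0, 16 + len(der))
        out += uuid.UUID(int=0).bytes_le + der  # SignatureOwner GUID, then data
    return out

# Constructed sample: nothing was ever enrolled in MokList, while MokListRT
# carries a stand-in for the vendor certificate built into shimx64.efi.
VENDOR_CERT = b"constructed stand-in for the Debian Secure Boot CA DER"
MOKLIST = build_efivar([])
MOKLISTRT = build_efivar([VENDOR_CERT])
```

On a real system the two inputs are the MokList and MokListRT files under /sys/firmware/efi/efivars (suffixed with shim's variable GUID), and any fingerprint reported by rt_only_certs is the one mokutil --delete or --reset will fail on with Not Found.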