As a new user of MOK, I attempted to set up without proper research. I started following this post: https://superuser.com/a/1513506
When the MOK management screen appeared, I decided I had better research this more before I enrolled this key. So, I chose "Continue boot" instead of "Enroll MOK". This caused me to be unable to boot the Linux side of my dual boot.
After several more days of research and trial and error, I cannot figure out how to re-enable the mokutil manager so that it displays upon the addition of a new key.
Can anyone help me figure out what happened?
Details:
fred@surface:~$ efibootmgr -v
BootCurrent: 0005
Timeout: 0 seconds
BootOrder: 0005,0004,0001,0000,0002
Boot0000* Internal Storage FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)SDD.
Boot0001* USB Storage FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)USB.
Boot0002* PXE Network FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)PXE.
Boot0003* SurfaceFrontPage FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(4042708a-0f2d-4823-ac60-0d77b3111889)
Boot0004* Windows Boot Manager HD(1,GPT,a4a42fc0-6009-46e0-baab-d62828287113,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0005* debian HD(1,GPT,a4a42fc0-6009-46e0-baab-d62828287113,0x800,0x82000)/File(\EFI\debian\shimx64.efi)
fred@surface:~$
***
fred@surface:~$ hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000 06 00 00 00 01 |.....|
00000005
***
fred@surface:~$ hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000 06 00 00 00 00 |.....|
00000005
fred@surface:~$
***
fred@surface:~$ mokutil --sb-state
SecureBoot enabled
***
root@surface:~# apt install linux-surface-secureboot-mok
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
linux-surface-secureboot-mok
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,616 B of archives.
After this operation, 18.4 kB of additional disk space will be used.
Get:1 https://pkg.surfacelinux.com/debian release/main amd64 linux-surface-secureboot-mok amd64 20231003-1 [5,616 B]
Fetched 5,616 B in 2s (3,179 B/s)
Selecting previously unselected package linux-surface-secureboot-mok.
(Reading database ... 109345 files and directories currently installed.)
Preparing to unpack .../linux-surface-secureboot-mok_20231003-1_amd64.deb ...
Unpacking linux-surface-secureboot-mok (20231003-1) ...
Setting up linux-surface-secureboot-mok (20231003-1) ...
The secure-boot certificate has been installed to
/usr/share/linux-surface-secureboot/surface.cer
It will now be automatically enrolled for you and guarded with the password
surface
To finish the enrollment process you need to reboot, where you will then be
asked to enroll the certificate. During the import, you will be prompted for
the password mentioned above. Please make sure that you are indeed adding
the right key and confirm by entering 'surface'.
Note that you can always manage your secure-boot keys, including the one
just enrolled, from inside Linux via the 'mokutil' tool.
***
ls -l /sys/firmware/efi/efivars/Mok*
/sys/firmware/efi/efivars/MokAuth-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokNew-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokSB-605dab50-e046-4300-abb6-3dd810dd8b23
***
root@surface:~# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Debian Secure Boot CA
Validity
Not Before: Aug 16 18:09:18 2016 GMT
Not After : Aug 9 18:09:18 2046 GMT
Subject: CN=Debian Secure Boot CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:9d:95:d4:8b:9b:da:10:ac:2e:ca:82:37:c1:a4:
cb:4a:c3:1b:42:93:c2:7a:29:d3:6e:dd:64:af:80:
af:ea:66:a2:1b:61:9c:83:0c:c5:6b:b9:35:25:ff:
c5:fb:e8:29:43:de:ce:4b:3d:c6:12:4d:b1:ef:26:
43:95:68:cd:04:11:fe:c2:24:9b:de:14:d8:86:51:
e8:38:43:bd:b1:9a:15:e5:08:6b:f8:54:50:8b:b3:
4b:5f:fc:14:e4:35:50:7c:0b:b1:e2:03:84:a8:36:
48:e4:80:e8:ea:9f:fa:bf:c5:18:7b:5e:ce:1c:be:
2c:80:78:49:35:15:c0:21:cf:ef:66:d5:8a:96:08:
2b:66:2f:48:17:b1:e7:ec:82:8f:07:e6:ca:e0:5f:
71:24:39:50:0a:8e:d1:72:28:50:a5:9d:21:f4:e3:
61:ba:09:03:66:c8:df:4e:26:36:0b:15:0f:63:1f:
2b:af:ab:c4:28:a2:56:64:85:8d:a6:55:41:ae:3c:
88:95:dd:d0:6d:d9:29:db:d8:c4:68:b5:fc:f4:57:
89:6b:14:db:e0:ef:ee:40:0d:62:1f:ea:58:d4:a3:
d8:ba:03:a6:97:2e:c5:6b:13:a4:91:77:a6:b5:ad:
23:a7:eb:0a:49:14:46:7c:76:e9:9e:32:b4:89:af:
57:79
Exponent: 65537 (0x10001)
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:https://dsa.debian.org/secure-boot-ca
X509v3 Authority Key Identifier:
6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
Netscape Cert Type: critical
SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
X509v3 Extended Key Usage:
Code Signing
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
77:96:3e:47:c9:ce:09:cf:8b:89:ce:59:ed:26:0e:26:0b:b9:
ad:a9:2b:bd:a1:eb:88:79:02:ff:31:de:fe:f5:6a:07:ef:61:
13:11:70:1e:bf:9c:4e:66:6c:e1:62:12:97:01:57:65:47:dd:
4a:c6:f7:f4:de:a8:f1:13:62:cc:83:57:ac:3c:a6:91:15:af:
55:26:72:69:2e:14:cd:dd:4d:b3:d1:60:24:2d:32:4f:19:6c:
11:5e:f2:a3:f2:a1:5f:62:0f:30:ae:ad:f1:48:66:64:7d:36:
44:0d:06:34:3d:2e:af:8e:9d:c3:ad:c2:91:d8:37:e0:ee:7a:
5f:82:3b:67:8e:00:8a:c4:a4:df:35:16:c2:72:2b:4c:51:d7:
93:93:9e:ba:08:0d:59:97:f2:e2:29:a0:44:4d:ea:ee:f8:3e:
02:60:ca:15:cf:4e:9a:25:91:84:3f:b7:5a:c7:ee:bc:6b:80:
a3:d9:fd:b2:6d:7a:1e:63:14:eb:ef:f1:b0:40:25:d5:e8:0e:
81:eb:6b:f7:cb:ff:e5:21:00:22:2c:2e:9a:35:60:12:4b:5b:
5f:38:46:84:0c:06:9c:cf:72:93:62:18:ee:5c:98:d6:b3:7d:
06:25:39:95:df:4e:60:76:b0:06:7b:08:b0:6e:e3:64:9f:21:
56:ad:39:0f
***
root@surface:~# mokutil --list-new
[key 1]
SHA1 Fingerprint: 05:f6:aa:10:9c:1c:62:67:1e:75:bd:75:d3:d0:51:47:20:63:c0:81
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
43:3e:21:a6:6d:1a:2a:a6:84:02:e2:07:2d:af:4e:41:93:6a:23:3e
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=XX, L=Default City, O=Default Company Ltd, CN=linux-surface
Validity
Not Before: Jan 20 21:08:24 2020 GMT
Not After : Jan 17 21:08:24 2030 GMT
Subject: C=XX, L=Default City, O=Default Company Ltd, CN=linux-surface
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:ae:18:1a:4e:2a:a3:0e:0b:17:f9:6d:f7:e2:46:
ae:99:53:18:cd:fa:f1:8d:db:e1:11:2e:c7:dc:69:
3d:c5:23:4d:99:0e:ef:18:78:d1:77:e8:ec:6a:41:
50:03:f9:ad:ab:21:69:23:0e:4f:80:7d:7d:47:69:
06:52:83:8f:06:dd:f9:18:4f:5f:e4:72:f5:f6:d1:
9d:bf:dd:e1:89:19:9b:b8:8a:65:86:67:0c:55:bd:
92:00:a6:98:fd:70:b8:33:eb:6a:40:d2:38:b5:80:
e4:90:d7:2b:dc:9b:92:c8:e1:65:f9:9c:eb:5f:64:
80:70:89:3b:96:3c:20:d2:3b:32:ab:90:9b:51:7c:
b1:2e:be:b5:99:c1:1b:e0:41:c1:cc:6d:81:20:07:
ca:51:08:27:9d:9b:e7:57:66:7a:fe:55:7a:20:1a:
71:e2:7b:52:af:9b:f0:9b:83:4a:e5:6b:8d:73:94:
59:be:dd:e8:41:a9:ff:73:81:bd:d4:96:13:71:84:
a5:03:26:03:20:a9:78:c6:a0:0c:cb:d1:5f:c6:02:
9e:61:b1:c1:dc:b2:55:57:20:8c:fa:c6:4a:7f:d7:
59:96:02:26:c7:ce:46:e6:15:e5:fc:31:f4:bc:6d:
e6:1c:b2:23:b7:a0:39:5b:bb:bb:b4:dc:68:74:6c:
28:7c:96:3c:8c:df:53:90:e8:18:16:a3:40:97:4b:
21:2a:d8:c9:9a:9f:52:f0:33:f5:a2:e7:d3:aa:2a:
36:86:42:de:42:d7:70:68:a5:27:cb:ab:18:25:4f:
71:40:2d:1e:31:7e:f9:97:fc:31:66:94:33:31:93:
39:0a:d5:5d:46:9d:2d:b7:92:e8:a8:36:fa:e0:a7:
65:0a:fa:cf:e5:3f:5e:cf:ef:be:19:4b:6a:05:d2:
72:ba:b0:76:93:b0:e6:23:a1:a6:1d:25:05:a1:d1:
6c:5d:b8:29:c8:dd:20:38:e4:f4:da:61:3a:11:91:
23:f9:12:e3:76:d3:b6:a4:65:75:6e:6c:b6:bf:bc:
e1:bf:5e:6b:f7:43:25:95:60:e1:fd:b2:28:75:71:
8f:12:85:65:31:5a:4c:fa:e0:28:06:77:90:cf:96:
c7:4b:df:6f:4b:50:a7:c7:e2:1e:c7:89:0d:52:01:
25:0c:d5:8d:07:e4:1e:03:74:30:ef:85:4f:64:85:
cc:a5:24:7a:59:41:17:07:cd:5a:cf:47:1a:3e:b1:
14:59:5b:71:c0:de:52:39:d5:cf:e1:13:04:61:94:
9d:1f:7a:13:d1:56:46:f5:c6:aa:31:41:2e:b2:fb:
18:aa:a5:a5:68:c5:bb:b5:3f:01:af:fa:df:c9:52:
92:d0:3b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
24:EF:5C:44:44:99:BA:0A:A6:F2:A8:BE:A4:25:8F:06:5F:EA:4E:C6
X509v3 Authority Key Identifier:
24:EF:5C:44:44:99:BA:0A:A6:F2:A8:BE:A4:25:8F:06:5F:EA:4E:C6
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
83:ed:ff:6e:04:d0:8c:f9:20:9d:e5:6a:2e:83:17:b6:c2:ef:
22:4d:db:61:2a:a5:22:4b:6c:86:68:9c:a3:5d:76:c7:7f:88:
69:ab:37:d9:fc:ef:d9:2c:99:49:ea:e8:c9:31:68:19:7d:11:
61:7a:b3:bf:7a:15:7d:7a:7d:6f:4c:a5:ed:82:c5:8d:b6:1b:
a9:2e:99:0c:f5:a5:c5:94:95:ac:9c:4d:ba:9e:f4:23:59:de:
34:2c:5a:c3:39:04:41:39:0d:ec:89:ee:5a:e5:ec:8d:c6:b0:
02:fe:6f:67:9d:a2:23:a2:3a:2b:6d:5a:7d:c1:53:43:b2:f7:
bf:5e:79:ee:5e:84:e3:e8:3a:d6:8d:e4:01:20:51:70:e0:36:
1a:76:dd:8a:8a:c4:c9:40:38:42:97:61:b4:bc:1d:68:a4:9a:
98:47:92:fc:79:41:14:c7:48:83:1b:17:a0:e0:49:ac:f1:13:
40:3e:27:11:f9:65:52:b5:1f:9d:4a:2a:8e:c4:c1:52:3a:f3:
80:1a:fa:81:3a:00:f5:15:e7:66:79:28:49:e4:f2:9c:49:24:
06:49:05:91:4f:2a:08:38:5e:a8:a0:dd:ae:5f:c8:ce:09:43:
81:04:c8:f0:1d:98:3c:c3:ed:24:b8:93:b6:9e:d9:32:c2:38:
eb:38:a8:e7:06:57:27:fb:28:41:96:58:cd:d0:0c:55:ee:42:
8e:4f:49:0d:7a:fa:b9:f6:31:18:48:df:bd:61:4d:6c:f2:1b:
30:46:57:1e:b5:c3:24:60:e3:5b:66:a9:e0:19:1c:c6:8b:b2:
e3:7c:06:eb:40:14:37:2b:0b:8f:ba:db:b5:f5:34:f8:8e:67:
11:0f:d9:21:ad:75:1c:b2:52:5c:51:b9:dc:a9:28:ff:01:ed:
e8:ea:7b:5b:5f:ea:e0:b9:5c:8d:9e:39:bc:6a:97:ba:25:bd:
6a:f3:f8:c0:b8:a5:f5:f8:c2:cd:f8:e5:e3:4c:f0:eb:ea:a0:
37:0b:20:29:98:56:6a:81:af:ab:5b:5d:eb:a4:46:65:86:67:
ca:85:b3:d6:85:e0:b3:4e:00:c5:30:f8:f0:d8:7e:79:ea:24:
65:8b:a5:be:31:08:85:3c:e8:1d:ed:35:e8:08:37:cc:47:c6:
0e:de:a8:dd:a4:9e:fd:6a:0b:0d:bb:f7:60:0c:ca:b0:3d:69:
11:02:29:56:14:74:74:dc:d2:34:2c:ef:c8:d5:df:67:61:c0:
94:80:ff:fc:4d:e8:6e:87:41:e0:4b:06:e9:c5:f8:31:31:3d:
9a:00:31:bc:48:47:f8:bc:e3:cc:84:aa:32:b6:9c:77:c0:14:
40:3a:de:4a:46:cc:d6:96
Previewing this post, I see the new key is 4096-bit; I seem to recall reading something about only using 2048-bit keys.
After days of research, I found this post: https://github.com/linux-surface/linux-surface/discussions/1256#discussioncomment-7145112
This allowed me to re-enable Linux boot.
I am now following this official instruction: https://github.com/linux-surface/linux-surface/wiki/Secure-Boot#using-the-provided-secure-boot-certificate
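A practical check for the state shown in the outputs above, as an added example that is not part of the original post and not code from the linux-surface project: it reads the same efivarfs files (each file carries a 4-byte attribute word before the payload, which is why `SecureBoot` hexdumps as `06 00 00 00 01`), parses the `MokNew` variable as a sequence of UEFI `EFI_SIGNATURE_LIST` structures, and prints the SHA1 fingerprints of the queued X.509 entries in the same form `mokutil --list-new` uses, so they can be compared against the fingerprint of `/usr/share/linux-surface-secureboot/surface.cer`. The paths and GUIDs are taken from the post; `build_signature_lists` exists only to construct sample input for offline testing and is not something the firmware or mokutil exposes.

```python
"""Inspect efivarfs Secure Boot state and the pending MOK enrollment request (MokNew)."""
import hashlib
import struct
import uuid
from pathlib import Path

# Paths and GUIDs as they appear in the post's efibootmgr/hexdump/ls output.
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"
SURFACE_CER = Path("/usr/share/linux-surface-secureboot/surface.cer")
# UEFI spec: SignatureType GUID for DER X.509 entries in an EFI_SIGNATURE_LIST.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# UEFI variable attribute bits (the first 4 bytes of every efivarfs file).
ATTR_BITS = {0x1: "NON_VOLATILE", 0x2: "BOOTSERVICE_ACCESS", 0x4: "RUNTIME_ACCESS"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIG_LIST_HDR = struct.Struct("<16sIII")


def split_efivar(raw: bytes):
    """efivarfs prefixes the variable payload with a little-endian UINT32 of attributes."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def attr_names(attrs: int):
    return [name for bit, name in sorted(ATTR_BITS.items()) if attrs & bit]


def parse_signature_lists(data: bytes):
    """Walk a concatenation of EFI_SIGNATURE_LISTs; return (type, owner, payload) tuples."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < SIG_LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_le, list_size, hdr_size, sig_size = SIG_LIST_HDR.unpack_from(data, off)
        sig_type = uuid.UUID(bytes_le=type_le)
        body_start = off + SIG_LIST_HDR.size + hdr_size
        body_end = off + list_size
        if list_size < SIG_LIST_HDR.size + hdr_size or body_end > len(data):
            raise ValueError("SignatureListSize runs past the variable data")
        if sig_size <= 16 or (body_end - body_start) % sig_size:
            raise ValueError("SignatureSize does not tile the list body")
        for i in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[i:i + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            entries.append((sig_type, owner, data[i + 16:i + sig_size]))
        off = body_end
    return entries


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated lowercase hex, the form mokutil prints as 'SHA1 Fingerprint'."""
    return ":".join(f"{b:02x}" for b in hashlib.sha1(der).digest())


def x509_fingerprints(raw_efivar: bytes):
    """Fingerprints of every X.509 entry in a raw MokNew/MokListRT efivarfs file."""
    _, data = split_efivar(raw_efivar)
    return [sha1_fingerprint(sig) for typ, _, sig in parse_signature_lists(data)
            if typ == EFI_CERT_X509_GUID]


def build_signature_lists(certs, owner=uuid.UUID(int=0)):
    """Constructed sample input: one EFI_SIGNATURE_LIST per cert, valid whatever the cert sizes."""
    out = b""
    for cert in certs:
        body = owner.bytes_le + cert
        out += SIG_LIST_HDR.pack(EFI_CERT_X509_GUID.bytes_le,
                                 SIG_LIST_HDR.size + len(body), 0, len(body)) + body
    return out


def report(efivars: Path = EFIVARS, cer: Path = SURFACE_CER):
    """Live check: Secure Boot bits, whether a MokNew request is queued, and whether it matches the .cer."""
    out = {}
    for name in ("SecureBoot", "SetupMode"):
        var = efivars / f"{name}-{EFI_GLOBAL_GUID}"
        if var.exists():
            attrs, data = split_efivar(var.read_bytes())
            out[name] = (attr_names(attrs), data[0] if data else None)
    mok_new = efivars / f"MokNew-{SHIM_LOCK_GUID}"
    mok_auth = efivars / f"MokAuth-{SHIM_LOCK_GUID}"
    out["request_queued"] = mok_new.exists() and mok_auth.exists()
    out["pending"] = x509_fingerprints(mok_new.read_bytes()) if mok_new.exists() else []
    out["package_cert"] = sha1_fingerprint(cer.read_bytes()) if cer.exists() else None
    out["matches_package"] = out["package_cert"] in out["pending"]
    return out


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it as root on the affected machine; `request_queued` being true with `matches_package` true is the state in which the next boot through `shimx64.efi` should present the enrollment prompt, and a fingerprint that does not match the `.cer` is the case where the "Enroll MOK" dialog should be declined.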