lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

mokutil manager utility never loads on reboot #75

Closed FredEckert closed 9 months ago

FredEckert commented 9 months ago

Hi:

As a new user of MOK, I attempted to set up without proper research. I started following this post: https://superuser.com/a/1513506

When the MOK management screen appeared, I decided I had better research this more before I enroll this key. So, I chose "Continue boot" instead of "Enroll MOK". This caused me to be unable to boot the Linux side of my dual boot.

After days of research, I found this post: https://github.com/linux-surface/linux-surface/discussions/1256#discussioncomment-7145112

This allowed me to re-enable Linux boot.

I am now following this official instruction: https://github.com/linux-surface/linux-surface/wiki/Secure-Boot#using-the-provided-secure-boot-certificate

After several more days of research and trial and error, I cannot figure out how to re-enable the mokutil manager so that it displays upon the addition of a new key.

Can anyone help me figure out what happened?

Details:

fred@surface:~$  efibootmgr -v
BootCurrent: 0005
Timeout: 0 seconds
BootOrder: 0005,0004,0001,0000,0002
Boot0000* Internal Storage  FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)SDD.
Boot0001* USB Storage   FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)USB.
Boot0002* PXE Network   FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)PXE.
Boot0003* SurfaceFrontPage  FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(4042708a-0f2d-4823-ac60-0d77b3111889)
Boot0004* Windows Boot Manager  HD(1,GPT,a4a42fc0-6009-46e0-baab-d62828287113,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0005* debian    HD(1,GPT,a4a42fc0-6009-46e0-baab-d62828287113,0x800,0x82000)/File(\EFI\debian\shimx64.efi)
fred@surface:~$ 

***
fred@surface:~$ hexdump -C /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000  06 00 00 00 01                                    |.....|
00000005

***
fred@surface:~$ hexdump -C /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c
00000000  06 00 00 00 00                                    |.....|
00000005
fred@surface:~$ 

***
fred@surface:~$ mokutil --sb-state 
SecureBoot enabled

***
root@surface:~# apt install linux-surface-secureboot-mok
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  linux-surface-secureboot-mok
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 5,616 B of archives.
After this operation, 18.4 kB of additional disk space will be used.
Get:1 https://pkg.surfacelinux.com/debian release/main amd64 linux-surface-secureboot-mok amd64 20231003-1 [5,616 B]
Fetched 5,616 B in 2s (3,179 B/s)                        
Selecting previously unselected package linux-surface-secureboot-mok.
(Reading database ... 109345 files and directories currently installed.)
Preparing to unpack .../linux-surface-secureboot-mok_20231003-1_amd64.deb ...
Unpacking linux-surface-secureboot-mok (20231003-1) ...
Setting up linux-surface-secureboot-mok (20231003-1) ...

The secure-boot certificate has been installed to

    /usr/share/linux-surface-secureboot/surface.cer

It will now be automatically enrolled for you and guarded with the password

    surface

To finish the enrollment process you need to reboot, where you will then be
asked to enroll the certificate. During the import, you will be prompted for
the password mentioned above. Please make sure that you are indeed adding
the right key and confirm by entering 'surface'.

Note that you can always manage your secure-boot keys, including the one
just enrolled, from inside Linux via the 'mokutil' tool.

***
ls -l /sys/firmware/efi/efivars/Mok*
/sys/firmware/efi/efivars/MokAuth-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokNew-605dab50-e046-4300-abb6-3dd810dd8b23
/sys/firmware/efi/efivars/MokSB-605dab50-e046-4300-abb6-3dd810dd8b23

***
root@surface:~# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 53:61:0c:f8:1f:bd:7e:0c:eb:67:91:3c:9e:f3:e7:94:a9:63:3e:cb
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ed:54:a1:d5:af:87:48:94:8d:9f:89:32:ee:9c:7c:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Debian Secure Boot CA
        Validity
            Not Before: Aug 16 18:09:18 2016 GMT
            Not After : Aug  9 18:09:18 2046 GMT
        Subject: CN=Debian Secure Boot CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:https://dsa.debian.org/secure-boot-ca
            X509v3 Authority Key Identifier: 
                6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
            Netscape Cert Type: critical
                SSL Client, SSL Server, S/MIME, Object Signing, SSL CA, S/MIME CA, Object Signing CA
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                6C:CE:CE:7E:4C:6C:0D:1F:61:49:F3:DD:27:DF:CC:5C:BB:41:9E:A1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

***
root@surface:~# mokutil --list-new
[key 1]
SHA1 Fingerprint: 05:f6:aa:10:9c:1c:62:67:1e:75:bd:75:d3:d0:51:47:20:63:c0:81
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:3e:21:a6:6d:1a:2a:a6:84:02:e2:07:2d:af:4e:41:93:6a:23:3e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=XX, L=Default City, O=Default Company Ltd, CN=linux-surface
        Validity
            Not Before: Jan 20 21:08:24 2020 GMT
            Not After : Jan 17 21:08:24 2030 GMT
        Subject: C=XX, L=Default City, O=Default Company Ltd, CN=linux-surface
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                24:EF:5C:44:44:99:BA:0A:A6:F2:A8:BE:A4:25:8F:06:5F:EA:4E:C6
            X509v3 Authority Key Identifier: 
                24:EF:5C:44:44:99:BA:0A:A6:F2:A8:BE:A4:25:8F:06:5F:EA:4E:C6
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

dmpstore

Previewing this post, I see the new key is 4096-bit; I seem to recall reading something about only using 2048-bit keys.

FredEckert commented 9 months ago

It turns out that this is not a mokutil issue. It is a Linux distro issue. Please see https://github.com/linux-surface/linux-surface/issues/1274 for details.