Open PapaletaProfesional opened 1 month ago
--reset
, --password
, and --import
require root privilege to create the UEFI variables. As for --list-enrolled
, UEFI shim should at least copies the built-in certificate to MokListRT, and I wonder why your shim didn't do so.
I'm running the commands as root user but it's still the same. The --list-enrolled option works fine and lists the enrolled MOK keys. I don't know why I wrote that it didn't work for me. Also, the option --sb-state works well.
Sounds like you have problem to write EFI variables into /sys/firmware/efi/efivars
.
Could you try the following commands and see if you can create a testing EFI variable (MokTest)?
# echo -n "test" > test.data
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
The expected result:
# efivar -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
GUID: 605dab50-e046-4300-abb6-3dd810dd8b23
Name: "MokTest"
Attributes:
Non-Volatile
Boot Service Access
Runtime Service Access
Value:
00000000 74 65 73 74 |test |
The variable can be removed with the following commands:
# chattr -i /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
# rm /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
efivar: Permission denied
# sudo efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
efivar: Invalid argument
# efivar -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
GUID: 605dab50-e046-4300-abb6-3dd810dd8b23
Name: "MokTest"
Attributes:
Value:
It appears in /sys/firmware/efi/efivars:
ls | grep MokTest
MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
And I can't delete it:
# chattr -i /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
# rm /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
rm: no se puede borrar '/sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23': Argumento
inválido
# ls | grep MokTest
MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
I don't know if the variable already existed or not, but it seems that the command to create it failed, and it still appears in /sys/firmware/efi/efivars.
It's beyond the scope of mokutil. Either the kernel or the firmware caused the error.
I guess this problem doesn't have a solution, but thanks for trying help me! :)
Only some options work like --sb-state or --list-enrolled
Sample results:
Does anyone have any suggestions on what I'm doing wrong?
I have Secure Boot enabled correctly and it works but I can't use mokutil well.
I have a HP ENVY 700-310ns: