lcp / mokutil

The utility to manipulate machine owner keys
GNU General Public License v3.0

mokutil is failing for almost all options #87

Open PapaletaProfesional opened 1 month ago

PapaletaProfesional commented 1 month ago

Only some options work, like --sb-state or --list-enrolled.

Sample results:

--reset
Failed to write MokAuth
Failed to issue a reset request

--password
input password:
input password again:
Failed to write MokPW: Invalid argument

--import MOK.der
input password:
input password again:
Failed to enroll new keys

Does anyone have any suggestions on what I'm doing wrong?

I have Secure Boot enabled correctly and it works but I can't use mokutil well.

I have an HP ENVY 700-310ns:

Intel i7-4790
16GB DDR3
500GB SSD
NVIDIA GeForce GTX 1050 Ti

lcp commented 1 month ago

--reset, --password, and --import require root privilege to create the UEFI variables. As for --list-enrolled, UEFI shim should at least copy the built-in certificate to MokListRT, and I wonder why your shim didn't do so.

PapaletaProfesional commented 1 month ago

I'm running the commands as the root user but it's still the same. The --list-enrolled option works fine and lists the enrolled MOK keys. I don't know why I wrote that it didn't work for me. Also, the option --sb-state works well.

lcp commented 1 month ago

Sounds like you have a problem writing EFI variables into /sys/firmware/efi/efivars.

Could you try the following commands and see if you can create a testing EFI variable (MokTest)?

# echo -n "test" > test.data
# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest

The expected result:

# efivar -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
GUID: 605dab50-e046-4300-abb6-3dd810dd8b23
Name: "MokTest"
Attributes:
        Non-Volatile
        Boot Service Access
        Runtime Service Access
Value:
00000000  74 65 73 74                                       |test            |

The variable can be removed with the following commands:

# chattr -i /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
# rm /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23

PapaletaProfesional commented 1 month ago

# efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
  efivar: Permission denied
# sudo efivar -f test.data -w -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
  efivar: Invalid argument
# efivar -n 605dab50-e046-4300-abb6-3dd810dd8b23-MokTest
  GUID: 605dab50-e046-4300-abb6-3dd810dd8b23
  Name: "MokTest"
  Attributes:
  Value:

It appears in /sys/firmware/efi/efivars:

ls | grep MokTest
MokTest-605dab50-e046-4300-abb6-3dd810dd8b23

And I can't delete it:

# chattr -i /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23

# rm /sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23
  rm: no se puede borrar '/sys/firmware/efi/efivars/MokTest-605dab50-e046-4300-abb6-3dd810dd8b23': Argumento inválido

# ls | grep MokTest
  MokTest-605dab50-e046-4300-abb6-3dd810dd8b23

I don't know if the variable already existed or not, but it seems that the command to create it failed, and it still appears in /sys/firmware/efi/efivars.
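
An added example, not part of the thread or of mokutil: a shell check that reads an efivarfs entry directly and reports whether it holds the 4-byte attribute word plus data that lcp's expected result shows, or holds fewer than four bytes and so has no attributes or data (assumed here to be what an empty Attributes/Value listing corresponds to). The function names, the directory parameter and the fixture variables MokEmpty and MokNone are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. An efivarfs file is named
# <Name>-<GUID>; its content is a 4-byte little-endian attribute word
# followed by the variable data.

# Translate the attribute word into the names efivar prints.
efi_attr_names() (
    attrs=$1; out=""
    [ $((attrs & 1)) -ne 0 ] && out="${out}Non-Volatile,"
    [ $((attrs & 2)) -ne 0 ] && out="${out}Boot Service Access,"
    [ $((attrs & 4)) -ne 0 ] && out="${out}Runtime Service Access,"
    printf '%s' "${out%,}"
)

# efi_var_state DIR NAME-GUID
# Prints "missing", "empty size=N" or "ok attrs=... data_bytes=N" and
# returns 1, 2 or 0. DIR is a parameter (an assumption of this example)
# so a fixture can stand in for /sys/firmware/efi/efivars.
efi_var_state() (
    path="$1/$2"
    # The body is a subshell, so exit sets the function's status.
    [ -e "$path" ] || { echo "missing"; exit 1; }
    size=$(wc -c < "$path")
    size=$((size + 0))
    # Under 4 bytes there is no attribute word, hence no variable data.
    [ "$size" -ge 4 ] || { echo "empty size=$size"; exit 2; }
    set -- $(od -An -tu1 -N4 "$path")
    attrs=$(($1 | $2 << 8 | $3 << 16 | $4 << 24))
    printf 'ok attrs=0x%x [%s] data_bytes=%d\n' \
        "$attrs" "$(efi_attr_names "$attrs")" "$((size - 4))"
)

# Constructed fixture: MokTest as lcp's test should leave it (0x7 +
# "test"), MokEmpty as a zero-length entry, MokNone absent.
demo() {
    guid=605dab50-e046-4300-abb6-3dd810dd8b23
    d=$(mktemp -d)
    printf '\007\000\000\000test' > "$d/MokTest-$guid"
    : > "$d/MokEmpty-$guid"
    for v in MokTest MokEmpty MokNone; do
        efi_var_state "$d" "$v-$guid" || true
    done
    rm -rf "$d"
}
demo
```

On a real system the same function is called as efi_var_state /sys/firmware/efi/efivars MokTest-605dab50-e046-4300-abb6-3dd810dd8b23, run as root.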

lcp commented 1 month ago

It's beyond the scope of mokutil. Either the kernel or the firmware caused the error.

PapaletaProfesional commented 1 month ago

I guess this problem doesn't have a solution, but thanks for trying to help me! :)