tuxedocomputers / Tuxedo-Linux-Kernel-Self-Signed-Certificate


Provided command to import key does not work. Instructions not very clear. #1

Closed Fuzzillogic closed 9 months ago

Fuzzillogic commented 2 years ago

The provided command $ sudo mokutil --import TUXEDO\ Computers\ GmbH\ Secure\ Boot\ Signing.crt --timeout -1 does not work as such; mokutil then simply shows the help page. It seems mokutil only accepts one command per invocation. Thus, I split the command into two: $ sudo mokutil --import TUXEDO\ Computers\ GmbH\ Secure\ Boot\ Signing.crt and $ sudo mokutil --timeout -1. I use Kubuntu 22.04 (updated from 20.04, which was installed via WebFAI).

Also, the instruction "Use the menu to verify the imported key" is not very clear. I had to guess what I had to do to proceed. And finally, typo: "Repead" → "Repeat".

marekoid commented 1 year ago

I experienced the same issue with the command and moreover the steps don't work for me as MOKManager is not launching after the restart.

I'm not sure about the step:

Make sure shim is installed and you have booted from it

In BIOS the only option that seems relevant is UEFI NVME Drive BBS Priorities and I tried the steps with changing it to UEFI OS as the 1st priority (replacing the other option [tuxedo] there). The outcome was always (even when removing [tuxedo] altogether) to get my instance of the OS launched where I tried with the mokutil command. There was no luck though in getting MOKManager after restart.

I also checked boot options available in Grub and there's nothing relevant.

@Fuzzillogic it seems that you have managed to successfully complete the steps, do you have any idea what I am missing? Besides helping me that would probably also help others by getting more steps refined.

marekoid commented 1 year ago

By reading that it seems that MOKManager can fail to launch many times and then randomly work. I tried probably more than 10 times already though. @Matombo perhaps you could share any insight here?

marekoid commented 1 year ago

The MOK key enrollment screen has finally shown for me after I clicked on the "your computer requires to restart to apply updates" icon in the "status and notifications" area (bottom left of the screen). Not sure if using that restart button is different than restarting in other ways, or if it was a bug that MOK was not showing up earlier that has been fixed by an update or if just restart after installing certain updates is different... I actually didn't remember the one-time password I set over a month earlier when trying to enroll Tuxedo's key so I had to boot the OS normally. There were many more updates that I installed, added Tuxedo's key for MOK enrollment again and then I used the restart option accessible via KDE search. It has shown MOK enrollment which I did and then changed in BIOS to use Secure Boot.

I noticed some time later though that in Tuxedo Control Center fan control and temp readings are no longer available. It's likely related to Secure Boot as when I try to reinstall tuxedo-control-center and its dependency tuxedo-keyboard that contains various I/O drivers (doing apt purge on them first), I'm being prompted to enroll another key to MOK. Which is quite concerning considering the instructions here don't mention the need to enroll any other keys and only packages coming from Tuxedo are involved here and I would expect the same key to be used to sign them.

That's the key I'm being prompted to enroll, @Matombo can it be trusted based on its fingerprint? [image]

@Fuzzillogic not sure if you are running Tuxedo OS as you mentioned Kubuntu but if yes or if you have Tuxedo Control Center installed are fan/temp options working for you there?

Fan control seems to still work fine for me, even during intense computations that utilize all CPU power, chip temp is displayed in System Monitor and it's being stopped from exceeding 100C by fans increasing their speed. They seem to work quieter though than what they used to when being controlled by default settings in Tuxedo Control Center which probably was aiming to keep the temp a bit lower.

jlnr commented 10 months ago

I have tried the first command (didn't bother with the --timeout) and rebooted using the standard KDE button for doing so. I was immediately asked to enroll the new Tuxedo key in addition to Canonical's. Afterwards, I've enabled secure boot in the BIOS.

I guess it worked? Booting works, although a new red line is printed before the login screen appears:

[FAILED] Failed to start LSB: VirtualBox Linux kernel module.

No problem, I don't need or want VirtualBox. Not sure why these packages come pre-installed if there is no GUI for it? I'll try to remove everything related to VirtualBox (guest additions too) and see if it makes this new error go away. Edit: Seems like it!

Besides that, the CPU temperature and fan speed are not visible in TCC 2.1.1 anymore. This new TCC version worked fine for me before enabling secure boot. I also think that my laptop has gotten quite a bit louder, but I'm not in the mood to come up with a way to quantify this.

This is all on an IBP14 Gen8 with no dGPU, running the latest Tuxedo OS 2. It would be great if this secure boot situation could be clarified.

Matombo commented 10 months ago

You also need to enroll your MOK key for DKMS to work, which is missing in the guide.

jlnr commented 10 months ago

@Matombo, do you know the easiest way to do this on Tuxedo OS 2? After reading some older articles linked from this SuperUser answer, I thought that simply running sudo dpkg-reconfigure tuxedo-drivers would do the trick given the recent Ubuntu base system. At least it automatically guided me through the process of enrolling a module signing key. But although mokutil -l lists a new key, TCC is still semi-broken.

Matombo commented 10 months ago

While writing a short instruction on how to also enroll the DKMS MOK key I spotted that we run into a DKMS bug on TUXEDO OS causing the DKMS modules to not be signed by it. I will update you once we have a workaround live and will then also update the ReadMe here with a more complete and better tested step by step guide.
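The symptom discussed in this thread (a new key shows up in `mokutil -l`, yet the DKMS-built driver modules still do not load under Secure Boot) can be narrowed down by comparing each module's signer with the enrolled MOK certificates. The script below is an added example, not part of this thread or of the repository's instructions; the certificate names in the sample are constructed, and matching the `modinfo` signer field against the certificate `Subject` CN is an assumption that fits self-signed MOK certificates.

```shell
#!/bin/sh
# Added example: name-based check of a module's signer against enrolled MOK certs.
# Assumption: each "Subject:" line ends with the CN attribute.

# Constructed sample in the style of `mokutil --list-enrolled` (not real certificates).
SAMPLE_ENROLLED='[key 1]
        Issuer: CN=Example Vendor Secure Boot Signing
        Subject: CN=Example Vendor Secure Boot Signing
[key 2]
        Issuer: CN=examplehost Secure Boot Module Signature key
        Subject: CN=examplehost Secure Boot Module Signature key'

# Read enrolled-key text on stdin, print one certificate Subject CN per line.
enrolled_cns() {
    sed -n 's/^[[:space:]]*Subject:.*CN *= *//p'
}

# $1 = signer name reported by modinfo, $2 = text of `mokutil --list-enrolled`.
# Succeeds only on an exact, whole-line match with an enrolled Subject CN.
signer_is_enrolled() {
    printf '%s\n' "$2" | enrolled_cns | grep -Fxq -- "$1"
}

# Classify a module as "unsigned", "signer-in-mok" or "signer-not-in-mok".
# "signer-not-in-mok" is expected for in-tree modules signed by a key built
# into the kernel; for DKMS-built modules it points at a signing problem.
classify_module() {
    if [ -z "$1" ]; then
        echo unsigned              # modinfo prints no signer for unsigned modules
    elif signer_is_enrolled "$1" "$2"; then
        echo signer-in-mok
    else
        echo signer-not-in-mok
    fi
}

# Live use: pass module names as arguments, e.g. the DKMS-built driver modules.
if [ "$#" -ge 1 ] && command -v mokutil >/dev/null 2>&1; then
    enrolled=$(mokutil --list-enrolled)
    for m in "$@"; do
        signer=$(modinfo -F signer "$m" 2>/dev/null)
        printf '%s: %s\n' "$m" "$(classify_module "$signer" "$enrolled")"
    done
fi
```

A result of `unsigned` for a DKMS module while the key is enrolled matches the situation described above, where the key exists in MOK but the build did not sign the modules with it.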

jlnr commented 10 months ago

That's great to hear. Thank you & guten Rutsch!

Matombo commented 9 months ago

Issue is identified and will be fixed with the dkms package released yesterday and the next tuxedo kernel 6.5.0-10018 released soon (like this or next week).

The instructions are updated already. You should already be able to enroll both required keys and with the kernel update secure boot should just start to work.

Closing, but ofc feel free to open a new issue if 6.5.0-10018 does not fix the issue.

jlnr commented 9 months ago

Works as expected, many thanks 🙏🏻