[Bug 1776068] Re: Can't remove enrolled keys and change SecureBoot state
林博仁 (Buo-ren Lin)
1776068 at bugs.launchpad.net
Sun Feb 16 09:14:39 UTC 2025
@wesinator
> but when I am in OS and i check for shim secure boot state i got this
>
> $ mokutil --sb-state
> SecureBoot disabled
This queries the SecureBoot state of the _mainboard firmware_, not the
state of the key validation functionality in the shim bootloader.
> i want to delete it in MokManager I got again error 0xEd or something
> similar
The proper way to delete an enrolled machine owner key is to:
1. Export all the enrolled machine owner keys to the working directory
by running the following command:
```
mokutil --export
```
2. Verify the machine owner key to be removed by using the following
command:
```
openssl x509 -in _certificate_file_ -noout -text
```
3. Revoke the machine owner key by running the following command:
```
sudo mokutil --delete _certificate_file_
```
then complete the single-time machine owner presence validation by:
1. Reboot the system.
2. When the blue background countdown prompt appears, press any key to enter the Perform MOK management menu.
3. Select the Delete MOK option in the Perform MOK management menu.
4. View details of all machine owner keys to be deleted to avoid misoperation, then select the Continue option to continue.
5. Select the Yes option in the Delete the key(s)? prompt.
6. Enter the password specified in the `mokutil --delete` command.
7. Select the Reboot option in the Perform MOK management menu.
Refer to the following webpage for more information:
https://gitlab.com/brlin/mokutil-workspace
https://bugs.launchpad.net/bugs/1776068
Title:
Can't remove enrolled keys and change SecureBoot state
Status in mokutil package in Ubuntu:
New
Bug description:
I have UEFI Secure Boot enabled and when I boot to Linux I don't
see the message 'You are booting in insecure mode' or something like that,
but when I am in the OS and I check the shim secure boot state I get this.
$ mokutil --sb-state
SecureBoot disabled
When I want to enable it I get an error in MokManager that the secure boot state
is not empty or something like that, which I think means that I have
enabled shim secure boot state but the above command gives wrong
output. From there I can --disable-validation (with a message at boot
that it is in insecure mode) and after that I can --enable-validation,
which still gives me SecureBoot disabled without a message at boot.
With hexdump the first line finishes with 0, which means that shim's secure
boot state is disabled. If it's 1 it would be enabled. This is, I think,
the problem with the output, probably.
$ hexdump /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
0000000 0006 0000 0000
0000005
Problem 2!
With dmesg I see that I have an enrolled trusted key
Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate
Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to
secondary sys keyring
and with $ mokutil --list-enrolled I see that key. But when I want to
delete it in MokManager I get again error 0xEd or something similar. I
tried manually to delete it through --export and through mokutil --reset.
Nothing worked. I don't know whether I can even delete this key and
what it is. But I want to delete all keys signed by me.
I want to delete this key because when I import trusted keys from the UEFI
motherboard there is the same key with the same ID, but it's from the db
list.
Thanks for help.
Thanks.
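The reply above distinguishes the firmware's SecureBoot variable (what `mokutil --sb-state` reads) from shim's own validation toggle, and the hexdump in the bug description shows exactly that firmware variable. The following is an added example, not code from this thread, from mokutil or from shim: it decodes an efivarfs variable image by treating the first four bytes as the UEFI attribute word and the rest as the payload, and reproduces the mokutil-style verdict from a constructed byte string matching the report's hexdump. The MokSBStateRT variable name with its GUID and the `read_secureboot_state` helper are assumptions about shim's layout, not something the thread states.

```python
"""Decode UEFI variables as exposed through efivarfs.

Added example for this bug thread; it is not mokutil or shim code. Under
/sys/firmware/efi/efivars every variable file starts with a 4-byte
little-endian attribute word, followed by the variable's payload. For
SecureBoot (GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c) the payload is one
byte: 1 = the firmware enforces Secure Boot, 0 = it does not. That is what
`mokutil --sb-state` reports; shim's own validation toggle is a separate
variable (assumed here to be MokSBStateRT under shim's vendor GUID).
"""
import struct
from pathlib import Path

# Attribute bits from the UEFI specification (variable services).
EFI_VARIABLE_NON_VOLATILE = 0x00000001
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x00000002
EFI_VARIABLE_RUNTIME_ACCESS = 0x00000004

ATTR_NAMES = {
    EFI_VARIABLE_NON_VOLATILE: "NON_VOLATILE",
    EFI_VARIABLE_BOOTSERVICE_ACCESS: "BOOTSERVICE_ACCESS",
    EFI_VARIABLE_RUNTIME_ACCESS: "RUNTIME_ACCESS",
}

EFIVARS_DIR = Path("/sys/firmware/efi/efivars")
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# Assumption: shim's runtime copy of its "validation disabled" flag.
MOKSBSTATE_VAR = "MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23"


def parse_efivar(raw: bytes):
    """Split an efivarfs file image into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs image shorter than the 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def attr_names(attrs: int):
    """Names of the attribute bits that are set, in ascending bit order."""
    return [name for bit, name in sorted(ATTR_NAMES.items()) if attrs & bit]


def decode_flag(raw: bytes) -> bool:
    """Decode a one-byte boolean variable such as SecureBoot or MokSBStateRT."""
    _, data = parse_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte payload, got {len(data)} bytes")
    return data[0] == 1


def describe_secureboot(raw: bytes) -> str:
    """Render the firmware SecureBoot variable the way mokutil --sb-state does."""
    return "SecureBoot enabled" if decode_flag(raw) else "SecureBoot disabled"


def read_secureboot_state(efivars: Path = EFIVARS_DIR):
    """Read the live variables; returns (firmware_enabled, shim_validation_disabled).

    Assumption: MokSBStateRT is absent when shim validation is on.
    """
    firmware_enabled = decode_flag((efivars / SECUREBOOT_VAR).read_bytes())
    mok_path = efivars / MOKSBSTATE_VAR
    shim_disabled = mok_path.exists() and decode_flag(mok_path.read_bytes())
    return firmware_enabled, shim_disabled


# Constructed sample equal to the hexdump in the bug report:
#   0000000 0006 0000 0000  ->  bytes 06 00 00 00 00
# attributes = 0x6 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS), payload = 0x00.
SAMPLE_SB_DISABLED = bytes.fromhex("06 00 00 00 00")
SAMPLE_SB_ENABLED = bytes.fromhex("06 00 00 00 01")

if __name__ == "__main__":
    attrs, payload = parse_efivar(SAMPLE_SB_DISABLED)
    print(f"attributes=0x{attrs:x} {attr_names(attrs)} payload={payload.hex()}")
    print(describe_secureboot(SAMPLE_SB_DISABLED))
```

Run on a live system with `read_secureboot_state()`. The report's hexdump decodes to attributes 0x6 (boot-service and runtime access) and a zero payload, so the firmware itself is reporting Secure Boot off; that verdict is independent of whether shim's validation flag has been toggled with `--disable-validation` or `--enable-validation`.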