
MOK key enrollment in shim doesn't work when using Ventoy

Open miczyg1 opened this issue 2 years ago • 4 comments

Dasharo version Any

Dasharo variant Any

Affected component(s) or functionality UEFI Secure Boot, shim

Brief summary When using Ventoy with Secure Boot enabled, the MOK key enrollment doesn't work: the platform hangs.

How reproducible 100%

How to reproduce

Steps to reproduce the behavior:

  1. Download and install Ventoy onto a USB stick (https://www.ventoy.net/en/doc_start.html) with Secure Boot enabled (selected in the Options panel).
  2. Plug the stick into the MSI machine and boot it.
  3. Wait for the `Verification failed: (0x1A) Security Violation` screen and press Enter (OK).
  4. Choose enroll key.

Expected behavior After selecting Enroll key from disk, the next window should pop up with the possible disks to search for the keys.

Actual behavior The platform hangs when choosing to enroll key from disk.

Screenshots none

Additional context none

Solutions you've tried none

miczyg1, Dec 05 '22 12:12

Found bugs in Shim's/MokManager's filesystem browser, which resulted in hangs of the shim when trying to enroll from a disk.

Fix: https://github.com/rhboot/shim/pull/622

miczyg1, Dec 16 '23 12:12

I have observed exactly the same issue on PRO Z790-P WIFI (MS-7E06) running Dasharo (coreboot+UEFI) v0.9.1 with a WD Red SN700 2000GB installed in the M2_2 slot. The disk is GPT partitioned and the first partition is a 1GiB EFI System Partition.

In my case the steps to reproduce were:

  1. Put shimx64.efi (from e.g. https://aur.archlinux.org/packages/shim-signed) alongside MOK-signed (or even unsigned) grubx64.efi
  2. Enable Secure Boot
  3. Boot shimx64.efi
  4. "Perform MOK management" blue screen pops up with options "Continue boot", "Enroll key from disk", "Enroll hash from disk"
  5. Select "Enroll key from disk" (or "Enroll hash from disk")
  6. Menu freezes, only physical reset helps

A working workaround is to enroll the key in userspace, so there is no need to browse disks in the shim MOK manager:

  1. Disable Secure Boot
  2. boot Linux
  3. Enroll MOK key with userspace mokutil (choose some arbitrary password for later use)
  4. Reboot
  5. Enable Secure Boot
  6. Actually enroll the key from step 3 by entering the password provided in step 3

desowin, Feb 20 '24 19:02
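The userspace workaround from the comment above, scripted as an added example (this is not code from the issue, from shim or from Dasharo). It assumes `openssl`, `sbsign` (sbsigntools) and `mokutil` are installed, that it is run as root from the ESP directory holding `grubx64.efi`, and that `mokutil --list-new` prints one `[key N]` header per staged certificate; the `MOK.key`/`MOK.crt`/`MOK.der` file names are hypothetical. `mokutil --import` only stages the request in the MokNew variable, so MokManager still asks for the one-time password on the next boot with Secure Boot enabled (step 6) and its disk browser is never opened.

```bash
#!/usr/bin/env bash
# Added example (not from the issue, shim or Dasharo): the userspace MOK
# enrollment workaround, with a small status helper that maps the machine's
# state onto the six steps of the workaround.
set -euo pipefail

# Classify `mokutil --sb-state` output. The text is passed in as a string so
# the helper can be exercised offline against constructed samples.
sb_state() {
  case "$1" in
    *"SecureBoot enabled"*)  echo enabled ;;
    *"SecureBoot disabled"*) echo disabled ;;
    *)                       echo unknown ;;
  esac
}

# Count certificates staged in MokNew from `mokutil --list-new` output;
# assumed format: one "[key N]" header per pending certificate.
pending_requests() {
  printf '%s\n' "$1" | grep -c '^\[key [0-9]*\]' || true
}

# Tell the operator which step of the workaround comes next.
next_step() {
  local sb="$1" pending="$2"
  if [ "$sb" = enabled ] && [ "$pending" -eq 0 ]; then
    echo "disable Secure Boot in firmware setup and boot Linux (steps 1-2)"
  elif [ "$sb" = disabled ] && [ "$pending" -eq 0 ]; then
    echo "run stage_mok_request (step 3), then reboot and re-enable Secure Boot (steps 4-5)"
  elif [ "$pending" -gt 0 ]; then
    echo "reboot: MokManager will offer 'Enroll MOK' and ask for the password (step 6)"
  else
    echo "cannot read Secure Boot state; check that efivarfs is mounted"
  fi
}

# Step 3: create a Machine Owner Key, sign the bootloader with it and stage
# the enrollment request from userspace. Hypothetical file names.
stage_mok_request() {
  local efi="${1:-grubx64.efi}"
  # Self-signed RSA-2048 MOK valid for ten years (constructed subject name).
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Local Machine Owner Key/" -keyout MOK.key -out MOK.crt
  openssl x509 -in MOK.crt -outform DER -out MOK.der
  # Sign the binary shim will load; an unsigned grubx64.efi also works for
  # MOK enrollment itself, as the comment notes, but will not boot under SB.
  sbsign --key MOK.key --cert MOK.crt --output "${efi}.signed" "$efi"
  mv "${efi}.signed" "$efi"
  # Prompts for the one-time password you retype in MokManager (step 6).
  mokutil --import MOK.der
  # Confirm the request is staged in MokNew.
  mokutil --list-new
}

# Interactive use: `./mok-workaround.sh --status` reports the next step.
if [ "${1:-}" = --status ]; then
  state="$(sb_state "$(mokutil --sb-state 2>/dev/null || true)")"
  pending="$(pending_requests "$(mokutil --list-new 2>/dev/null || true)")"
  next_step "$state" "$pending"
fi
```

Run `stage_mok_request` only once Linux has been booted with Secure Boot disabled, as in the comment's step ordering; the key stays on disk, so keep `MOK.key` readable by root only if the same MOK will be reused to sign later bootloader updates.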

> Found bugs in Shim's/MokManager's filesystem browser, which resulted in hangs of the shim when trying to enroll from a disk.
>
> Fix: rhboot/shim#622

@miczyg1 It looks like you have implemented a fix. If so, and if the issue no longer occurs, please consider closing the issue.

wessel-novacustom, Apr 15 '24 14:04

Unless the PR with a fix is merged, the issue is relevant.

miczyg1, Apr 16 '24 07:04