reset doesn't seem to work

Open ZeroChaos- opened this issue 7 years ago • 9 comments

if I --list-enrolled and then --reset and --list-enrolled again, all the hashes I've added are still there. Not being certain how this all works, I reboot and check --list-enrolled again and all the sha256 hashes are still there. Am I doing this wrong, or is this feature broken?

ZeroChaos- avatar Jul 10 '18 15:07 ZeroChaos-

Did MokManager show up to ask for cleaning the MOK?

lcp avatar Jul 12 '18 04:07 lcp

secboot ~ # mokutil --reset
input password: 
input password again: 
Failed to write MokAuth
Failed to issue a reset request
secboot ~ # mount -o rw,remount /sys/firmware/efi/efivars/
secboot ~ # mokutil --reset
input password: 
input password again: 
secboot ~ # 

ZeroChaos- avatar Jul 12 '18 15:07 ZeroChaos-

nothing changed during boot after that

ZeroChaos- avatar Jul 12 '18 15:07 ZeroChaos-

It may be important to note that I'm using mokutil from 20170404 git, and mmx64.efi is version 15-5 from fedora here: https://koji.fedoraproject.org/koji/buildinfo?buildID=1079378

ZeroChaos- avatar Jul 12 '18 15:07 ZeroChaos-

If /sys/firmware/efi/efivars/MokAuth-* existed after "mokutil --reset", then mokutil already did its job. I wonder why MokManager didn't show during the next boot.

Could you check "efibootmgr -v" and see if shim.efi is in the default boot option?

lcp avatar Jul 16 '18 02:07 lcp
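The three things lcp asks the reporter to verify (efivars writable, a pending MokAuth request, shim first in BootOrder) can be checked from one script. The following is an added diagnostic written for this thread; it is not part of mokutil or shim. Each check takes its input as a file or directory argument so it can be exercised against constructed data; on a live system the inputs are /proc/mounts, /sys/firmware/efi/efivars and the output of `efibootmgr -v`. The GUID suffix used in the sample variable name and the exact layout of `efibootmgr -v` output are assumptions of this example.

```shell
#!/bin/sh
# Added diagnostic for the checks discussed in this thread (not mokutil's code).
# Usage on a live system (root needed to read efivars):  sh mok-diag.sh --live

# 1. Is efivarfs mounted read-write?  mokutil writes MokAuth through efivarfs,
#    and "Failed to write MokAuth" is what a read-only mount produces.
#    $1 = a file in /proc/mounts format.
efivars_is_rw() {
    awk '$2 == "/sys/firmware/efi/efivars" { opts = $4 }
         END {
             n = split(opts, a, ",")
             for (i = 1; i <= n; i++) if (a[i] == "rw") ok = 1
             exit (ok ? 0 : 1)
         }' "$1"
}

# 2. Did "mokutil --reset" leave a pending request?  MokManager acts on
#    MokAuth (and MokNew for enrollment); if the variable is absent, nothing
#    was queued for the next boot.
#    $1 = efivars directory.
mok_reset_pending() {
    set -- "$1"/MokAuth-*
    [ -e "$1" ]
}

# 3. Is shim the first entry in BootOrder?  MokManager is only launched by
#    shim, so a request is ignored if another loader boots first.
#    $1 = file holding "efibootmgr -v" output.
shim_is_default_boot() {
    first=$(awk '/^BootOrder:/ { split($2, o, ","); print o[1]; exit }' "$1")
    [ -n "$first" ] || return 1
    grep -iE "^Boot${first}\*? .*shim[a-z0-9]*\.efi" "$1" >/dev/null
}

# Run all three against the running system.
mok_reset_diag() {
    tmp=$(mktemp)
    efibootmgr -v >"$tmp" 2>/dev/null
    if efivars_is_rw /proc/mounts; then echo "efivars: rw"
    else echo "efivars: not rw (try: mount -o rw,remount /sys/firmware/efi/efivars)"; fi
    if mok_reset_pending /sys/firmware/efi/efivars; then echo "MokAuth: request pending"
    else echo "MokAuth: absent (mokutil --reset did not write it)"; fi
    if shim_is_default_boot "$tmp"; then echo "boot: shim is first in BootOrder"
    else echo "boot: shim is not first in BootOrder"; fi
    rm -f "$tmp"
}

[ "${1:-}" = "--live" ] && mok_reset_diag
```

Run it with `--live` after `mokutil --reset` and before rebooting: if all three checks pass and MokManager still does not appear, the remaining suspect is shim/MokManager itself, which is where the thread ends up.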

shim is the default boot option, I have secure boot required and nothing but shim is signed so I can't really mess that one up ;-)

ZeroChaos- avatar Jul 16 '18 14:07 ZeroChaos-

Then this is probably an issue in shim. Please report the issue to https://github.com/rhboot/shim

lcp avatar Jul 17 '18 02:07 lcp

Intuitively, I would expect mokutil --reset to remove all of the Mok* EFI vars. Is there another flag for this? Any system (e.g. the Debian Buster live CD) shipped with shim but without mmx64.efi will fail to load.

khimaros avatar Sep 03 '20 19:09 khimaros

Sorry for the late reply. In the beginning, there were only MokNew and MokAuth for MokList, so "--reset" is designed for MokList. Over time, more Mok variables were added, and it's not good to change the option now :( The problem you had is caused by the changes in shim. I remember the older shim could skip the loading of MokManager if it doesn't exist.

lcp avatar Sep 22 '20 01:09 lcp