MOK enrollment silently fails #105
Comments
|
Would it work after turning off Secure Boot? Just wonder if the firmware clear all BS variables it doesn't know when Secure Boot is enabled... |
|
No, I've tried the steps with Secure Boot enabled and disabled, and the behavior is the same (except for an extra message when MokManager loads saying that secure boot is disabled). |
|
That sounds bad :-( |
|
Hi too have this problem on a HP Elitebook 8470p. SecureBoot is enabled. I did the following: sudo efivar -l > efivars.txt.1 Before reboot the key is listed as new. MokManager.efi is then started and shows the certificate. It enrolls without errors and warnings. After reboot however, the key is not listed in /proc/keys. This is with 0.3.0-0ubuntu4 (Ubuntu 17.10) |
|
The enrolled keys are stored in the UEFI variable and viewable with "mokutil -l" which reads data from "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23". |
|
There is no sign of my enrolled MOK in "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23". It only contains the "Canonical Ltd. Master Certificate Authority" key. Could it be that MokManager tries to save the MOK in UEFI vars but fails silently? The HP EliteBook 8470p BIOS is from 2012. I read similar reports with some other HP laptops. Furthermore, I suppose that not many people are trying to enroll their own MOK? |
|
It could be either variable writing failed silently or the firmware cleared the variables it doesn't know. I heard some firmware vendor did the later before. |
|
Ok, too bad... so it seems that I will not be able to use a MOK for driver signing on this laptop :-( |
|
I've the same problem with HP ZBook 15 Workstation. The last BIOS/UEFI update is from 2018, so the firmware is not old. I've exactly the same problem: mokutil seems to work fine. Shim prompts me to enroll the key. I can view the key info and it is OK. Shim verbose mode is enabled. I tell it to enroll the key, it received the password. There is no errors. But, the key is not added. I guess if the variables were cleared, shim would not see a new key should be enrolled at all, correct?! Also, it seems that Fedora own key is already added to 605dab50-e046-4300-abb6-3dd810dd8b23-MokListRT var; or not? |
|
The attribute of the mok request is BS+RT+NV while the attribute of MokList is BS+NV, so the firmware may just clear BS+NV variables. As for the fedora key, shim copies the built-in key to MokListRT for every booting, so the built-in key always shows in |
|
Thank you for clarification. Is there anything I can do to debug the problem even more? Is there any workaround for enrolling the key, so that we can get custom kernel modules verified? (without enrolling our own keys in UEFI itself instead of factory ones)? |
|
To be honest, I don't have a good idea now since I don't have the contact to HP firmware team :-\ |
Is this HP ZBook 15 a recent laptop? The BIOS of my HP Elitebook 8470p is also from 2018, thanks to the Meltdown and Spectre bugs. But, the laptop is still from 2013 and MOK enrollment doesn't work with the new BIOS either. |
|
No, it is probably 3 or 4 years old. I just thought that you mean you BIOS is old :) |
|
@strangeflower @hedayat My colleague helped me to contact the HP firmware team, and they are looking into the issue. Would you mind to provide the BIOS version? |
|
|
My laptop (Elitebook 8470p) has: dmidecode output: |
|
Thanks! I provided the information to HP firmware team. Hope we can find the root cause. |
|
@lcp That's great, thanks for putting effort into this! |
|
I wrote a test program and will provide it to HP to reproduce the issue. Here is the logic of the program:
For a functional system, it will set MokList at the first boot and ask the user to delete MokList after reset. If anyone is willing to test the program, here are the links: Source code: |
|
I tested it, and it always says that MokList doesn't exist (as expected!). |
|
I also ran a test. WriteMok always reports that the MokList doesn't exist. BTW, I disabled SecureBoot before testing because WriteMok.efi is not signed. |
|
Per HP firmware team, the implementation of SetVariable() in those laptops couldn't handle EFI_VARIABLE_APPEND_WRITE properly. It would just return EFI_SUCCESS without writing the content to the flash. We previously checked EFI_INVALID_PARAMETER for some Lenovo machines but this is not enough for your HP machines :- So, we should drop EFI_VARIABLE_APPEND_WRITE to avoid faulty implementation. Here is the updated WriteMok: If it works, I'll submit a patch to remove EFI_VARIABLE_APPEND_WRITE. |
|
Thanks it works. BTW, does it mean that they don't care to fix their UEFI to at least return an error code in this case?! This is certainly a bug! |
|
It works on my laptop too. In Ubuntu 17.10 I can see the key: I see the certificate is encoded in WriteMok.c in ca_list_bin. How did you encode this? I would like to try and install my own MOK :-) |
|
@hedayat I'm not sure if they will fix it or not, but it's faster to change MokManager than to wait for the firmware update. @strangeflower The certificate is created randomly in my machine, so you'd be better to run WriteMok2 again and delete it :) The ca_lis_bin is a x509 certificate in DER format with the signature database header. The binary can be generated with efisiglist from pesign and then you can use "xxd -i" to convert the binary file into a C array. I'll write a patch for MokManager and add the comment to remind the developers not to use EFI_VARIABLE_APPEND_WRITE. |
When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops may just return EFI_SUCCESS without writing the content into the flash, so we have no way to detect if MokList is updated or not. Now we always read MokList first and write it back with the new content. rhboot#105 Signed-off-by: Gary Lin <[email protected]>
|
I patched shim v14 (v15 and later won´t compile on my machine) and built it on Ubuntu 17.10 with:
MokManager (mmx64) enrolls the MOK key successfully and driver signing works. |
|
I can second that, as I failed using efisiglist (resulted in corrupted MokList apparently! :P). I tried shim master. |
|
I forgot to mention that you may need this pesign patch. |
When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops may just return EFI_SUCCESS without writing the content into the flash, so we have no way to detect if MokList is updated or not. Now we always read MokList first and write it back with the new content. #105 Signed-off-by: Gary Lin <[email protected]>
|
I'm new to all this. So, forgive me if I saw anything stupid. My key is showing up in mokutil --list-enrolled. But, it hasn't shown up in /proc/keys. So, how should i proceed to get around this error? |
|
If the key shows in |
When writing MokList with EFI_VARIABLE_APPEND_WRITE, some HP laptops may just return EFI_SUCCESS without writing the content into the flash, so we have no way to detect if MokList is updated or not. Now we always read MokList first and write it back with the new content. #105 Signed-off-by: Gary Lin <[email protected]> Upstream-commit-id: f442c84
|
I'm happy that I found this thread. Please see my StackExchange post ? I have my public DER with |
Might sound silly but, how do we verify & enable this? Operating system configurations instead of manual kernel compilation. From Debian. |
I don't seem to have a /sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23 file and I keep getting the root@myMachineName:/sys/firmware/efi/efivars# mokutil -l
MokListRT is emptyerror. Maybe I need to do mokutil --reset to get that file? |
mokutil --reset Didn't do me any good. I still can't enroll keys via mokutil and the reboot process that jrmrjnck describes. |
|
Similar issue here on an AMD lenovo laptop S540-13ARE with Phoenix UEFI firmware. |
|
Oh never mind. I copied P.S. Couldn't / shouldn't shim / |
|
For me (Lenovo ThinkPad T480) it seems the MOK is enrolled as it shown during setup mode & MOK manager verbose log but it's seems the MOK db is always ignored no matter if I set |
|
Hi, May anyone please guide me what am i doing wrong? |
I'm trying to enroll a new MOK, but it doesn't take effect even though none of the tools show any error. It may be a UEFI implementation bug, but the error checking in MokManager seems decent, so I'm not sure what could be failing.
OS: Fedora 27
HW: HP Elitebook 840 G2
BIOS: M71 v 1.21 (latest available)
efivar -lmokutil --list-enrolleddoes not show new MOK, only the existing Fedora Secure Boot CA key. The new MOK is no longer shown under --list-new and the MokNew/MokAuth vars are gone.The text was updated successfully, but these errors were encountered: