[Bug 1776068] Re: Can't remove enrolled keys and change SecureBoot state
spm2011
1776068 at bugs.launchpad.net
Thu Dec 20 16:14:43 UTC 2018
Strange, I have mokutil --sb-state
SecureBoot enabled
But my kernel secure boot is disabled and the GRUB boot displays
"Booting in insecure mode"
https://bugs.launchpad.net/bugs/1776068
Title:
Can't remove enrolled keys and change SecureBoot state
Status in mokutil package in Ubuntu:
New
Bug description:
I have UEFI Secure Boot enabled and when I boot into Linux I don't
see the message 'You are booting in insecure mode' or something like that,
but when I am in the OS and I check the shim secure boot state I get this.
$ mokutil --sb-state
SecureBoot disabled
When I want to enable it I get an error in MokManager that the secure boot
state is not empty or something like that. Which I think means that I have
enabled shim secure boot state but with the above command it's the wrong
output. From there I can --disable-validation (with a message at boot
that it is in insecure mode) and after that I can --enable-validation
which will still give me SecureBoot disabled without a message at boot.
With hexdump the first line finishes with 0 which means that shim's secure
boot state is disabled. If it were 1 it would be enabled. This is, I think,
the problem with the output, probably.
$ hexdump /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
0000000 0006 0000 0000
0000005
Problem 2!
With dmesg I see that I have an enrolled trusted key
Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate
Authority: ad91990bc22ab1f517048c23b6655a268e345a63' linked to
secondary sys keyring
and with $ mokutil --list-enrolled I see that key. But when I want to
delete it in MokManager I again get error 0xEd or something similar. I
tried to delete it manually through --export and through mokutil --reset.
Nothing worked. I don't know whether I can even delete this key and
what it is. But I want to delete all keys signed by me.
I want to delete this key because when I import trusted keys from the UEFI
motherboard there is the same key with the same ID, but it's from the db
list.
Thanks for help.
Thanks.
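Added example, not part of the bug report or of mokutil's own code: an efivarfs file starts with a 4-byte attribute word followed by the variable's data, so the hexdump above is attributes 0x00000006 plus one data byte. The sketch below decodes that layout and reports the firmware `SecureBoot` variable and shim's `MokSBStateRT` variable separately; the shim GUID, the function names and the `enforcing` rule are assumptions of this example.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI global GUID, as in the path above
SHIM_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"    # shim vendor GUID (not from the report)

# Constructed sample: the 5 bytes behind the hexdump output "0006 0000 0000".
# hexdump's default view prints little-endian 16-bit words, so the bytes are 06 00 00 00 00.
SAMPLE = bytes.fromhex("0600000000")

def parse_efivar(raw):
    """Split an efivarfs file into (attributes, payload)."""
    if len(raw) < 4:
        raise ValueError("efivarfs file is shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", raw)  # little-endian UINT32 attribute mask
    return attrs, raw[4:]

def read_flag(name, guid, root=EFIVARS):
    """First payload byte of a variable, or None if it is missing or empty."""
    try:
        _, data = parse_efivar((Path(root) / f"{name}-{guid}").read_bytes())
    except FileNotFoundError:
        return None
    return data[0] if data else None

def sb_summary(root=EFIVARS):
    """Report firmware and shim state separately; 'enforcing' needs both."""
    firmware = read_flag("SecureBoot", GLOBAL_GUID, root)
    mok_state = read_flag("MokSBStateRT", SHIM_GUID, root)
    return {
        "firmware_secure_boot": firmware == 1,
        "shim_validation_disabled": mok_state == 1,
        # Assumption of this example: the chain is enforcing only when the
        # firmware reports 1 and shim validation has not been switched off.
        "enforcing": firmware == 1 and mok_state != 1,
    }

if __name__ == "__main__":
    attrs, payload = parse_efivar(SAMPLE)
    print(f"sample: attributes=0x{attrs:08x} payload={payload.hex()}")
    print("this machine:", sb_summary())
```

On a machine without EFI variables both flags read as absent and `enforcing` is reported as False.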