mokutil - failing for almost all options

In the past I've successfully created a certificate and signed the virtualbox kernel modules for use. Now, other than --sb-state, all other parameters I try when running mokutil fail miserably.

Basic info:

  1. Ubuntu 17.10 64bit on an Asus X99-E motherboard.
  2. All commands run as root.

Sample results:

--reset
Failed to write MokAuth
Failed to issue a reset request

--list-enrolled
Failed to read MokListRT: No such file or directory

--password
input password: 
input password again: 
Failed to write MokPW: Invalid argument

--import MOK.der
input password: 
input password again: 
Failed to enroll new keys

Possibly related info:

dmesg | grep -i mok
[    9.114419] MODSIGN: Couldn't get UEFI MokListRT

Does anyone have any suggestions what I'm doing wrong? Where are MokAuth, MokListRT, MokPW, etc. stored that it is failing to write to them?

One possibly related bit of info. The previous, successful use of mokutil was prior to a hardware change. I had a raid controller that was randomly ejecting drives out of my array, so I cloned the partitions on the array to an external drive, replaced the card, recreated new arrays and restored the partitions. This included Ubuntu's root partition.

Other than that, the machine is as it was when things were working.

Any thoughts most welcome.

Steve.


It appears to be a UEFI bug in the motherboard. Some other UEFI/BIOS also fail to implement one of the methods required for mokutil to work. I also have an issue with an Asus X99-E USB3.1 mobo.

You can manually enroll the key, by saving it on a USB stick, booting into the bios setup and importing the key. There's a goofy interaction involving the mouse and enter key, such that it doesn't import when you think it should. But you can do so nonetheless.


This is a problem on 18.04 LTS as well and possibly also subsequent Ubuntu releases.

I have multiple ASUS X99WS/IPMI and X99WS-E motherboards and none of them work with 'mokutil'. It's some kind of bug with the board or the BIOS. I have an ASUS X299 Prime-II and it works fine.

The X99 boards are old, but the Xeon E5-2600v3 and E5-2600v4 series are really good at multiple GPU and RDMA on InfiniBand or 10+G RoCE Ethernet.

The work-around is to manually enroll the key(s) in the BIOS setup:

Nvidia's driver installation will create a MOK.der file, unique to your machine, and sign the drivers (or you can do it yourself with your own). The Nvidia apt installer will place the mok files at:

/var/lib/shim-signed/mok

It will sign subsequent installations with the same key, which is handy.

The easiest method is to copy the MOK.der file to a USB key.

Reboot the machine, enter the BIOS setup, use "advanced mode" and navigate to Boot/SecureBoot/ManageKeys menus.

The key goes in the 'db' repository. So pick "append to db" and select 'no' in the dialog box that pops up asking what you want to do (counterintuitive, to say the least). Navigate the UEFI storage path to your USB key, pick it and hit Enter. It will ask what the file is; pick "...blob".

Do a 'save and reset' (F10 key) to reboot.

Voila, your nvidia drivers will load in secure-boot.

I also had to do the Mellanox driver. Mellanox provides a direct download:

wget http://www.mellanox.com/downloads/ofed/mlnx_signing_key_pub.der

Copy the .der file to the USB key and do the same. (you can do more than one key append in the BIOS).
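Two things in this thread can be checked from Linux without going through mokutil at all: the question asks where MokAuth, MokListRT and MokPW actually live, and the answer above depends on the key really having landed in db after the "append to db" step in the BIOS. On an EFI boot the variables are exposed as files under /sys/firmware/efi/efivars, named VariableName-GUID: the Mok* variables sit under shim's GUID 605dab50-e046-4300-abb6-3dd810dd8b23 and db under d719b2cb-3d3a-4596-a3bc-dad00e67656f. Each file is a 4-byte little-endian attribute mask followed by the variable data, and the data of db (and of MokListRT) is a chain of EFI_SIGNATURE_LIST structures, each holding entries tagged with a signature-type GUID (X.509 certificate or SHA-256 hash). The Python below is an added example, not code from the original thread and not part of mokutil or shim: it lists which of those variables exist (a missing MokListRT file is exactly what "Failed to read MokListRT: No such file or directory" and the dmesg line report) and parses db to confirm that a given MOK.der is enrolled. The sample db image, the placeholder certificate bytes and the SignatureOwner GUID are constructed for the offline demonstration and do not come from a real machine.

```python
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"         # MokList*, MokAuth, MokPW, MokNew
IMAGE_SECURITY_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

MOK_VARS = ["MokListRT", "MokListXRT", "MokSBStateRT", "MokAuth", "MokPW", "MokNew"]


def present_variables(efivars_dir=EFIVARS):
    """Return the shim/db variables that exist as efivarfs files (empty list if efivarfs is absent)."""
    names = [f"{n}-{SHIM_LOCK_GUID}" for n in MOK_VARS] + [f"db-{IMAGE_SECURITY_DB_GUID}"]
    return [n for n in names if os.path.exists(os.path.join(efivars_dir, n))]


def split_efivar(raw):
    """efivarfs file layout: 4-byte little-endian attribute mask, then the raw variable data."""
    if len(raw) < 4:
        raise ValueError("efivar file too short")
    (attrs,) = struct.unpack_from("<I", raw, 0)
    return attrs, raw[4:]


def parse_signature_lists(data):
    """Walk a chain of EFI_SIGNATURE_LIST structures (the format of db, dbx and MokListRT).

    Header: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4),
    then optional header bytes, then entries of SignatureSize bytes: SignatureOwner GUID (16) + payload.
    """
    entries = []
    off = 0
    while off + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + 28 + hdr_size
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append({"type": sig_type, "owner": owner, "data": data[pos + 16:pos + sig_size]})
            pos += sig_size
        off = end
    return entries


def cert_enrolled(entries, der):
    """True if the DER certificate (e.g. the bytes of MOK.der) appears as an X.509 entry."""
    return any(e["type"] == EFI_CERT_X509_GUID and e["data"] == der for e in entries)


def check_db_for_cert(der_path, efivars_dir=EFIVARS):
    """Read the live db variable and report whether der_path is enrolled in it."""
    with open(os.path.join(efivars_dir, f"db-{IMAGE_SECURITY_DB_GUID}"), "rb") as f:
        _, data = split_efivar(f.read())
    with open(der_path, "rb") as f:
        der = f.read()
    return cert_enrolled(parse_signature_lists(data), der)


# ---- constructed sample data for the offline demonstration (not from a real board) ----

def build_signature_list(sig_type, owner, payloads):
    """Pack equal-length payloads into one EFI_SIGNATURE_LIST with no signature header."""
    sizes = {len(p) for p in payloads}
    if len(sizes) != 1:
        raise ValueError("all entries in one list must share SignatureSize")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


SAMPLE_MOK_DER = b"\x30\x82\x00\x40" + bytes(range(64))             # placeholder, not a real certificate
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")   # arbitrary SignatureOwner


def sample_db_variable():
    """Constructed efivarfs image of db: one X.509 entry followed by one SHA-256 hash entry."""
    x509_list = build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_MOK_DER])
    sha_list = build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER,
                                    [hashlib.sha256(b"vmlinuz").digest()])
    attrs = 0x27  # NON_VOLATILE | BOOTSERVICE_ACCESS | RUNTIME_ACCESS | TIME_BASED_AUTHENTICATED_WRITE_ACCESS
    return struct.pack("<I", attrs) + x509_list + sha_list


if __name__ == "__main__":
    import sys
    if os.path.isdir(EFIVARS):
        print("shim/db variables present:", present_variables() or "none")
    else:
        print("efivarfs not mounted at", EFIVARS, "(not an EFI boot?)")
    if len(sys.argv) > 1:
        print("certificate enrolled in db:", check_db_for_cert(sys.argv[1]))
    _, data = split_efivar(sample_db_variable())
    print("constructed db entries:", [(str(e["type"]), len(e["data"])) for e in parse_signature_lists(data)])
```

On the affected board, run it as root after the BIOS append with the key the Nvidia installer dropped, e.g. `python3 check_mok.py /var/lib/shim-signed/mok/MOK.der`; a `True` means the firmware stored the exact DER you appended, and the variable listing shows whether MokListRT and the other shim variables exist at all, independent of what mokutil prints.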