Cannot enroll keys due to Shim UEFI Key Management not showing up after reboot
There are several ways you can proceed, but they might not all work equally well, depending on your hardware and needs:
- Some EFIs provide an option to launch arbitrary programs. You can use this feature to launch MokManager (MokManager.efi or mmx64.efi in the same directory that holds shimx64.efi and grubx64.efi). This is likely to be the most direct approach, but this EFI feature is relatively rare, and even if it's present, there's no standardization on where it's located in the EFI's menu system, so you'll have to go looking for it.
- Prepare a USB flash drive with a FAT filesystem, create an EFI/BOOT directory on that drive, and copy some files from the /boot/efi/EFI/ubuntu directory to the EFI/BOOT directory on the USB flash drive: Copy shimx64.efi and rename it to bootx64.efi in its new location and copy MokManager.efi or mmx64.efi without renaming it. (Your Ubuntu probably has mmx64.efi, but I don't recall when it was renamed.) You can then boot to the USB flash drive, which should launch MokManager.
- You can use an EFI shell program to do the job. Some EFIs have such a program built-in, but this is just as rare as the ability to launch arbitrary programs. If yours doesn't have such a feature, you can download one from the Internet -- see this Arch Linux wiki page for some pointers. Put the program on a FAT USB flash drive, named EFI/BOOT/bootx64.efi. You should then be able to boot the USB flash drive into the shell and use it to run MokManager. Note, however, that you'll need to temporarily disable Secure Boot to run the EFI shell. You'll also need to learn enough of the EFI shell to navigate to the MokManager binary and run it. (This shell is similar to a DOS or Windows command prompt. The Arch wiki provides some tips on how to use it.)
- You can boot using my rEFInd boot manager on a USB flash drive or CD-R. This should give you an icon to launch MokManager, or at least an EFI shell. As with launching an EFI shell directly, you'll need to temporarily disable Secure Boot for this option to work.
- You can install rEFInd to your hard disk by using the PPA or Debian package. When you reboot, MokManager should launch, enabling you to enroll rEFInd's keys and your own keys. This is a drastic method, since it will leave rEFInd in control of your boot process. Thus, unless you're sure you want to switch to rEFInd as your main boot manager, this is not a good option. I mention it only for completeness.
I'd try the options in more-or-less this order, although you can use your own judgment and skip something if you don't like the way it sounds or know it won't work.
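The USB flash drive preparation from the second option above, written out as a script. This is an added example, not part of the original answer; it assumes the drive is already FAT-formatted and mounted, and the function name stage_mok_usb and the /media/usb mount point are hypothetical.

```shell
#!/bin/sh
# Stage shim and MokManager on a FAT USB drive so the firmware boots shim
# from the fallback path EFI/BOOT/bootx64.efi.
# Usage (as root): sh stage.sh /boot/efi/EFI/ubuntu /media/usb
stage_mok_usb() {
    src=$1   # directory holding shimx64.efi
    usb=$2   # mount point of the flash drive (assumed already mounted)

    [ -f "$src/shimx64.efi" ] || { echo "no shimx64.efi in $src" >&2; return 1; }

    # MokManager ships as mmx64.efi or, on older installs, MokManager.efi.
    mok=
    for name in mmx64.efi MokManager.efi; do
        if [ -f "$src/$name" ]; then mok=$name; break; fi
    done
    [ -n "$mok" ] || { echo "no mmx64.efi or MokManager.efi in $src" >&2; return 1; }

    # Warn (do not fail) if the target is not FAT; skipped when findmnt is absent.
    if command -v findmnt >/dev/null 2>&1; then
        fstype=$(findmnt -n -o FSTYPE -T "$usb" 2>/dev/null || true)
        case $fstype in
            vfat|msdos) ;;
            *) echo "warning: $usb is '$fstype'; the firmware expects FAT" >&2 ;;
        esac
    fi

    mkdir -p "$usb/EFI/BOOT" || return 1
    # shim is renamed to the fallback boot file name; MokManager keeps its name.
    cp "$src/shimx64.efi" "$usb/EFI/BOOT/bootx64.efi" || return 1
    cp "$src/$mok" "$usb/EFI/BOOT/$mok" || return 1

    # Confirm both copies are byte-identical to the originals.
    cmp -s "$src/shimx64.efi" "$usb/EFI/BOOT/bootx64.efi" || return 1
    cmp -s "$src/$mok" "$usb/EFI/BOOT/$mok" || return 1

    echo "$mok"   # report which MokManager file name was staged
}

# Run only when called with the two arguments shown in the usage line.
if [ "$#" -eq 2 ]; then
    stage_mok_usb "$1" "$2"
fi
```

Unmount the drive (or run sync) before unplugging it so the copies are flushed to the flash media.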