Centos 7.5: MOK Manager does not show up

[v_samadi]

I'm going to install VMWARE‌ drivers, i.e. vmmon and vmnet, on my CentOS. However since their signature and certificate are not installed on CentOS, I had to sign them myself and install my sign/certificate on my machine using mockutil, like this:

Code: Select all

mokutil --import MOK.der 

running

Code: Select all

mokutil --list-new 

list my keys however after rebooting my machine Mok Manager does not show up and I don't know what is wrong. Some noted that it might be because of wrong efi boot loader priority, and here is my boot loader priority:

Code: Select all

[root@DESKTOP-123 sam]# efibootmgr -v
BootCurrent: 0009
Timeout: 1 seconds
BootOrder: 0009,000A,0006,0003,0002,0005,0008
Boot0002* WDC WD10PURX-64E5EY0  BBS(HD,,0x0)..BO
Boot0003* ST9500325AS   BBS(HD,,0x0)..BO
Boot0005* ST3500418AS   BBS(HD,,0x0)..BO
Boot0006* ADATA SP600   BBS(HD,,0x0)..BO
Boot0008* SMI USB DISK 1100 BBS(HD,,0x0)..BO
Boot0009* CentOS    HD(1,GPT,681a763c-b8af-447c-abb6-75151c5ebdd7,0x800,0x64000)/File(\EFI\CENTOS\SHIM.EFI)..BO
Boot000A* UEFI: SMI USB DISK 1100, Partition 1  PciRoot(0x0)/Pci(0x14,0x0)/USB(10,0)/HD(1,MBR,0xa868970b,0x70,0x1d4bf90)..BO

which default is set to boot option 0009 which loads \EFI\CENTOS\SHIM.EFI but it does not bring up Mok Manager to install and enroll new keys. Can anyone guess what may be wrong?

Since I noticed that it may be due to BIOS‌ problems, I must notice that an ASUS Z-170A mainboard is installed on my machine and secure boot is enabled according to my BIOS reports.

[TrevorH]

It's a bug, discussion in https://bugs.centos.org//view.php?id=14050 along with instructions on how to backlevel the packages so that you can get it to work.

Edit: I was just told that it's not necessary to downgrade any more and it can be fixed using

Code: Select all

cp /boot/efi/EFI/centos/mmx64.efi /boot/efi/EFI/centos/MokManager.efi
cp /boot/efi/EFI/BOOT/fbx64.efi /boot/efi/EFI/BOOT/fallback.efi

[v_samadi]

Thanks for your workaround. It did helped me a lot
BTW, do you know any references which can I understand logic about efi, uefi, secure boot and boot loaders?

I'm accustomed to old BIOS boot process and I cannot understand clearly what is going on behind the scene in UEFI boot loaders.

[TrevorH]

Not me, I disable UEFI on everything if I can.

[toracat]

BTW, do you know any references which can I understand logic about efi, uefi, secure boot and boot loaders?

Some of the links from my memo:

https://www.redhat.com/en/blog/uefi-secure-boot
https://wiki.archlinux.org/index.php/GR ... menu_entry
https://www.happyassassin.net/2014/01/2 ... work-then/
https://en.opensuse.org/openSUSE:UEFI

[toracat]

@v_samadi,

As noted in https://bugs.centos.org//view.php?id=14050 , @arrfab has built a version of shim that supposedly fixes the issue. Can you give it a try and provide feedback?