shim fails to load MokManager

Support for security such as Firewalls and securing linux
chassap1
Posts: 13
Joined: 2017/10/24 14:23:59

shim fails to load MokManager

Postby chassap1 » 2018/03/27 15:40:44

I imported a cer file using mokutil. When I rebooted with secure boot, I was expecting the MokManager (mmx64.efi) to run to finish enrolling the key. I believe there is some error message but it goes away so quickly.

As a workaround, I booted into an EFI shell and manually ran mmx64 from the command line.

It looks like this is a bug in other distributions.

Can anyone confirm it's a bug in CentOS? Is it fixed? Is there an RPM patch I can install? Thanks.

toracat
Forum Moderator
Posts: 7267
Joined: 2006/09/03 16:37:24
Location: California, US

Re: shim fails to load MokManager

Postby toracat » 2018/03/27 21:58:29

Most likely you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
CentOS Forum FAQ

chassap1
Posts: 13
Joined: 2017/10/24 14:23:59

Re: shim fails to load MokManager

Postby chassap1 » 2018/03/28 15:32:21

Thanks. I down-rev'ed the mokutil and shim. It now starts the MokManager after reboot.

I have another question. I don't seem to be able to delete an existing item. Secure boot is off. Any ideas, or am I doing something wrong? I typed the following:

mokutil --list-enrolled
I have one certificate in the list.
mokutil --export
saved a file MOK-0001.der
mokutil --delete MOK-001.der
ask for password
mokutil --list-delete
displays file

reboot
MokManager starts. Go through the menus to delete.
Error Failed to retrieve MokList
click ok
Failed to delete keys
continue boot

mokutil --list-enrolled
still there.

tried
mokutil --reboot
that also fails in MokManager

chassap1
Posts: 13
Joined: 2017/10/24 14:23:59

Re: shim fails to load MokManager

Postby chassap1 » 2018/03/28 17:07:54

I was able to enroll my certificate with the MokManager without any errors.

I tried to delete the original certificate. It appeared to work without any errors when there were 2 certificates, but after I rebooted, it still seemed to be there when I used:

mokutil --list-enrolled

I did a

mokutil --reset

It seemed to have deleted my certificate but not the original one.

Is there something that prevents the Red Hat certificate from being removed?