shim fails to load MokManager
I imported a cer file using mokutil. When I rebooted with secure boot, I was expecting the MokManager (mmx64.efi) to run to finish enrolling the key. I believe there is some error message, but it goes away so quickly.
As a workaround, I booted into an EFI shell and manually ran mmx64 from the command line.
It looks like this is a bug in other distributions.
Can anyone confirm it's a bug in CentOS? Is it fixed? Is there an rpm patch I can install? Thanks.
Re: shim fails to load MokManager
Most likely you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
CentOS Forum FAQ
Re: shim fails to load MokManager
Thanks. I down-rev'ed mokutil and shim. It now starts the MokManager after reboot.
I have another question. I don't seem to be able to delete an existing item. Secure boot is off. Any ideas, or am I doing something wrong? I typed the following:
mokutil --list-enrolled
I have one certificate in the list.
mokutil -- export
saved a file MOK-0001.der
mokutil --delete MOK-001.der
asks for password
mokutil --list-delete
displays file
reboot
MokManager starts. Go through the menus to delete.
Error Failed to retrieve MokList
click OK
Failed to delete keys
continue boot
mokutil --list-enrolled
still there.
Tried
mokutil --reboot
That also fails in MokManager.
Re: shim fails to load MokManager
I was able to enroll my certificate with the MokManager without any errors.
I tried to delete the original certificate. It appeared to work without any errors when there were 2 certificates, but after I rebooted, it still seemed to be there when I used:
mokutil --list-enrolled
I did a
mokutil --reset
It seemed to have deleted my certificate but not the original one.
Is there something that prevents the Red Hat certificate from being removed?
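An added check (not from the thread) for the enroll/delete questions above: compare the SHA1 fingerprint of the exported DER file with the fingerprints shim reports through mokutil --list-enrolled, so the result of an enroll or delete round-trip is verified against what shim actually lists rather than against MokManager's dialogs or a file name. It assumes POSIX sh with sed, grep and tr, openssl for the fingerprint helper, and a constructed sample of mokutil output whose fingerprints are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a certificate is present in
# the list shim reports via `mokutil --list-enrolled` by comparing SHA1
# fingerprints, so an enroll/delete round-trip can be verified after reboot.

# Normalise a fingerprint: uppercase hex, no colons.
norm_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F'
}

# Extract every "SHA1 Fingerprint:" line from mokutil output on stdin,
# one normalised fingerprint per output line.
list_fingerprints() {
    sed -n 's/^SHA1 Fingerprint: *//p' | tr -d ':' | tr 'a-f' 'A-F'
}

# Usage: fp_enrolled FINGERPRINT < mokutil_output ; returns 0 if found.
fp_enrolled() {
    want=$(norm_fp "$1")
    list_fingerprints | grep -qx "$want"
}

# SHA1 fingerprint of a DER file, in the form mokutil prints (needs openssl).
der_fingerprint() {
    openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Constructed sample of `mokutil --list-enrolled` output (fingerprints are
# made-up placeholders, not real keys).
SAMPLE_LIST='[key 1]
SHA1 Fingerprint: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd
Certificate:
    Data:
        Version: 3 (0x2)
[key 2]
SHA1 Fingerprint: 01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67
Certificate:
    Data:
        Version: 3 (0x2)
'

# Convenience wrapper over the constructed sample for offline checks.
sample_has() {
    printf '%s' "$SAMPLE_LIST" | fp_enrolled "$1"
}

# Real-world use, piping mokutil directly:
#   mokutil --list-enrolled | fp_enrolled "$(der_fingerprint MOK-0001.der)"
```

Run the real-world form before and after the reboot that MokManager triggers; if the fingerprint is still listed after a delete, the MokList change did not take effect regardless of what the MokManager screens reported.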
Re: shim fails to load MokManager
@chassap1,
As noted in https://bugs.centos.org//view.php?id=14050 , @arrfab has built a version of shim that supposedly fixes the issue. Can you give it a try and provide feedback?
Re: shim fails to load MokManager
These packages are now in the CR repo, signed with the distro GPG key and available for anyone to test. The more people that test them, the better.
[root@centos7 ~]# yum --disablerepo=\* --enablerepo=cr list available
Loaded plugins: priorities
cr | 3.3 kB 00:00:00
cr/7/x86_64/primary_db | 3.1 kB 00:00:15
Available Packages
mokutil.x86_64 12-2.el7 cr
shim-ia32.x86_64 12-2.el7 cr
shim-unsigned-ia32.x86_64 12-2.el7 cr
shim-unsigned-x64.x86_64 12-2.el7 cr
shim-x64.x86_64 12-2.el7 cr
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: shim fails to load MokManager
I'm not sure if I should start my own thread or continue here. It's related. I have a fresh install of CentOS 7.5.1804. I run an update, it pulls in the latest shim, mokutil, etc. But when I reboot, I cannot get into my OS at all without using a recovery disk.
The error message on the screen shows:
Unable to trigger tcg2 final events table: Invalid Parameter
Something has gone seriously wrong: Invalid Parameter
Shim was unable to measure state into the TMP
I had to boot off the installation media to get to a recovery console. I had to set up networking, then remove the latest kernel, then downgrade shim and mokutil to the previous version.
I then had to work around the current bug in the old version to install my organization's MOK.
I know it does not sound like a lot of work, but it took about 3 hours to do this.
I was not using the unsigned rpm versions because I didn't know what they were at the time. Is there a chance that these unsigned versions will fix the issue? I would really not like to run an outdated kernel for long on this system. However, if the unsigned rpm versions simply allow the manager screen to display after a key has been enrolled and the system rebooted, I feel this might not fix my issue.
This appears to be a confirmed bug on Red Hat's bug tracker, but the only suggestion is to downgrade.
Thanks.
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.
Re: shim fails to load MokManager
I've seen this on a Lenovo T460p laptop provided by my employer.
The workaround which works for me is to switch TPM from Intel PTT to discrete TPM 1.2 chip in the BIOS. Downgrade is also another option but unfortunately this prevents kernel upgrade.
Re: shim fails to load MokManager
Are you saying you have two TPM chips in your laptop? In my server, I only have the one add-on TPM controller.
Re: shim fails to load MokManager
I think there is a discrete TPM 1.2 chip. Additionally, it looks like the chipset on that laptop can emulate a TPM 2.0 chip. I have no idea how it is accomplished, but I have a switch in the BIOS between the two and, as I wrote, it makes a difference.