shim fails to load MokManager
Posted: 2018/03/27 15:40:44
by chassap1
I imported a cer file using mokutil. When I rebooted with secure boot, I was expecting the MokManager (mmx64.efi) to run to finish enrolling the key. I believe there is some error message but it goes away so quickly.
As a workaround, I booted into an EFI shell and manually ran mmx64 from the command line.
It looks like this is a bug in other distributions.
Can anyone confirm it's a bug in CentOS? Is it fixed? Is there an rpm patch I can install? Thanks.
Re: shim fails to load MokManager
Posted: 2018/03/27 21:58:29
by toracat
Most likely you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
Re: shim fails to load MokManager
Posted: 2018/03/28 15:32:21
by chassap1
Thanks. I down-rev'ed the mokutil and shim. It now starts the MokManager after reboot.
I have another question. I don't seem to be able to delete an existing item. Secure boot is off. Any ideas or am I doing something wrong. I typed the following:
mokutil --list-enrolled
I have one certificate in the list.
mokutil --export
saved a file MOK-0001.der
mokutil --delete MOK-001.der
ask for password
mokutil --list-delete
displays file
reboot
MokManager starts. Go through the menus to delete.
Error Failed to retrieve MokList
click ok
Failed to delete keys
continue boot
mokutil --list-enrolled
still there.
tried
mokutil --reboot
that also fails in MokManager
Re: shim fails to load MokManager
Posted: 2018/03/28 17:07:54
by chassap1
I was able to enroll my certificate with the MokManager without any errors.
I tried to delete the original certificate. It appeared to work without any errors when there were 2 certificates, but after I rebooted, it still seemed to be there when I used:
mokutil --list-enrolled
I did a
mokutil --reset
It seemed to have deleted my certificate but not the original one.
Is there something that prevents the Red Hat certificate from being removed?
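The two posts above check with `mokutil --list-enrolled` whether a key is really gone after the MokManager round trip. As an added example (not code from the thread or from mokutil), here is a small Python check that compares the SHA1 fingerprint mokutil prints for each enrolled key against the SHA1 of a DER file; it runs on a constructed listing and a fake DER blob, and the `enrolled_keys_from_system()` helper and the sample issuer names are assumptions.

```python
# Check whether a MOK certificate (DER file) is still in the enrolled list by
# matching the SHA1 fingerprint mokutil prints against the SHA1 of the DER bytes.
import hashlib
import re
import subprocess

def fingerprint(der_bytes: bytes) -> str:
    """SHA1 of the DER-encoded certificate, colon-separated like mokutil."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_enrolled(listing: str) -> list:
    """Split `mokutil --list-enrolled` text into per-key records."""
    keys = []
    for block in re.split(r"^\[key \d+\]\n", listing, flags=re.M)[1:]:
        fp = re.search(r"SHA1 Fingerprint:\s*([0-9a-f:]+)", block, re.I)
        issuer = re.search(r"^\s*Issuer:\s*(.+)$", block, re.M)
        keys.append({"fingerprint": fp.group(1).lower() if fp else None,
                     "issuer": issuer.group(1).strip() if issuer else "?"})
    return keys

def is_enrolled(der_bytes: bytes, listing: str) -> bool:
    """True if the certificate's fingerprint appears in the listing."""
    wanted = fingerprint(der_bytes)
    return any(k["fingerprint"] == wanted for k in parse_enrolled(listing))

def enrolled_keys_from_system() -> str:
    """Read the live list (needs mokutil and root on a UEFI host)."""
    return subprocess.run(["mokutil", "--list-enrolled"],
                          capture_output=True, text=True, check=True).stdout

# Constructed stand-ins so the check runs offline: a fake DER blob and a
# listing in the shape mokutil prints (one vendor-style key plus the fake one).
FAKE_DER = b"\x30\x82\x01\x0a-constructed-not-a-real-certificate"
SAMPLE_LISTING = f"""[key 1]
SHA1 Fingerprint: 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44
Certificate:
    Data:
        Issuer: CN=Example Distro Secure Boot CA
[key 2]
SHA1 Fingerprint: {fingerprint(FAKE_DER)}
Certificate:
    Data:
        Issuer: CN=Example Org MOK
"""
if __name__ == "__main__":
    for key in parse_enrolled(SAMPLE_LISTING):
        print(key["fingerprint"], key["issuer"])
    print("still enrolled:", is_enrolled(FAKE_DER, SAMPLE_LISTING))
```

Note that shim mirrors its own built-in vendor certificate into the runtime list, so that certificate appears in `--list-enrolled` even though it is not a MOK entry MokManager can delete.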
Re: shim fails to load MokManager
Posted: 2018/08/27 17:24:51
by toracat
@chassap1,
As noted in https://bugs.centos.org//view.php?id=14050, @arrfab has built a version of shim that supposedly fixes the issue. Can you give it a try and provide feedback?
Re: shim fails to load MokManager
Posted: 2018/08/30 15:36:31
by TrevorH
These packages are now in the CR repo, signed with the distro GPG key and available for anyone to test. The more people that test them, the better.
[root@centos7 ~]# yum --disablerepo=\* --enablerepo=cr list available
Loaded plugins: priorities
cr | 3.3 kB 00:00:00
cr/7/x86_64/primary_db | 3.1 kB 00:00:15
Available Packages
mokutil.x86_64 12-2.el7 cr
shim-ia32.x86_64 12-2.el7 cr
shim-unsigned-ia32.x86_64 12-2.el7 cr
shim-unsigned-x64.x86_64 12-2.el7 cr
shim-x64.x86_64 12-2.el7 cr
Re: shim fails to load MokManager
Posted: 2018/10/15 11:41:48
by Spork Schivago
I'm not sure if I should start my own thread or continue here. It's related. I have a fresh install of CentOS 7.5.1804. I run an update, it pulls in the latest shim, mokutils, etc. But when I reboot, I cannot get into my os at all without using a recovery disk.
The error message on the screen shows:
Unable to trigger tcg2 final events table: Invalid Parameter
Something has gone seriously wrong: Invalid Parameter
Shim was unable to measure state into the TMP
I had to boot off the installation media to get to a recovery console. I had to set up networking, then remove the latest kernel, then downgrade shim and mokutil to the previous version.
I then had to work around the current bug in the old version to install my organization's MOK.
I know it does not sound like a lot of work, but it took about 3 hours to do this.
I was not using the unsigned rpm versions because I didn't know what they were at the time. Is there a chance that these unsigned versions will fix the issue? I would really not like to run an outdated kernel for long on this system. However, if the unsigned rpm versions simply allow the manager screen to display after a key has been enrolled and the system rebooted, I feel this might not fix my issue.
This appears to be a confirmed bug on Red Hat's bug tracker, but the only suggestion is to downgrade.
Thanks.
Re: shim fails to load MokManager
Posted: 2018/10/31 20:14:03
by tomkep
I've seen this on a Lenovo T460p laptop provided by my employer.
The workaround which works for me is to switch TPM from Intel PTT to discrete TPM 1.2 chip in the BIOS. Downgrade is also another option but unfortunately this prevents kernel upgrade.
Re: shim fails to load MokManager
Posted: 2018/10/31 21:10:30
by Spork Schivago
tomkep wrote (2018/10/31 20:14:03):
I've seen this on a Lenovo T460p laptop provided by my employer.
The workaround which works for me is to switch TPM from Intel PTT to discrete TPM 1.2 chip in the BIOS. Downgrade is also another option but unfortunately this prevents kernel upgrade.
Are you saying you have two TPM chips in your laptop? In my server, I only have the one add-on TPM controller.
Re: shim fails to load MokManager
Posted: 2018/11/01 23:20:02
by tomkep
I think there is a discrete TPM 1.2 chip. Additionally it looks like the chipset on that laptop can emulate a TPM 2.0 chip. I have no idea how it is accomplished but I have a switch in the BIOS between the two and as I wrote - it makes a difference.