shim fails to load MokManager

Post by chassap1 » 2018/03/27 15:40:44

I imported a cer file using mokutil. When I rebooted with secure boot, I was expecting the MokManager (mmx64.efi) to run to finish enrolling the key. I believe there is some error message, but it goes away so quickly.

As a workaround, I booted into an EFI shell and manually ran mmx64 from the command line.

It looks like this is a bug in other distributions.

Can anyone confirm it's a bug in CentOS? Is it fixed? Is there an rpm patch I can install? Thanks.

Post by toracat » 2018/03/27 21:58:29

Most likely you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.

Post by chassap1 » 2018/03/28 15:32:21

Thanks. I down-rev'ed the mokutil and shim. It now starts the MokManager after reboot.

I have another question. I don't seem to be able to delete an existing item. Secure boot is off. Any ideas, or am I doing something wrong? I typed the following:

mokutil --list-enrolled
I have one certificate in the list.
mokutil --export
Saved a file MOK-0001.der.
mokutil --delete MOK-0001.der
Asks for a password.
mokutil --list-delete
Displays the file.

Reboot.
MokManager starts. Go through the menus to delete.
Error Failed to retrieve MokList
Click OK.
Failed to delete keys
Continue boot.

mokutil --list-enrolled
Still there.

Tried
mokutil --reboot
That also fails in MokManager.

Post by chassap1 » 2018/03/28 17:07:54

I was able to enroll my certificate with the MokManager without any errors.

I tried to delete the original certificate. It appeared to work without any errors when there were 2 certificates. But after I rebooted, it still seemed to be there when I used:

mokutil --list-enrolled

I did a

mokutil --reset

It seemed to have deleted my certificate but not the original one.

Is there something that prevents the Red Hat certificate from being removed?

Post by toracat » 2018/08/27 17:24:51

@chassap1,

As noted in https://bugs.centos.org//view.php?id=14050 , @arrfab has built a version of shim that supposedly fixes the issue. Can you give it a try and provide feedback?

Post by TrevorH » 2018/08/30 15:36:31

These packages are now in the CR repo, signed with the distro GPG key and available for anyone to test. The more people that test them, the better.

[root@centos7 ~]# yum --disablerepo=\* --enablerepo=cr list available
Loaded plugins: priorities
cr                                                                                                              | 3.3 kB  00:00:00     
cr/7/x86_64/primary_db                                                                                          | 3.1 kB  00:00:15     
Available Packages
mokutil.x86_64                                                       12-2.el7                                            cr
shim-ia32.x86_64                                                     12-2.el7                                            cr
shim-unsigned-ia32.x86_64                                            12-2.el7                                            cr
shim-unsigned-x64.x86_64                                             12-2.el7                                            cr
shim-x64.x86_64                                                      12-2.el7                                            cr