shim fails to load MokManager

Support for security such as Firewalls and securing linux
TrevorH
Forum Moderator
Posts: 24052
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: shim fails to load MokManager

Post by TrevorH » 2018/11/02 09:20:51

So one TPM with a BIOS setting to change its mode and the right mode needs to be chosen.
CentOS 5 died in March 2017 - migrate NOW!
Full time Geek, part time moderator. Use the FAQ Luke

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: shim fails to load MokManager

Post by Spork Schivago » 2018/11/02 16:06:46

TrevorH wrote:
2018/11/02 09:20:51
So one TPM with a BIOS setting to change its mode and the right mode needs to be chosen.
I understand his post now. My TPM chip is 2.0 though. I can convert it to a v1.2 TPM chip. Is there something wrong with 2.0?

My TPM chip was freshly installed into the machine. The machine never had a TPM chip installed before. I also installed new hard drives at the same time, so no OS had been installed. I did a fresh install of CentOS 7 and when I rebooted, that's when it refused to boot with that error message.

Downgrading the shim package fixed my issue. To me, that sounds like it's not an issue with my TPM chip being misconfigured, but more something wrong with how the packages for CentOS are handling it...unless the older version of shim was flawed and the latest version on the repos fixed some flaw that breaks my default configuration....
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.

user65536
Posts: 2
Joined: 2018/12/07 05:18:27

Re: shim fails to load MokManager

Post by user65536 » 2018/12/07 05:54:12

Hello.

I'm reporting a similar problem; maybe it is related. The solution to your problem addressed this problem. (downgraded shim)

Hardware: Really old, Dell PowerEdge R710, has TPM, TPM is disabled in BIOS, mokutil reports secure boot is not supported. (Not a problem, just a detail that may help with diagnosis of cause), OS installed on RAID-1 LD (PERC 6/i, RAID dedicated Write-Cache, RAID-1 system volumes, RAID-5 secondary, BBU OK, 100% charge, 75% of capacity when new), this has all of the latest Firmware/BIOS updates from Dell, in Dell published ISO from November 2018.

This machine has been on CentOS 7.x through many upgrades and started with a UEFI install. Around December 3, 2018, upgraded from 7.5.1804 to 7.6.1810.

The yum upgrade/update reported no problems. I issued "sync". I rebooted it.

On reboot, an error message on boot/grub:

Failed to set MokListRT: Invalid Parameter
Something has gone seriously wrong: import_mok_state() failed
: Invalid Parameter

Error appeared on each reboot.

Used DRAC (like IPMI with a console or ILO) remote media, boot from ISO, recovery, chroot to installed system:
7.6.1810 (after upgrade + failed boot) had: shim-x64-15-1.el7.centos.x86_64 and mokutil-15-1.el7.centos.x86_64
7.5.1804 (before upgrade) had: shim-x64-12-2.el7.x86_64 mokutil-12-2.el7.x86_64

Completed download of 7.5.1804 versions of those two.

Issued an "rpm --force -U" for both.

Rebooted, and boot works with these two older packages. (I am not sure which addressed the problem.)

I have several other servers upgraded to 7.6.1810. No other servers exhibited this problem. Others also have TPM, which are disabled in BIOS, but different models.

I hope this helps with your trouble report to diagnose the cause.

TrevorH
Forum Moderator
Posts: 24052
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: shim fails to load MokManager

Post by TrevorH » 2018/12/07 07:37:57

That's also known and addressed in a testing update. You can get more details from https://bugs.centos.org//view.php?id=15522 which I believe has a link to newer unsigned packages to correct the problem.

user65536
Posts: 2
Joined: 2018/12/07 05:18:27

Re: shim fails to load MokManager

Post by user65536 » 2018/12/07 08:28:42

TrevorH wrote:
2018/12/07 07:37:57
That's also known and addressed in a testing update. You can get more details from https://bugs.centos.org//view.php?id=15522 which I believe has a link to newer unsigned packages to correct the problem.
Thanks! I am in no rush to upgrade. I can wait until the new release is out of testing.
