shim can't enable validation and enroll keys in one sitting

Bug #1708245 reported by Mathieu Trudel-Lapierre
Affects                 Status        Importance  Assigned to  Milestone
grub2 (Ubuntu)          Fix Released  Undecided   Unassigned
  Trusty                Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Zesty                 Won't Fix     Undecided   Unassigned
  Artful                Fix Released  Undecided   Unassigned
grub2-signed (Ubuntu)   Fix Released  Undecided   Unassigned
  Trusty                Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Zesty                 Won't Fix     Undecided   Unassigned
  Artful                Fix Released  Undecided   Unassigned
shim (Ubuntu)           Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Zesty                 Won't Fix     Undecided   Unassigned
  Artful                Fix Released  Undecided   Unassigned
shim-signed (Ubuntu)    Fix Released  Undecided   Unassigned
  Trusty                Fix Released  Undecided   Unassigned
  Xenial                Fix Released  Undecided   Unassigned
  Zesty                 Won't Fix     Undecided   Unassigned
  Artful                Fix Released  Undecided   Unassigned

Bug Description

[Impact]

[Test cases]
First, update shim to the newest version.

= Boot test =
1) Reboot.
2) Validate that the system boots correctly in UEFI mode.

= Key enrollment =
1) Create a new x.509 certificate to import into MOK.
2) Run 'mokutil --import cert.der'
3) Reboot
4) Execute the steps described on screen to enroll the new key.

= Toggling validation =
1) Run 'mokutil --disable-validation'
2) Reboot.
3) Follow the steps on screen to toggle validation.
4) Boot to the system, validate that validation is disabled:
$ sudo hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*

The output should read the last byte as a 1.

5) Run 'mokutil --enable-validation'
6) Reboot.
7) Follow the steps on screen to toggle validation.
8) Boot to the system, validate that validation is enabled again:
$ hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*

The file should not exist.

= Toggling validation and enrolling =
1) Disable validation, as above, and reboot into the system.
2) Create a new x.509 certificate to import into MOK.
3) Run 'mokutil --import cert.der'
4) Run 'mokutil --enable-validation'
5) Reboot.
6) Follow the steps on screen to proceed through toggling validation in shim.
Once that step is done, you should be returned to the MokManager menu to complete further steps.
7) Follow the steps on screen to enroll the new key.
Once completed, you should have the option at the bottom of the menu to Reboot.
8) Reboot into the system.
9) Validate that MOK validation is enabled and the new key is enrolled:

Run:

$ sudo hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*

The file should not exist.

Then run:
$ sudo cat /proc/keys

And make sure the key you enrolled is present.

[Regression potential]
Failure to boot or validate validly signed EFI binaries (bootloader) might be possible regressions. The shim update modifies the enrollment process for new keys, and as such it might also be possible for the enrollment of a new key to fail in MokManager, rendering the validation process unstable: it may fail to validate validly signed EFI binaries signed by keys already present in the database or that were to be enrolled.

---

We want to enable validation and enroll a new key in shim all at the same time on upgrade from previous releases.

Currently, shim will wipe out all pending variables when it's done processing one of them (because it wants to reboot immediately after that action). That means if we re-enable validation, we lose the request to enroll the key, and vice-versa.

This needs fixing as it would otherwise badly impact upgrades from zesty and earlier, where we might have walked users through disabling validation.

tags: added: id-59821aa3fa9de00c95f71670
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1

---------------
shim-signed (1.33.1) bionic; urgency=medium

  * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245)
  * Stop generating and install BOOT.CSV, shim will do that by itself now.
  * Add Vcs-* fields.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 21 Dec 2017 14:33:37 -0500

Changed in shim-signed (Ubuntu):
status: New → Fix Released
Mathieu Trudel-Lapierre (cyphermox) wrote :

I had forgotten that MokManager and fallback binaries changed their installed filenames, dropping the .signed in shim 13. grub2 and grub2-signed need a tiny update for it too; but that doesn't change the test cases.

Changed in grub2 (Ubuntu):
status: New → In Progress
Changed in grub2-signed (Ubuntu):
status: New → In Progress
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted shim-signed into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~17.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Artful):
status: New → Fix Committed
tags: added: verification-needed verification-needed-artful
Changed in grub2 (Ubuntu Artful):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2 into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta3-4ubuntu7.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2-signed (Ubuntu Artful):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.85.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed-xenial
Changed in grub2 (Ubuntu Xenial):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-36ubuntu3.16 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2-signed (Ubuntu Xenial):
status: New → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.66.16 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.89

---------------
grub2-signed (1.89) bionic; urgency=medium

  * Rebuild against grub2 2.02-2ubuntu3. (LP: #1675453)

 -- Łukasz 'sil2100' Zemczak <email address hidden> Mon, 22 Jan 2018 09:40:19 +0100

Changed in grub2-signed (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02-2ubuntu4

---------------
grub2 (2.02-2ubuntu4) bionic; urgency=medium

  * debian/patches/vt_handoff.patch: modify the existing patch to set
    vt.handoff=1 instead of vt.handoff=7 as we now start display managers on
    vt1 anyway. This also fixes issues with netboot installed server systems
    not displaying the login prompt on boot. (LP: #1675453)

 -- Łukasz 'sil2100' Zemczak <email address hidden> Thu, 18 Jan 2018 18:32:31 +0100

Changed in grub2 (Ubuntu):
status: In Progress → Fix Released
Ubuntu Foundations Team Bug Bot (crichton) wrote : [grub2/artful] possible regression found

As a part of the Stable Release Updates quality process a search for Launchpad bug reports using the version of grub2 from artful-proposed was performed and bug 1745791 was found. Please investigate this bug report to ensure that a regression will not be created by this SRU. In the event that this is not a regression remove the "verification-failed" tag from this bug report and add the tag "bot-stop-nagging" to bug 1745791 (not this bug). Thanks!

tags: added: verification-failed
Steve Langasek (vorlon)
tags: removed: verification-failed
Mathieu Trudel-Lapierre (cyphermox) wrote :

Verified grub2,grub2-signed,shim,shim-signed for both xenial and artful:

Toggling validation states, importing certificates in DB, compounded operations as well as normal booting via disk or via the network are working as intended.

(artful)
ubuntu@DESKTOP-RVN66JO:~$ dpkg -l grub-efi\* shim\* | grep ii
ii grub-efi-amd64 2.02~beta3-4ubuntu7.1 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta3-4ubuntu7.1 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.85.1+2.02~beta3-4ubuntu7.1 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
ii shim 13-0ubuntu2 amd64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.33.1~17.10.1+13-0ubuntu2 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)

(xenial)
ubuntu@DESKTOP-RVN66JO:~$ dpkg -l grub-efi\* shim\* | grep ii
ii grub-common 2.02~beta2-36ubuntu3.16 amd64 GRand Unified Bootloader (common files)
ii grub-efi-amd64 2.02~beta2-36ubuntu3.16 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-36ubuntu3.16 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.66.16+2.02~beta2-36ubuntu3.16 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
ii shim 13-0ubuntu2 amd64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.33.1~16.04.1+13-0ubuntu2 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)

tags: added: verification-done-artful verification-done-xenial
removed: verification-needed verification-needed-artful verification-needed-xenial
Mathieu Trudel-Lapierre (cyphermox) wrote :

Updated bug statuses for Zesty, as well as the statuses for the shim binary copies to all the releases which are part of this SRU.

Changed in shim (Ubuntu):
status: New → Fix Released
Changed in shim (Ubuntu Xenial):
status: New → Fix Committed
Changed in shim (Ubuntu Zesty):
status: New → Won't Fix
Changed in shim (Ubuntu Artful):
status: New → Fix Committed
Changed in grub2 (Ubuntu Zesty):
status: New → Won't Fix
Changed in grub2-signed (Ubuntu Zesty):
status: New → Won't Fix
Changed in shim-signed (Ubuntu Zesty):
status: New → Won't Fix
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for grub2 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.85.1

---------------
grub2-signed (1.85.1) artful; urgency=medium

  * Rebuild against grub2 2.02~beta3-4ubuntu7.1. (LP: #1734278, #1708245)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 13 Dec 2017 14:36:57 -0500

Changed in grub2-signed (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~17.10.1

---------------
shim-signed (1.33.1~17.10.1) artful; urgency=medium

  * Backport shim-signed 1.33.1 to 17.10. (LP: #1708245)
  * debian/control: bump the Depends on grub2-common since that's needed to
    install with the new updated EFI binaries filenames.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Jan 2018 15:49:09 -0500

Changed in shim-signed (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta3-4ubuntu7.1

---------------
grub2 (2.02~beta3-4ubuntu7.1) artful; urgency=medium

  * Cherry-pick upstream patch to change the default TSC calibration method
    to pmtimer on EFI systems (LP: #1734278)
  * util/grub-install.c: Use fallback and MokManager EFI binary names without
    the .signed extension now that shim handles signing via sbsigntool
    natively. (LP: #1708245)
    - debian/patches/grub-install-extra-removable.patch
    - debian/patches/install_signed.patch

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 17 Jan 2018 11:51:20 -0500

Changed in grub2 (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-36ubuntu3.16

---------------
grub2 (2.02~beta2-36ubuntu3.16) xenial; urgency=medium

  [ dann frazier ]
  * Use EFI_SIMPLE_TEXT_INPUT_EX to support key combinations.
    (LP: #722950)

  [ Mathieu Trudel-Lapierre ]
  * util/grub-install.c: Use MokManager EFI binary name without
    the .signed extension now that shim handles signing via sbsigntool
    natively. (LP: #1708245)
    - debian/patches/install_signed.patch
  * debian/control: Breaks shim << 13 due to the renamed MokManager binary.

 -- dann frazier <email address hidden> Wed, 10 Jan 2018 17:04:34 -0700

Changed in grub2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.66.16

---------------
grub2-signed (1.66.16) xenial; urgency=medium

  * Rebuild against grub2 2.02~beta2-36ubuntu3.16. (LP: #722950, #1708245)

 -- dann frazier <email address hidden> Thu, 11 Jan 2018 10:04:44 -0700

Changed in grub2-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~16.04.1

---------------
shim-signed (1.33.1~16.04.1) xenial; urgency=medium

  * Backport shim-signed 1.33.1 to 16.04. (LP: #1708245)
  * debian/control: Depends on newer grub2-common to install the right files
    for MokManager and fallback EFI binaries.

 -- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Jan 2018 15:51:52 -0500

Changed in shim-signed (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted grub2 into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.02~beta2-9ubuntu1.15 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in grub2 (Ubuntu Trusty):
status: New → Fix Committed
tags: added: verification-needed verification-needed-trusty
Changed in grub2-signed (Ubuntu Trusty):
status: New → Fix Committed
Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted grub2-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.34.17 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Steve Langasek (vorlon) wrote :

I noticed the addition of a new build-dependency, so I had a closer look and the shim 13 package ftbfs on trusty:

gcc -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin -Werror=sign-compare -ffreestanding -std=gnu89 -I/usr/lib/gcc/x86_64-linux-gnu/4.8/include "-DDEFAULT_LOADER=L\"\\\\grubx64.efi\"" "-DDEFAULT_LOADER_CHAR=\"\\\\grubx64.efi\"" -nostdinc -I/tmp/shim-13/Cryptlib -I/tmp/shim-13/Cryptlib/Include -I/usr/include/efi -I/usr/include/efi/x86_64 -I/usr/include/efi/protocol -I/tmp/shim-13/include -iquote /tmp/shim-13 -iquote /tmp/shim-13 -mno-mmx -mno-sse -mno-red-zone -nostdinc -maccumulate-outgoing-args -DEFI_FUNCTION_WRAPPER -DGNU_EFI_USE_MS_ABI -DNO_BUILTIN_VA_FUNCS -DMDE_CPU_X64 -DPAGE_SIZE=4096 "-DEFI_ARCH=L\"x64\"" "-DDEBUGDIR=L\"/usr/lib/debug/usr/share/shim/x64-13/\"" -DVENDOR_CERT_FILE=\"debian/canonical-uefi-ca.der\" -DENABLE_SHIM_CERT -D_FORTIFY_SOURCE=2 -c -o shim.o shim.c
In file included from shim.c:36:0:
shim.h:47:88: error: unknown type name 'va_list'
 extern EFI_STATUS VLogError(const char *file, int line, const char *func, CHAR16 *fmt, va_list args);
                                                                                        ^
make: *** [shim.o] Error 1
make: Leaving directory `/tmp/shim-13'
dh_auto_build: make -j1 MAKELEVEL=0 EFI_PATH=/usr/lib ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1 VENDOR_CERT_FILE=debian/canonical-uefi-ca.der EFIDIR=ubuntu returned exit code 2
make[1]: *** [override_dh_auto_build] Error 2

The expectation is that the package is buildable from source in each release that we publish it to, even though in practice we are unlikely to do this for any but the devel series.

Is there a missing update to gnu-efi?

Mauricio Faria de Oliveira (mfo) wrote :

@cyphermox @vorlon

The grub2 in trusty-proposed currently breaks the build of debian-installer:

- d-i build-deps shim-signed,
- shim-signed deps on _shim_ (currently 0.9ish on trusty) and grub2-common,
- grub2-common now breaks _shim_ << 13 (i.e., version above)
- shim >= 13 not available on trusty
- and the d-i build is broken.

Unfortunately this is holding the SRU of d-i in LP #1783152 (build fail on amd64).

This LP does not have Trusty tracks for shim/shim-signed, but apparently it's needed -- or a different plan, e.g., not move forward w/ grub2 in trusty-proposed, but not sure this is an option.

Do you have suggestions of ways forward? Thanks!

Mauricio Faria de Oliveira (mfo) wrote :

For now, this gnu-efi debdiff allows trusty to build shim-13 from xenial/bionic (see comment #23). Moving on to some testing.

Mauricio Faria de Oliveira (mfo) wrote :

I set up a KVM guest with Secure Boot for testing this.

The patched gnu-efi to build shim 13 successfully was built on this PPA [1].
The original shim 13 too (from shim-staging PPA [2]), it built successfully
using those changes.

Unfortunately shim-signed fails to build (for key-related reasons, likely expected),
and the version built in the shim-staging PPA for Trusty has a too newer version
for the grub2-common dependency (>= 2.02~beta2-36ubuntu12).
So I installed it with `dpkg -i --force-depends-version`.

Summary, the test used:
- shim-13 built with patched gnu-efi
- grub2 packages from trusty-proposed
- and shim-signed from shim-staging PPA.

It works. :- )

$ dpkg -s grub-efi-amd64-signed grub2-common shim shim-signed | grep -e ^Package: -e ^Version
Package: grub-efi-amd64-signed
Version: 1.34.17+2.02~beta2-9ubuntu1.15
Package: grub2-common
Version: 2.02~beta2-9ubuntu1.15
Package: shim
Version: 13-0ubuntu2
Package: shim-signed
Version: 1.33.1~14.04.1+13-0ubuntu2

$ sudo grub-install --uefi-secure-boot && sudo reboot
<...>

ubuntu@trusty-secboot:~$ dmesg | grep Secure
[ 0.000000] Secure boot enabled

ubuntu@trusty-secboot:~$ sudo fwts uefidump - | grep Secure
Name: SecureBoot.
  Value: 0x01 (Secure Boot Mode On).

[1] https://launchpad.net/~mfo/+archive/ubuntu/sf188840di
[2] https://launchpad.net/~canonical-foundations/+archive/ubuntu/shim/

Mauricio Faria de Oliveira (mfo) wrote :

Scrap that. :-)

On IRC w/ cyphermox today, he mentioned there are changes already lined up and in progress for this.

Once that hits trusty-proposed, the d-i build should work.

Steve Langasek (vorlon) wrote :

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in shim-signed (Ubuntu Trusty):
status: New → Fix Committed
Mauricio Faria de Oliveira (mfo) wrote :

Unfortunately the shim-signed in trusty-proposed failed to build:

  cmp shimx64.efi.signed build/shimx64.efi.signed
  shimx64.efi.signed build/shimx64.efi.signed differ: byte 135, line 2
  make[1]: *** [check] Error 1

Could you please take a look?

Steve Langasek (vorlon) wrote : Re: [Bug 1708245] Re: shim can't enable validation and enroll keys in one sitting

On Wed, Sep 05, 2018 at 11:40:22AM -0000, Mauricio Faria de Oliveira wrote:
> Unfortunately the shim-signed in trusty-proposed failed to build:

> cmp shimx64.efi.signed build/shimx64.efi.signed
> shimx64.efi.signed build/shimx64.efi.signed differ: byte 135, line 2
> make[1]: *** [check] Error 1

> Could you please take a look?

This was an annoying publishing problem, I accepted the shim sync but it
somehow went to rejected instead, so then shim-signed was trying to build
without the matching version of shim being available. It's built now.

Mauricio Faria de Oliveira (mfo) wrote :

Steve,

Thanks, but unfortunately the shim-signed package still has another problem.

It deps on a grub2-common version that is not available (see comment #26).

  -Depends: <...> grub2-common (>= 2.02~beta2-9ubuntu1.14), mokutil
  +Depends: <...> grub2-common (>= 2.02~beta2-36ubuntu12), mokutil

So, it fails to install:

    $ sudo apt-get install shim-signed grub2-common
    <...>
    The following packages have unmet dependencies:
     shim-signed : Depends: grub2-common (>= 2.02~beta2-36ubuntu12) but 2.02~beta2-9ubuntu1.15 is to be installed
    <...>

It seems a leftover from Xenial (which ships grub2 version 2.02~beta2-36ubuntu3.18 now) that unfortunately breaks Trusty.

Thus d-i can't yet build on trusty-proposed.

Steve Langasek (vorlon) wrote :

if it's uninstallable then it's obviously verification-failed. Setting the tag, pending reupload of shim-signed.

tags: added: verification-failed-trusty
removed: verification-needed-trusty
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Mathieu, or anyone else affected,

Accepted shim-signed into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/shim-signed/1.33.1~14.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed-trusty
removed: verification-failed-trusty
Mauricio Faria de Oliveira (mfo) wrote :

Thanks, it works now.

Now d-i can build with trusty-proposed.
And the packages can boot a VM with Secure Boot enabled.

If this is enough testing, just let me know and I can change the verification tags.

    # lsb_release -d
    Description: Ubuntu 14.04.5 LTS

    # dpkg -s grub2-common shim shim-signed | grep -e ^Package -e ^Version
    Package: grub2-common
    Version: 2.02~beta2-9ubuntu1.15
    Package: shim
    Version: 13-0ubuntu2
    Package: shim-signed
    Version: 1.33.1~14.04.2+13-0ubuntu2

    # grub-install --uefi-secure-boot && reboot
    ...

    # dmesg | grep Secure
    [ 0.000000] Secure boot enabled

    # fwts uefidump - | grep Secure
    Name: SecureBoot.
      Value: 0x01 (Secure Boot Mode On).

Mathieu Trudel-Lapierre (cyphermox) wrote :

This confirms the system boots and is in Secure Boot mode. Do you have time to run through the other test cases using mokutil?

Revision history for this message
Mauricio Faria de Oliveira (mfo) wrote :

Yes, and it all goes well in the secure-boot VM.

As this covers the testing in bug description, changing verification tags to done.

Thanks.

Procedure
=========

Generate x509 certificate:
---

# openssl genrsa -out key.pem 4096
# openssl req -new -sha256 -key key.pem -out csr.csr
# openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out cert.pem
# openssl x509 -in cert.pem -outform der -out cert.der

Key Enrollment:
---

# mokutil --import cert.der
# reboot
< MOK management menu, enroll key, reboot >
# cat /proc/keys # that key is listed

Toggling Validation (Secure Boot State)
---

1) Disable

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

# mokutil --disable-validation

# reboot
< MOK management menu, change secure boot state to disabled, reboot >

# cat /proc/keys # does not list secure-boot related keys anymore

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23

# hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-* # the last byte is 1
00000000 06 00 00 00 01 |.....|

2) Enable

# mokutil --enable-validation

# reboot
< MOK management menu, change secure boot state to enabled, reboot >

# cat /proc/keys # lists secure-boot related keys and cert.der

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

Toggling Validation and Enrolling
---

# mokutil --disable-validation

# reboot
< MOK management menu, change secure boot state to disabled, reboot >

# ... generate another x509 certificate (see above)

# mokutil --import cert.der
# mokutil --enable-validation

# reboot
< MOK management menu, enroll key, change secure boot state to enabled, reboot >

# cat /proc/keys # the new key is listed

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

tags: added: verification-done-trusty
removed: verification-needed-trusty
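The "toggling validation" checks in the procedure above are read by eye from a hexdump. The script below is an added example, not part of the bug report or of shim/mokutil, that decodes a MokSBStateRT efivar file the same way so the check can be scripted. It assumes the efivarfs layout (a 4-byte little-endian attribute word followed by the variable data), uses the GUID shown in the ls output above, and treats a single data byte of 1 as "validation disabled" and an absent variable as "validation enabled", exactly as the test case states; anything else is reported as "unknown" rather than guessed at. A sample variable file is constructed in a temporary directory so the script runs offline; on a real machine it also reads /sys/firmware/efi/efivars if that directory exists.

```shell
#!/bin/sh
# Added example (not from the bug report): decode shim's MokSBStateRT efivar.
# Assumed efivarfs layout: 4-byte little-endian attribute word, then the data.
# GUID as listed in the procedure above. Data byte 1 => validation disabled;
# variable absent => validation enabled; anything else => unknown.
set -e

MOK_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"

# Dump the bytes of file $1 as space-separated decimal values on one line.
var_bytes() {
    od -An -tu1 -v "$1" | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Print the shim validation state for the efivars directory $1:
# "enabled" (variable absent), "disabled" (data byte == 1), else "unknown".
mok_sb_state() {
    f="$1/MokSBStateRT-$MOK_GUID"
    [ -e "$f" ] || { echo enabled; return 0; }
    set -- $(var_bytes "$f")
    # Expect the attribute word plus exactly one data byte (5 bytes total).
    if [ $# -ne 5 ]; then echo unknown; return 0; fi
    # Attribute word 0x06 = BOOTSERVICE_ACCESS|RUNTIME_ACCESS, matching the
    # "06 00 00 00" shown in the hexdump above; reject anything else.
    if [ "$1" -ne 6 ] || [ "$2" -ne 0 ] || [ "$3" -ne 0 ] || [ "$4" -ne 0 ]; then
        echo unknown; return 0
    fi
    if [ "$5" -eq 1 ]; then echo disabled; else echo unknown; fi
}

# Constructed sample: write a 5-byte MokSBStateRT file into directory $1 with
# data byte $2, mirroring the hexdump in the procedure above.
write_sample_var() {
    f="$1/MokSBStateRT-$MOK_GUID"
    printf '\006\000\000\000' > "$f"
    printf "\\$(printf '%03o' "$2")" >> "$f"
}

# Stand-alone demo on constructed data, then on the live system if present.
demo=$(mktemp -d)
echo "empty dir    : $(mok_sb_state "$demo")"      # enabled
write_sample_var "$demo" 1
echo "data byte 1  : $(mok_sb_state "$demo")"      # disabled
write_sample_var "$demo" 7
echo "data byte 7  : $(mok_sb_state "$demo")"      # unknown
rm -rf "$demo"
if [ -d /sys/firmware/efi/efivars ]; then
    echo "this machine : $(mok_sb_state /sys/firmware/efi/efivars)"
fi
```

Note that mok_sb_state deliberately refuses to interpret any variable whose attribute word or length differs from what the procedure above shows; a sysfs read that returns something else (for example a firmware that exposes the variable with different attributes) should be looked at by hand rather than silently mapped to "enabled".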
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2-signed - 1.34.17

---------------
grub2-signed (1.34.17) trusty; urgency=medium

  * Rebuild against grub-efi-amd64 2.02~beta2-9ubuntu1.14 (LP: #1708245)

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 04 Jul 2018 15:41:41 -0400

Changed in grub2-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shim-signed - 1.33.1~14.04.2

---------------
shim-signed (1.33.1~14.04.2) trusty; urgency=medium

  * Depend on the correct version of grub2-common: 2.02~beta2-9ubuntu1.15.

shim-signed (1.33.1~14.04.1) trusty; urgency=medium

  * Backport shim-signed 1.33.1 to 14.04. (LP: #1708245)

shim-signed (1.33.1) bionic; urgency=medium

  * Update to the signed 13-0ubuntu2 binary from Microsoft. (LP: #1708245)
  * Stop generating and install BOOT.CSV, shim will do that by itself now.
  * Add Vcs-* fields.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 05 Sep 2018 16:00:53 -0400

Changed in shim-signed (Ubuntu Trusty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package grub2 - 2.02~beta2-9ubuntu1.15

---------------
grub2 (2.02~beta2-9ubuntu1.15) trusty; urgency=medium

  * util/grub-install.c: Use MokManager EFI binary name without
    the .signed extension now that shim handles signing via sbsigntool
    natively. (LP: #1708245)
    - debian/patches/install_signed.patch
  * debian/control: Breaks shim << 13 due to the renamed MokManager binary.

 -- Mathieu Trudel-Lapierre <email address hidden> Wed, 04 Jul 2018 15:28:17 -0400

Changed in grub2 (Ubuntu Trusty):
status: Fix Committed → Fix Released
Steve Langasek (vorlon)
Changed in shim (Ubuntu Artful):
status: Fix Committed → Fix Released
Changed in shim (Ubuntu Xenial):
status: Fix Committed → Fix Released