Public bug reported:
In both eoan and bionic I have had cases where I add a new dkms package
and dkms triggers update-secureboot-policy to try and enroll a key for
me. When it does this I reboot and nothing is prompted and the key is
not enrolled.
Tracking this through, update-secureboot-policy is calling mokutil as
below:
enroll_mok()
{
[...]
echo "Adding '$SB_KEY' to shim:"
printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true
}
If I try this at the command line this is reported as invalid, despite
listing both options as valid:
# printf "%s\n%s\n" '12345678' '12345678' | mokutil --timeout 1 --import MOK.der
Usage:
mokutil OPTIONS [ARGS...]
Options:
[...]
--import <der file...> Import keys
[...]
--timeout <-1,0..0x7fff> Set the timeout for MOK prompt
[...]
Dropping --timeout allows the command to complete:
# printf "%s\n%s\n" '12345678' '12345678' | mokutil --import MOK.der
input password:
input password again:
And on reboot I am prompted and the key is enrolled.
** Affects: mokutil (Ubuntu)
Importance: Undecided
Status: New
** Affects: shim-signed (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1883906
Title:
update-secureboot-policy: fails to trigger mok loading
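
The enroll_mok excerpt in the report sends mokutil's output to /dev/null and ends in "|| true", so a rejected command line looks the same as a successful import. The following is an added example, not code from update-secureboot-policy or from the reporter: a wrapper that keeps the exit status and output and then checks for a pending request with mokutil --list-new. The names MOKUTIL and import_mok, the return codes, and the "is empty" text match are assumptions.

```shell
#!/bin/sh
# Added example. MOKUTIL, import_mok and the return codes are assumptions,
# not part of update-secureboot-policy.
MOKUTIL="${MOKUTIL:-mokutil}"   # overridable so the logic can be tested

# import_mok DER_FILE PASSWORD
#   0  import accepted and an enrollment request is pending
#   1  mokutil exited non-zero or printed its usage text
#   2  mokutil reported success but no pending request is listed
import_mok() {
    der=$1
    pw=$2

    # Capture output and exit status instead of ">/dev/null || true".
    out=$(printf '%s\n%s\n' "$pw" "$pw" | "$MOKUTIL" --import "$der" 2>&1) \
        && rc=0 || rc=$?

    # The report shows mokutil answering with "Usage:" when it rejects the
    # command line, so treat that text as a failure as well.
    if [ "$rc" -ne 0 ] || printf '%s\n' "$out" | grep -q '^Usage:'; then
        echo "mokutil --import '$der' was rejected (exit $rc):" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi

    # Confirm that a request is queued for the next boot.
    # Assumption: an empty queue yields no output or a line containing "is empty".
    pending=$("$MOKUTIL" --list-new 2>/dev/null) || pending=
    case "$pending" in
        ''|*'is empty'*)
            echo "no pending MOK enrollment after import of '$der'" >&2
            return 2 ;;
    esac
    return 0
}
```

On a real system the call (for example import_mok MOK.der "$key") needs root, and a non-zero return is the point at which a calling script can report that no prompt will appear on reboot.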