MOK key enrollment in shim doesn't work when using Ventoy #280

Open
miczyg1 opened this issue Dec 5, 2022 · 4 comments

@miczyg1
Contributor

miczyg1 commented Dec 5, 2022

Dasharo version
Any

Dasharo variant
Any

Affected component(s) or functionality
UEFI Secure Boot, shim

Brief summary
When using Ventoy with Secure Boot enabled, the MOK key enrollment doesn't work; the platform hangs.

How reproducible
100%

How to reproduce

Steps to reproduce the behavior:

  1. Download and install Ventoy onto a USB stick https://www.ventoy.net/en/doc_start.html with Secure Boot enabled (selected in the Options panel)
  2. Plug the stick into the MSI machine and boot it.
  3. Wait for the `Verification failed: (0x1A) Security Violation` screen and press Enter (OK).
  4. Choose enroll key

Expected behavior
After selecting Enroll key from disk, the next window should pop up with possible disks to search for the keys.

Actual behavior
The platform hangs when choosing to enroll key from disk.

Screenshots
none

Additional context
none

Solutions you've tried
none

@miczyg1
Contributor Author

miczyg1 commented Dec 16, 2023

Found bugs in Shim's/MOKManager's filesystem browser, which resulted in hangs of the shim when trying to enroll from a disk.

Fix: rhboot/shim#622

@desowin

desowin commented Feb 20, 2024

I have observed exactly the same issue on PRO Z790-P WIFI (MS-7E06) running Dasharo (coreboot+UEFI) v0.9.1 with WD Red SN700 2000GB installed in the M2_2 slot. The disk is GPT partitioned and the first partition is a 1GiB large EFI System partition.

In my case the steps to reproduce were:

  1. Put shimx64.efi (from e.g. https://aur.archlinux.org/packages/shim-signed) alongside MOK-signed (or even unsigned) grubx64.efi
  2. Enable Secure Boot
  3. Boot shimx64.efi
  4. "Perform MOK management" blue screen pops up with options "Continue boot", "Enroll key from disk", "Enroll hash from disk"
  5. Select "Enroll key from disk" (or "Enroll hash from disk")
  6. Menu freezes, only physical reset helps

A working workaround is to enroll the key in userspace, so there is no need to browse disks in shim MOK manager:

  1. Disable Secure Boot
  2. Boot Linux
  3. Enroll MOK key with userspace mokutil (choose some arbitrary password for later use)
  4. Reboot
  5. Enable Secure Boot
  6. Actually enroll the key from step 3 by entering the password provided in step 3
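
Step 3 of the workaround above as a shell sketch. This is an added example, not part of the original comment; the function names and the certificate path are assumptions. It checks that the certificate is DER-encoded, which `mokutil --import` requires, before queuing it.

```shell
#!/bin/sh
# Added example: queue a MOK from userspace (workaround step 3).
# Function names and the certificate path are assumptions.

# Map the text printed by `mokutil --sb-state` to a single word.
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Classify a certificate file by its first bytes: PEM starts with
# "-----BEGIN", DER starts with an ASN.1 SEQUENCE tag (0x30).
cert_encoding() {
    hex=$(head -c 10 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$hex" in
        2d2d2d2d2d424547494e) echo pem ;;
        30*)                  echo der ;;
        *)                    echo unknown ;;
    esac
}

enroll_mok() {
    cert=$1
    command -v mokutil >/dev/null || { echo "mokutil not installed" >&2; return 1; }
    if [ "$(cert_encoding "$cert")" != der ]; then
        echo "not DER; convert with:" >&2
        echo "  openssl x509 -in $cert -outform DER -out MOK.der" >&2
        return 1
    fi
    echo "Secure Boot state: $(sb_state "$(mokutil --sb-state 2>&1)")"
    # Prompts for the one-time password that MokManager asks for in step 6.
    mokutil --import "$cert" || return 1
    # Show what is queued for enrollment on the next boot.
    mokutil --list-new
    echo "Next: reboot, enable Secure Boot, confirm in MokManager with the password."
}

# Acts only when asked explicitly: sh enroll-mok.sh enroll /path/to/MOK.der
if [ "${1:-}" = enroll ]; then
    enroll_mok "${2:?certificate path required}"
fi
```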

@wessel-novacustom

> Found bugs in Shim's/MOKManager's filesystem browser, which resulted in hangs of the shim when trying to enroll from a disk.
>
> Fix: rhboot/shim#622

@miczyg1 It looks like you have implemented a fix. If so, and if the issue no longer occurs, please consider closing the issue.

@miczyg1
Contributor Author

miczyg1 commented Apr 16, 2024

Unless the PR with a fix is merged, the issue is relevant.
