Bug 1263992

Summary: mokutil fails to write MokAuth, MokPW
Product: [Fedora] Fedora
Reporter: Oleg Fayans <ofayans>
Component: mokutil
Assignee: Peter Jones <pjones>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 22
CC: amarecek, arvidjaar, gggump, knutjbj, mangirdas, pjones, przedniczek, toddsmb
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
: 1357994
Last Closed: 2016-07-19 17:55:13 UTC
Type: Bug

Description Oleg Fayans 2015-09-17 09:30:29 UTC
Description of problem:

mokutil fails to update or clear password, fails to reset. No related avc denials and nothing in the logs.

Version-Release number of selected component (if applicable):

# cat /etc/redhat-release 
Fedora release 22 (Twenty Two)

# uname -r
4.0.8-300.fc22.x86_64

# rpm -q mokutil
mokutil-0.2.0-1.fc22.x86_64


How reproducible:
Always

Steps to Reproduce:
# mokutil  --password
input password: 
input password again: 
Failed to write MokPW

# mokutil --reset
input password: 
input password again: 
Failed to write MokAuth
Failed to issue a reset request

Actual results:


Expected results:


Additional info:

Comment 1 Adam Przedniczek 2015-11-08 18:27:44 UTC
I've just installed Fedora 23 with UEFI support on Asus X99 Deluxe motherboard (BIOS v. 1901) and I have the same problems with mokutil.
I want to enroll my public X.509 DER key into MOK list, according to 23.7.4.3. subsection in
https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-enrolling-public-key-on-target-system.html
I cannot: set password, clear password, import with root password, import with password given on the fly (I know that's foolish).

# mokutil --password
input password: 
input password again: 
Failed to write MokPW

# mokutil --clear-password
Failed to write MokPW

# mokutil --root-pw --password
Failed to write MokPW

# mokutil --import public_key.der        // Here, I'm naively using root password
input password: 
input password again: 
Failed to enroll new keys

# mokutil --root-pw --import public_key.der 
Failed to enroll new keys

At the beginning, I thought that this mokutil behaviour is the result of the SELINUX policy zeal, but I haven't found any traces of AVC denials.
Maybe that's not a true bug, but I'm using something incorrectly?

# uname -r
4.2.5-300.fc23.x86_64

# rpm -q mokutil
mokutil-0.2.0-3.fc23.x86_64

Comment 2 Adam Przedniczek 2015-11-16 22:39:08 UTC
I have just found a workaround to my problem with mokutil.

I added my public key to system_keyring via UEFI BIOS option.
Why did it take so long? Because of the BIOS's strange behaviour.
UEFI BIOS > Advanced Mode > Boot > Secure Boot > Key Management > Append Default db
After pressing 'Append Default db' press 'No' (according to the description included),
choose a DER file and you should see dialog box asking to select key type:
List with two entries:
1. Key Certificate blob (highlighted in yellow)
2. Uefi Secure Variable
and of course two buttons: OK and Cancel.

MOST INTERESTING PART:
Pressing OK with highlighted right option makes a delusion that the key will be stored,
but ONLY HITTING WITH A MOUSE THE FIRST LIST ENTRY 'Key Certificate blob' saves the key.
Why? I have no idea, but it works in this manner.

I wonder if (at least my) problem with mokutil could be caused by inappropriate BIOS software.

Comment 3 Knut J BJuland 2016-02-05 08:34:03 UTC
I have the same problem. I am using an Asus X99-A/USB 3.1 with Vendor: American Megatrends Inc. Version: 2001

Comment 4 Knut J BJuland 2016-02-05 08:54:06 UTC
This affects Fedora f23 as well.

Comment 5 Gayland G. Gump 2016-05-15 16:24:34 UTC
Real world example: Trying to install Oracle's VirtualBox 5.0 which comes with unsigned kernel modules from Oracle's repository. Since mok-utils is not working it is not possible to register a personally created key. Consequence is that system must be run with Secure Boot mode turned off in order to use VirtualBox. This is all part of an effort to support a non-profit organization. Hope this helps to bump the bug higher up the priority queue.

Running this on a Dell XPS 8500 - uname -r 4.4.9-300.fc23.x86_64

Comment 6 Mangirdas 2016-06-10 11:47:35 UTC
Same with Lenovo T460s with Fedora 4.5.6-200.fc23.x86_64

Any progress on this?

Comment 7 todd 2016-06-11 01:57:42 UTC
I'm having the same situation with mokutil not working. This affects Fedora 23.

Pretty much any mokutil command used results in errors. When I try to import a key so I can sign and use VirtualBox modules I get the following.
Failed to write MokAuth
Failed to unset MokNew

Then when I reboot the import fails.


Lenovo E460
Fedora 23


If there is anything I can do to help please just ask.

Comment 8 Fedora End Of Life 2016-07-19 17:55:13 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 9 Gayland G. Gump 2016-07-19 18:59:34 UTC
Note the final four comments on this bug all reference Fedora 23, so clearly EOL on Fedora 22 is not a sufficient reason to kill this bug; it still exists in 23.

Comment 10 Knut J BJuland 2016-07-21 20:04:19 UTC
Please update it to f24

Comment 11 todd 2016-07-26 16:05:33 UTC
I am using Fedora 24 and I still have the same issue as with Fedora 23.
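
A pre-flight check for the "Failed to write MokPW / MokAuth" errors reported in this thread, as an added example that is not part of the bug report or of mokutil: it reports whether efivarfs is mounted writable and which MOK request variables are already pending. The function names and the sample mount line are constructed for illustration, and the script does not identify the cause of this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): pre-flight checks for MOK variable writes.

# Constructed sample line in /proc/mounts format: efivarfs mounted read-only.
SAMPLE_RO='efivarfs /sys/firmware/efi/efivars efivarfs ro,nosuid,nodev,noexec,relatime 0 0'

# Print rw, ro or missing for the efivarfs entry in a mounts table.
# $1: mounts file (default /proc/mounts; "-" reads stdin).
efivarfs_state() {
    awk '$3 == "efivarfs" {
             state = "rw"
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++) if (opts[i] == "ro") state = "ro"
             print state; found = 1; exit
         }
         END { if (!found) print "missing" }' "${1:-/proc/mounts}"
}

# Print the names of MOK request variables present in an efivars directory.
# mokutil creates them; shim's MokManager processes them on the next boot.
# $1: directory (default /sys/firmware/efi/efivars).
pending_mok_requests() {
    dir="${1:-/sys/firmware/efi/efivars}"
    for name in MokNew MokAuth MokPW MokDel MokDelAuth; do
        for f in "$dir/$name"-*; do
            [ -e "$f" ] && { echo "$name"; break; }
        done
    done
    return 0
}

# One verdict line per check. $1: mounts file, $2: efivars directory.
mok_write_triage() {
    case "$(efivarfs_state "$1")" in
        missing) echo "efivarfs: not mounted (legacy BIOS boot, or filesystem not mounted)" ;;
        ro)      echo "efivarfs: read-only, variable writes are refused" ;;
        rw)      echo "efivarfs: writable, a failed write as root was rejected by the kernel or firmware" ;;
    esac
    pending=$(pending_mok_requests "$2" | paste -s -d ' ' -)
    echo "pending MOK requests: ${pending:-none}"
}

# Demo on the constructed sample, then on the running system.
printf '%s\n' "$SAMPLE_RO" | mok_write_triage - /nonexistent
mok_write_triage
```

Attaching this output together with `mokutil --sb-state` to a report separates a mount or boot-mode problem from a write that the firmware itself rejects.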