Bug 1263992 - mokutil fails to write MokAuth, MokPW
Summary: mokutil fails to write MokAuth, MokPW
Alias: None
Product: Fedora
Classification: Fedora
Component: mokutil
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2015-09-17 09:30 UTC by Oleg Fayans
Modified: 2016-12-01 00:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1357994
Last Closed: 2016-07-19 17:55:13 UTC
Type: Bug

Description Oleg Fayans 2015-09-17 09:30:29 UTC
Description of problem:

mokutil fails to update or clear password, fails to reset. No related avc denials and nothing in the logs.

Version-Release number of selected component (if applicable):

# cat /etc/redhat-release 
Fedora release 22 (Twenty Two)

# uname -r

# rpm -q mokutil

How reproducible:

Steps to Reproduce:
# mokutil  --password
input password: 
input password again: 
Failed to write MokPW

# mokutil --reset
input password: 
input password again: 
Failed to write MokAuth
Failed to issue a reset request

Actual results:

Expected results:

Additional info:

Comment 1 Adam Przedniczek 2015-11-08 18:27:44 UTC
I've just installed Fedora 23 with UEFI support on an Asus X99 Deluxe motherboard (BIOS v. 1901) and I have the same problems with mokutil.
I want to enroll my public X.509 DER key into the MOK list, according to subsection in
I cannot: set password, clear password, import with root password, import with password given on the fly (I know that's foolish).

# mokutil --password
input password: 
input password again: 
Failed to write MokPW

# mokutil --clear-password
Failed to write MokPW

# mokutil --root-pw --password
Failed to write MokPW

# mokutil --import public_key.der        // Here, I'm naively using root password
input password: 
input password again: 
Failed to enroll new keys

# mokutil --root-pw --import public_key.der 
Failed to enroll new keys

At the beginning, I thought that this mokutil behaviour was the result of the SELINUX policy zeal, but I haven't found any traces of AVC denials.
Maybe that's not a true bug, but I'm using something incorrectly?

# uname -r

# rpm -q mokutil

Comment 2 Adam Przedniczek 2015-11-16 22:39:08 UTC
I have just found a workaround to my problem with mokutil.

I added my public key to system_keyring via UEFI BIOS option.
Why did it take so long? Because of the BIOS's strange behaviour.
UEFI BIOS > Advanced Mode > Boot > Secure Boot > Key Management > Append Default db
After pressing 'Append Default db' press 'No' (according to the description included),
choose a DER file and you should see a dialog box asking to select key type:
List with two entries:
1. Key Certificate blob (highlighted in yellow)
2. Uefi Secure Variable
and of course two buttons: OK and Cancel.

Pressing OK with the right option highlighted gives the illusion that the key will be stored,
but ONLY HITTING WITH A MOUSE THE FIRST LIST ENTRY 'Key Certificate blob' saves the key.
Why? I have no idea, but it works in this manner.

I wonder if (at least my) problem with mokutil could be caused by inappropriate BIOS software.

Comment 3 Knut J BJuland 2016-02-05 08:34:03 UTC
I have the same problem. I am using an Asus X99-A/USB 3.1 with Vendor: American Megatrends Inc. Version: 2001

Comment 4 Knut J BJuland 2016-02-05 08:54:06 UTC
This affects Fedora f23 as well.

Comment 5 Gayland G. Gump 2016-05-15 16:24:34 UTC
Real world example: Trying to install Oracle's VirtualBox 5.0, which comes with unsigned kernel modules from Oracle's repository. Since mok-utils is not working it is not possible to register a personally created key. The consequence is that the system must be run with Secure Boot mode turned off in order to use VirtualBox. This is all part of an effort to support a non-profit organization. Hope this helps to bump the bug higher up the priority queue.

Running this on a Dell XPS 8500 - uname -r 4.4.9-300.fc23.x86_64

Comment 6 Mangirdas 2016-06-10 11:47:35 UTC
Same with Lenovo T460s with Fedora 4.5.6-200.fc23.x86_64

Any progress on this?

Comment 7 todd 2016-06-11 01:57:42 UTC
I'm having the same situation with mokutil not working. This affects Fedora 23.

Pretty much any mokutil command used results in errors. When I try to import a key so I can sign and use VirtualBox modules I get the following.
Failed to write MokAuth
Failed to unset MokNew

Then when I reboot the import fails.

Lenovo E460
Fedora 23

If there is anything I can do to help please just ask.

Comment 8 Fedora End Of Life 2016-07-19 17:55:13 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 9 Gayland G. Gump 2016-07-19 18:59:34 UTC
Note the final four comments on this bug all reference Fedora 23, so clearly EOL on Fedora 22 is not a sufficient reason to kill this bug; it still exists in 23.

Comment 10 Knut J BJuland 2016-07-21 20:04:19 UTC
Please update it to f24

Comment 11 todd 2016-07-26 16:05:33 UTC
I am using Fedora 24 and I still have the same issue as with Fedora 23.
