Bug 1263992 - mokutil fails to write MokAuth, MokPW
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: mokutil
Version: 22
Hardware/OS: Unspecified / Unspecified
Priority/Severity: unspecified / unspecified
Assigned To: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-09-17 05:30 EDT by Oleg Fayans
Modified: 2016-11-30 19:28 EST
Fixed In Version:
Doc Type: Bug Fix
Clone Of:
: 1357994 (view as bug list)
Last Closed: 2016-07-19 13:55:13 EDT
Type: Bug
Attachments: None
Description Oleg Fayans 2015-09-17 05:30:29 EDT
Description of problem:

mokutil fails to update or clear the password, and fails to reset. No related AVC denials and nothing in the logs.

Version-Release number of selected component (if applicable):

# cat /etc/redhat-release 
Fedora release 22 (Twenty Two)

# uname -r
4.0.8-300.fc22.x86_64

# rpm -q mokutil
mokutil-0.2.0-1.fc22.x86_64


How reproducible:
Always

Steps to Reproduce:
# mokutil  --password
input password: 
input password again: 
Failed to write MokPW

# mokutil --reset
input password: 
input password again: 
Failed to write MokAuth
Failed to issue a reset request

Actual results:


Expected results:


Additional info:
Comment 1 Adam Przedniczek 2015-11-08 13:27:44 EST
I've just installed Fedora 23 with UEFI support on Asus X99 Deluxe motherboard (BIOS v. 1901) and I have the same problems with mokutil.
I want to enroll my public X.509 DER key into the MOK list, according to subsection 23.7.4.3 in
https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-enrolling-public-key-on-target-system.html
I cannot: set password, clear password, import with root password, import with a password given on the fly (I know that's foolish).

# mokutil --password
input password: 
input password again: 
Failed to write MokPW

# mokutil --clear-password
Failed to write MokPW

# mokutil --root-pw --password
Failed to write MokPW

# mokutil --import public_key.der        // Here, I'm naively using the root password
input password: 
input password again: 
Failed to enroll new keys

# mokutil --root-pw --import public_key.der 
Failed to enroll new keys

At the beginning, I thought that this mokutil behaviour was the result of the SELinux policy's zeal, but I haven't found any traces of AVC denials.
Maybe that's not a true bug, but I'm using something incorrectly?

# uname -r
4.2.5-300.fc23.x86_64

# rpm -q mokutil
mokutil-0.2.0-3.fc23.x86_64
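The reports above all end at the same two messages, "Failed to write MokPW" and "Failed to write MokAuth", with nothing in the logs. mokutil reaches the firmware through efivarfs, where every UEFI variable is a file named NAME-GUID whose first four bytes are the variable's attribute flags (little-endian) followed by the variable data, so the state of the Mok* variables is visible without mokutil. The script below is an added diagnostic example, not part of the bug report and not mokutil's own code: it decodes the attribute header of each MOK variable shim and mokutil share, reports which requests are present, and flags the efivarfs immutable bit. It assumes shim's MOK variable GUID (605dab50-e046-4300-abb6-3dd810dd8b23), the variable names MokList, MokListRT, MokNew, MokAuth, MokPW and MokSBState, and that `EFIVARS` can be pointed at any directory mimicking the efivarfs layout (which is how it can be exercised on a machine without UEFI).

```shell
#!/bin/sh
# Added diagnostic example; not from the bug report and not mokutil's code.
# efivarfs layout: each variable is a file NAME-GUID; bytes 0-3 are the
# attribute flags (little-endian u32), the remainder is the variable data.
# Assumptions: shim's MOK GUID below; EFIVARS may point at a directory that
# imitates efivarfs (used for offline testing).

EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
SHIM_GUID=605dab50-e046-4300-abb6-3dd810dd8b23

# Decode the 4-byte attribute field of an efivarfs file into flag names,
# e.g. "NON_VOLATILE BOOTSERVICE_ACCESS RUNTIME_ACCESS".
mok_var_attrs() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    [ "$(wc -c < "$f")" -ge 4 ] || { echo "truncated"; return 1; }
    # Read the four header bytes as unsigned decimals and assemble them
    # little-endian, independent of the host's byte order.
    set -- $(od -An -t u1 -N 4 "$f")
    bits=$(( $1 | ($2 << 8) | ($3 << 16) | ($4 << 24) ))
    out=""
    [ $((bits & 1)) -ne 0 ] && out="$out NON_VOLATILE"
    [ $((bits & 2)) -ne 0 ] && out="$out BOOTSERVICE_ACCESS"
    [ $((bits & 4)) -ne 0 ] && out="$out RUNTIME_ACCESS"
    echo "${out# }"
}

# Size of the variable data: file size minus the 4-byte attribute header.
mok_var_size() {
    echo $(( $(wc -c < "$1") - 4 ))
}

# Whether efivarfs has marked the file immutable (shown as 'i' by lsattr).
# Newer kernels set this by default and a writer has to clear it first;
# "unknown" when lsattr is not available or the filesystem has no attrs.
mok_var_immutable() {
    command -v lsattr >/dev/null 2>&1 || { echo "unknown"; return 0; }
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1)
    case $flags in
        '')  echo "unknown" ;;
        *i*) echo "yes" ;;
        *)   echo "no" ;;
    esac
}

# Walk the MOK variables and report what is present. MokNew, MokAuth and
# MokPW are requests mokutil writes for shim to consume at the next boot;
# MokList is the enrolled key list and MokListRT its runtime-readable copy.
mok_check() {
    dir=${1:-$EFIVARS}
    if ! [ -d "$dir" ]; then
        echo "efivarfs not available at $dir (not booted via UEFI, or not mounted)"
        return 0
    fi
    for name in MokList MokListRT MokNew MokAuth MokPW MokSBState; do
        f="$dir/$name-$SHIM_GUID"
        if [ -e "$f" ]; then
            attrs=$(mok_var_attrs "$f") || true
            printf '%-10s present  %5s bytes  immutable: %-7s attrs: %s\n' \
                "$name" "$(mok_var_size "$f")" "$(mok_var_immutable "$f")" "$attrs"
        else
            printf '%-10s absent\n' "$name"
        fi
    done
}

# Report against the live system when the script is run directly.
mok_check "$EFIVARS"
```

Run it as root on the affected machine before and after a `mokutil --password` or `mokutil --import` attempt and again after the reboot. If MokPW or MokAuth never appears after the command, the write itself was rejected and the fault is between mokutil, efivarfs and the firmware's SetVariable; if the request files appear but are still there after the reboot, shim never consumed them. An "immutable: yes" on the request files points at the efivarfs immutable flag rather than at the firmware, which needs a mokutil recent enough to clear it before writing.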
Comment 2 Adam Przedniczek 2015-11-16 17:39:08 EST
I have just found a workaround to my problem with mokutil.

I added my public key to system_keyring via a UEFI BIOS option.
Why did it take so long? Because of the BIOS's strange behaviour.
UEFI BIOS > Advanced Mode > Boot > Secure Boot > Key Management > Append Default db
After pressing 'Append Default db' press 'No' (according to the description included),
choose a DER file and you should see dialog box asking to select key type:
A list with two entries:
1. Key Certificate blob (highlighted in yellow)
2. UEFI Secure Variable
and of course two buttons: OK and Cancel.

MOST INTERESTING PART:
Pressing OK with the right option highlighted gives the illusion that the key will be stored,
but ONLY CLICKING THE FIRST LIST ENTRY 'Key Certificate blob' WITH THE MOUSE saves the key.
Why? I have no idea, but it works in this manner.

I wonder if (at least my) problem with mokutil could be caused by inappropriate BIOS software.
Comment 3 Knut J BJuland 2016-02-05 03:34:03 EST
I have the same problem. I am using an Asus X99-A/USB 3.1 with Vendor: American Megatrends Inc. Version: 2001
Comment 4 Knut J BJuland 2016-02-05 03:54:06 EST
This affects Fedora 23 as well.
Comment 5 Gayland G. Gump 2016-05-15 12:24:34 EDT
Real-world example: trying to install Oracle's VirtualBox 5.0, which comes with unsigned kernel modules from Oracle's repository. Since mokutil is not working it is not possible to register a personally created key. The consequence is that the system must be run with Secure Boot turned off in order to use VirtualBox. This is all part of an effort to support a non-profit organization. Hope this helps to bump the bug higher up the priority queue.

Running this on a Dell XPS 8500 - uname -r 4.4.9-300.fc23.x86_64
Comment 6 Mangirdas 2016-06-10 07:47:35 EDT
Same with Lenovo T460s with fedora 4.5.6-200.fc23.x86_64

Any progress on this?
Comment 7 todd 2016-06-10 21:57:42 EDT
I'm having the same situation with mokutil not working. This affects Fedora 23.

pretty much any mokutil command used results in errors. When I try to import a key so I can sign and use Virtualbox modules I get the following.
Failed to write MokAuth
Failed to unset MokNew

then when I reboot the import fails.


Lenovo E460
Fedora 23


If there is anything I can do to help please just ask.
Comment 8 Fedora End Of Life 2016-07-19 13:55:13 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 9 Gayland G. Gump 2016-07-19 14:59:34 EDT
Note the final four comments on this bug all reference Fedora 23, so clearly EOL on Fedora 22 is not a sufficient reason to kill this bug; it still exists in 23.
Comment 10 Knut J BJuland 2016-07-21 16:04:19 EDT
Please update it to F24.
Comment 11 todd 2016-07-26 12:05:33 EDT
I am using fedora 24 and i still have the same issue as with fedora 23.
