5

To preface: I'm not looking to disable secure boot as I have a second hard drive with Windows 10 installed. The two OSes exist on two separate drives and are isolated from each other during runtime. Windows Boot Manager and GRUB exist on their own respective drives and are completely unaware of each other.

The relevant system configuration is:

  • OS: Ubuntu 17.04 - Kernel: 4.10.0-32-generic
  • Motherboard: Asrock Taichi X99
  • GPU: GTX 1080

So, I've been trying to use mokutil to enroll my own certificate so I can use it to load signed Nvidia drivers, but I've run into troubles with getting the whole procedure to work.

So the steps I took were:

  1. Enable secure boot support in Ubuntu.
  2. Create an x509 certificate with openssl.
  3. Ran mokutil --enable-validation and entered a password.
  4. Used mokutil --import to add the newly created certificate to the secure boot keys list.
  5. Used the signing script under the efi directory to sign kernel modules using the private key and certificate pair I created.
  6. Rebooted the system.
  7. Selected the boot entry with shimx64.efi
  8. Pressed key to enter mok management
  9. Got stuck on this screen:

MOK Management proceed screen on boot

Zanna
Perse95
  • When you say you "got stuck," what happens when you press a key? Is the keypress ignored and the countdown continues? Does the system hang? Does the system reboot? Do you see an error message? Something else? – Rod Smith Aug 28 '17 at 16:49
  • 1
    @RodSmith The countdown stops, effectively MOK Management opens, there just isn't any output to the display of the interface. Based on the screenshots of what should be there, pressing enter once continues boot. I managed to enroll a key by pressing keys and entering the password according to screenshots, but there is no visual display of anything. – Perse95 Aug 28 '17 at 17:09
  • This sounds like an EFI video driver problem. You mention an Nvidia GPU. Is this on a plug-in card, or built into the motherboard? If the former, you might try unplugging the card, just to enroll the key. If the latter, you could poke around in the firmware settings for relevant video options, and you might want to report it as a bug to the motherboard manufacturer. – Rod Smith Aug 29 '17 at 13:16
  • 1
    It's a plug-in card, but I have no integrated graphics nor another card that would also work to see if it's a motherboard or video card driver issue. I think I will report it tho, it seems like a very annoying bug. – Perse95 Aug 29 '17 at 13:19
  • Ah, I see. Be sure that the card provides EFI firmware, then. It could be that the card was designed for BIOS-based computers and is relying on the computer's CSM (BIOS compatibility layer), which might be flaking out a bit, particularly when you're trying to do something related to Secure Boot. Some manufacturers provide video card firmware updates to enable EFI compatibility, so you might look for that, too. – Rod Smith Aug 29 '17 at 13:34
  • It should as it is an EVGA card that is, from my research, uefi compliant. It might also be a fluke with the whole system composition, just the right combination of parts to mess things up. I'll see if Asrock support has anything to say, maybe they've encountered this before. – Perse95 Aug 29 '17 at 13:41
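
A check related to step 5 of the question (signing the kernel modules), as an added example that is not part of the original post or of any tool named in it: a signed `.ko` ends with a signature trailer, and this Python code parses that trailer so you can confirm a module was signed before rebooting. The layout follows the kernel's appended module-signature format; the function names and the sample bytes are constructed for illustration.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # trailer marker the kernel looks for
PKEY_ID_PKCS7 = 2                           # id_type written by scripts/sign-file
HDR = struct.Struct(">BBBBB3xI")            # struct module_signature, 12 bytes


def parse_module_signature(blob: bytes):
    """Return details of the signature appended to a .ko image, or None.

    Layout at end of file: [ELF][signature][module_signature][MAGIC].
    """
    if not blob.endswith(MAGIC):
        return None                          # unsigned module
    end = len(blob) - len(MAGIC)
    if end < HDR.size:
        raise ValueError("truncated signature trailer")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = HDR.unpack(
        blob[end - HDR.size:end])
    sig_start = end - HDR.size - sig_len
    if sig_len == 0 or sig_start < 0:
        raise ValueError("sig_len does not fit inside the file")
    return {
        # For PKCS#7 signatures every other header field must be zero.
        "pkcs7": (id_type == PKEY_ID_PKCS7
                  and algo == hash_ == signer_len == key_id_len == 0),
        "sig_len": sig_len,
        "signature": blob[sig_start:end - HDR.size],
        "payload_len": sig_start,            # size of the ELF image that was signed
    }


def make_constructed_module(elf: bytes, sig: bytes) -> bytes:
    """Build a CONSTRUCTED sample: fake ELF bytes plus a fake signature."""
    return elf + sig + HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                    # path to an uncompressed .ko file
        with open(sys.argv[1], "rb") as fh:
            info = parse_module_signature(fh.read())
    else:                                    # constructed sample, not a real module
        info = parse_module_signature(make_constructed_module(
            b"\x7fELF" + b"\0" * 60, b"\x30\x82" + b"S" * 30))
    print("unsigned" if info is None else
          f"signed: pkcs7={info['pkcs7']} sig_len={info['sig_len']}")
```

A present trailer only shows that the module carries a signature; whether it verifies against a key the kernel trusts, such as the enrolled MOK, is decided when the module is loaded.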

4 Answers

6

I have the same issue on a Taichi X370 motherboard and 1050Ti GPU with the MOK management menus not being visible. I tried enrolling a key in a vm just to see how the menu layout looked.

Press down once and Enter for Enroll

Press down once and Enter for Continue

Press down once and Enter for Yes

Type in password and Enter to accept

Press Enter to Reboot

With the above I could blindly enroll a new key in MOK management.

Zanna
Mart
  • I ran into exactly the same problem. Same main board but an RTX 2080 GPU. Your answer here is a life saver. However I kept on hitting into the following issue: my password was getting rejected. I kept on seeing `Invalid character` in the middle of a black screen. After a bit of research I found several forum posts of people speculating that the MOK management password cannot be longer than 4 characters, and must not contain digits. So I simply set it to `pass`. Retried again, and finally I got my key enrolled – tiguchi Jan 18 '20 at 21:28
1

A message for those who tried to do this blindly from the screenshots, but got an "Invalid character" error on a black screen.

I got the same problem on Ubuntu 22.04. I have the same problem that the screen freezes and does not show the menu. I decided to go in blind. I found another version of UEFI, which can be seen from the screenshots at the link - https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS. The point is that it has a different menu algorithm. And instead of a password, it asks for the position of the letter in the password (the reason for the "Invalid character" error on screen). So my steps were:

  1. Set a password for mokutil --enable-validation with the same characters, for example "aaaaaaaa"
  2. Reboot
  3. On "press any button" screen just press any button
  4. Press arrow down, then enter.
  5. Press "a", then enter. Repeat it three times. At this screen it wants you to guess the letter at a certain position in the password three times. So we repeat "a" and "Enter" three times.
  6. Press arrow down, then enter
  7. Press enter. You should see the PC reboot.

After these steps everything worked for me.

0

Another option is to copy the platform key from /var/lib/shim-signed/mok/MOK.der to a USB stick directly after installing the driver (via Ubuntu/Drivers) in secure boot mode. Or, when installing the driver (via Downloaded .run file) from command line, pass the option "--module-signing-public-key" to get a platform key and copy that to USB.

sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

Then reboot, enter the BIOS, enter secure boot management and add your key file from the USB stick as an "allowed signature".

Bim
0

I had the same issue on an Asrock B450M-HDV motherboard using the integrated video card on Ubuntu 20.04.

I could enroll a key blindly with the pictures provided above, but upgrading the BIOS (UEFI firmware actually) to v4.40 solved it, and now I can see the menu!

Maybe it gives a hint to someone...

  • If you have a new question, please ask it by clicking the [Ask Question](https://askubuntu.com/questions/ask) button. Include a link to this question if it helps provide context. - [From Review](/review/late-answers/1198711) – David Jan 12 '22 at 06:27
  • That's fine, but now I'm confused a bit. I don't have a question as I've found the solution (for my case). I decided to put a new answer, as the accepted answer is more like a workaround (which is great actually), but not a real solution. I still like to share this information, what would be the correct way for that? – Sandor Semsey Jan 13 '22 at 11:04