shim fails to load MokManager

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

shim fails to load MokManager

Post by chassap1 » 2018/03/27 15:40:44

I imported a cer file using mokutil. When I rebooted with secure boot, I was expecting the MokManager (mmx64.efi) to run to finish enrolling the key. I believe there is some error message but it goes away so quickly.

As a workaround, I booted into an EFI shell and manually ran mmx64 from the command line.

It looks like this is a bug in other distributions.

Can anyone confirm it's a bug in CentOS? Is it fixed? Is there an rpm patch I can install? Thanks.

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: shim fails to load MokManager

Post by toracat » 2018/03/27 21:58:29

Most likely you were hit by CentOS bug #14050. Hopefully this will be taken care of with the next point release 7.5.
CentOS Forum FAQ

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: shim fails to load MokManager

Post by chassap1 » 2018/03/28 15:32:21

Thanks. I down-rev'ed the mokutil and shim. It now starts the MokManager after reboot.

I have another question. I don't seem to be able to delete an existing item. Secure boot is off. Any ideas, or am I doing something wrong? I typed the following:

mokutil --list-enrolled
I have one certificate in the list.
mokutil --export
saved a file MOK-0001.der
mokutil --delete MOK-001.der
Asks for password.
mokutil --list-delete
Displays the file.

reboot
MokManager starts. Go through the menus to delete.
Error: Failed to retrieve MokList
Click OK.
Failed to delete keys
Continue boot.

mokutil --list-enrolled
Still there.

Tried
mokutil --reboot
That also fails in MokManager.

chassap1
Posts: 24
Joined: 2017/10/24 14:23:59

Re: shim fails to load MokManager

Post by chassap1 » 2018/03/28 17:07:54

I was able to enroll my certificate with the MokManager without any errors.

I tried to delete the original certificate. It appeared to work without any errors when there were 2 certificates, but after I rebooted, it still seemed to be there when I used:

mokutil --list-enrolled

I did a

mokutil --reset

It seemed to have deleted my certificate but not the original one.

Is there something that prevents the Red Hat certificate from being removed?
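An added example (not from this thread or from the mokutil project) that models the state the two posts above are checking: a certificate shown by `mokutil --list-enrolled` stays in MokList until the request queued under `--list-delete` is applied by MokManager at the next boot, so listing it right after `--delete` is expected. It assumes mokutil's `[key N]` / `SHA1 Fingerprint:` listing format and uses constructed byte strings in place of real .der files.

```python
import hashlib
import re
from typing import List

# "[key N]" / "SHA1 Fingerprint: ..." lines as mokutil prints them per certificate
# (assumed format, based on mokutil's --list-enrolled / --list-delete output).
KEY_RE = re.compile(r"^\[key \d+\]$")
FP_RE = re.compile(r"^SHA1 Fingerprint: ([0-9a-f:]{59})$", re.IGNORECASE)

def der_fingerprint(der: bytes) -> str:
    """SHA1 of the DER bytes, colon-separated as openssl and mokutil print it."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_mokutil_list(text: str) -> List[str]:
    """Return the fingerprints listed in mokutil --list-enrolled/--list-delete output."""
    fingerprints, in_key = [], False
    for line in text.splitlines():
        if KEY_RE.match(line):
            in_key = True
            continue
        match = FP_RE.match(line) if in_key else None
        if match:
            fingerprints.append(match.group(1).lower())
            in_key = False  # rest of the block is the certificate dump
    return fingerprints

def deletion_status(der: bytes, enrolled_out: str, delete_out: str) -> str:
    """'enrolled', 'queued-for-delete' (removed only at next boot), or 'not-enrolled'."""
    fp = der_fingerprint(der)
    if fp not in parse_mokutil_list(enrolled_out):
        return "not-enrolled"
    return "queued-for-delete" if fp in parse_mokutil_list(delete_out) else "enrolled"

def fake_listing(*ders: bytes) -> str:
    """Constructed mokutil-style listing for the given DER blobs (sample data)."""
    return "".join(
        f"[key {i}]\nSHA1 Fingerprint: {der_fingerprint(d)}\nCertificate:\n    Data:\n"
        for i, d in enumerate(ders, 1)
    )

# Constructed stand-ins for the two DER files in the thread; only their hash matters.
VENDOR_DER = b"constructed vendor certificate bytes"
ORG_DER = b"constructed organization certificate bytes"
ENROLLED_OUT = fake_listing(VENDOR_DER, ORG_DER)  # what --list-enrolled would show
DELETE_OUT = fake_listing(ORG_DER)                # what --list-delete would show
```

On a real system, feed the output of the two mokutil commands and the bytes of the exported .der file to `deletion_status` to distinguish "still listed because the deletion is only queued" from "deletion never took effect".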

toracat
Site Admin
Posts: 7518
Joined: 2006/09/03 16:37:24
Location: California, US

Re: shim fails to load MokManager

Post by toracat » 2018/08/27 17:24:51

@chassap1,

As noted in https://bugs.centos.org//view.php?id=14050, @arrfab has built a version of shim that supposedly fixes the issue. Can you give it a try and provide feedback?
CentOS Forum FAQ

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: shim fails to load MokManager

Post by TrevorH » 2018/08/30 15:36:31

These packages are now in the CR repo, signed with the distro GPG key and available for anyone to test. The more people that test them, the better.

Code:

[root@centos7 ~]# yum --disablerepo=\* --enablerepo=cr list available
Loaded plugins: priorities
cr                                                                                                              | 3.3 kB  00:00:00     
cr/7/x86_64/primary_db                                                                                          | 3.1 kB  00:00:15     
Available Packages
mokutil.x86_64                                                       12-2.el7                                            cr
shim-ia32.x86_64                                                     12-2.el7                                            cr
shim-unsigned-ia32.x86_64                                            12-2.el7                                            cr
shim-unsigned-x64.x86_64                                             12-2.el7                                            cr
shim-x64.x86_64                                                      12-2.el7                                            cr
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: shim fails to load MokManager

Post by Spork Schivago » 2018/10/15 11:41:48

I'm not sure if I should start my own thread or continue here. It's related. I have a fresh install of CentOS 7.5.1804. I run an update, it pulls in the latest shim, mokutils, etc. But when I reboot, I cannot get into my os at all without using a recovery disk.

The error message on the screen shows:

Code:

Unable to trigger tcg2 final events table: Invalid Parameter
Something has gone seriously wrong: Invalid Parameter
Shim was unable to measure state into the TMP
I had to boot off the installation media to get to a recovery console. I had to set up networking, then remove the latest kernel, then downgrade shim and mokutil to the previous version.

I then had to work around the current bug in the old version to install my organization's MOK.

I know it does not sound like a lot of work, but it took about 3 hours to do this.

I was not using the unsigned rpm versions because I didn't know what they were at the time. Is there a chance that these unsigned versions will fix the issue? I would really not like to run an outdated kernel for long on this system. However, if the unsigned rpm versions simply allow the manager screen to display after a key has been enrolled and the system rebooted, I feel this might not fix my issue.

This appears to be a confirmed bug on Red Hat's bug tracker, but the only suggestion is to downgrade.

Thanks.
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.

tomkep
Posts: 38
Joined: 2018/04/25 13:30:50

Re: shim fails to load MokManager

Post by tomkep » 2018/10/31 20:14:03

I've seen this on a Lenovo T460p laptop provided by my employer.

The workaround which works for me is to switch the TPM from Intel PTT to the discrete TPM 1.2 chip in the BIOS. Downgrading is also an option, but unfortunately this prevents kernel upgrades.

Spork Schivago
Posts: 37
Joined: 2017/08/14 04:21:54

Re: shim fails to load MokManager

Post by Spork Schivago » 2018/10/31 21:10:30

tomkep wrote:
2018/10/31 20:14:03
I've seen this on a Lenovo T460p laptop provided by my employer.

The workaround which works for me is to switch the TPM from Intel PTT to the discrete TPM 1.2 chip in the BIOS. Downgrading is also an option, but unfortunately this prevents kernel upgrades.
Are you saying you have two TPM chips in your laptop? In my server, I only have the one add-on TPM controller.
-- Niklaus Wirth's Law: software is getting slower more rapidly than hardware becomes faster.

tomkep
Posts: 38
Joined: 2018/04/25 13:30:50

Re: shim fails to load MokManager

Post by tomkep » 2018/11/01 23:20:02

I think there is a discrete TPM 1.2 chip. Additionally, it looks like the chipset on that laptop can emulate a TPM 2.0 chip. I have no idea how it is accomplished, but I have a switch in the BIOS between the two and, as I wrote, it makes a difference.
