How To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones?
AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.
A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).
I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.
-rw------- 1 root root 1.1K Jun 13 2018 /root/keyfiles/MOK.der
-rw------- 1 root root 1.4K Jun 13 2018 /root/keyfiles/MOK.priv.gpg
-rw-r--r-- 1 root root 910 Aug 13 2018 /var/lib/shim-signed/mok/MOK.der
-rw------- 1 root root 1.7K Aug 13 2018 /var/lib/shim-signed/mok/MOK.priv
The MOK files I know I have are the first pair. The 2nd pair was news to me.
MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but
a) I am not comfortable touching a file in /var/lib/shim-signed/ and
b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)
To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)
-rw-r--r-- 1 root root 854 Apr 7 18:34 /var/lib/sb/MOK.2
-rw-r--r-- 1 root root 1.8K Apr 7 18:49 /var/lib/sb/MOK.secdata
-rw-r--r-- 1 root root 0 Apr 7 18:34 /var/lib/sb/MOK.seclock
-rw-r--r-- 1 root root 228 Apr 7 18:34 /var/lib/sb/MOK.secmeta
I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?
Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on whether the BIOS stores multiple MOK keys or just one and what causes a new MOK key to be created when you already have a working one.
18.04 kernel secure-boot dkms
asked 13 mins ago by Gaia