Perform MOK management after Ubuntu install: documentation?

Asked by Philip Vetter

I installed Kubuntu 2204 (beta 03-31) to share a disk with Windows (and potentially other linux distributions).
Chose options Install third party drivers and set a password (for Secure Boot?).

On first boot after install (choosing "ubuntu") I am presented a screen
"Perform MOK management:
    Continue boot
    Enroll MOK
    Enroll key from disk
    Enroll hash from disk"

This is Dell BIOS.

Q1. What do I do at this screen?
Q2. Is this documented anywhere?
Q3. After no response from me it auto-restarted several times and now skips MOK management going directly to a GRUB menu.
What do I need to do if I do NOT get the MOK management screen?

Thank you for your help!

Question information

Language: English
Status: Solved
For: Ubuntu
Assignee: No assignee
Solved by: Manfred Hampl
Philip Vetter (pvetter) said :
#1

Q4. How do I get the third party drivers installed properly if the MOK management screen no longer appears after boot?

Manfred Hampl (m-hampl) said :
#2

The MOK management screen at boot appears only once after doing a change in the running system.
If you do not enroll the MOK key at the next boot, the key is discarded and you have to re-do the action from the beginning.

Documentation: https://wiki.ubuntu.com/UEFI/SecureBoot

Philip Vetter (pvetter) said :
#3

Thank you Manfred!

Q5: Is there an alternative to reinstalling the system? Would it mean removing and re-adding packages with apt?

Q6: How do I identify which drivers might require enrolling a key?

Manfred Hampl (m-hampl) said :
#4

for Q5:
The steps are somewhat independent.
With the mokutil command you can register a key that will be offered for enrolling at the next reboot. No new installation or re-adding packages necessary.
Signing the modules is separate. Either done with kmodsign, eventually fully automated.

For Q6: If you have secureboot with signature verification enabled, all kernel modules to be loaded must be signed with a trusted key.
The modules delivered with the Ubuntu kernel are already signed, for everything else you have to manage signing yourself (with a MOK key that you have to register in your system).

Philip Vetter (pvetter) said (last edit ):
#5

Thank you;
does "modules delivered with the Ubuntu kernel" include all the drivers and firmware that the Ubuntu/Kubuntu install .iso will download when the "third party firmware" option is selected?

For example: nvidia drivers? touchpad? wifi? fingerprint reader?

Manfred Hampl (m-hampl) said :
#6

Sorry, I do not know these details.

Manfred Hampl (m-hampl) said :
#7

"... third party firmware ..."

Firmware is not loaded as kernel module, so it need not be signed.

Philip Vetter (pvetter) said :
#8

The output of these two commands is different:

mokutil -l
openssl x509 -inform DER -in /var/lib/shim-signed/mok/MOK.der -noout -text

and more decisively:
# mokutil -t /var/lib/shim-signed/mok/MOK.der
/var/lib/shim-signed/mok/MOK.der is not enrolled

So perhaps I could use mokutil to enroll /var/lib/shim-signed/mok/MOK.der ?

I have read man mokutil and it is not obvious to me how to do it. Any idea?

Best Manfred Hampl (m-hampl) said :
#9
Philip Vetter (pvetter) said :
#10

Thank you Manfred! Content there states:

"Enrolling your key

$ sudo mokutil --import MOK.der # prompts for one-time password
$ sudo mokutil --list-new # recheck your key will be prompted on next boot

<rebooting machine then enters MOK manager EFI utility: enroll MOK, continue, confirm, enter password, reboot>

$ sudo dmesg | grep cert # verify your key is loaded"

This works!

Philip Vetter (pvetter) said :
#11

SUMMARY OF QUESTIONS AND ANSWERS:

Q1. What do I do at this "Perform MOK management" screen?
When rebooting machine enters MOK manager EFI utility: enroll MOK, continue, confirm, enter

Q2. Is this documented anywhere?
https://wiki.debian.org/SecureBoot#Enrolling_your_key
https://wiki.ubuntu.com/UEFI/SecureBoot

Q3. After no response from me it auto-restarted several times and now skips MOK management going directly to a GRUB menu.
What do I need to do if I do NOT get the MOK management screen?

sudo mokutil -t /var/lib/shim-signed/mok/MOK.der # (Optional)
sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
sudo mokutil -t /var/lib/shim-signed/mok/MOK.der # (Optional)
Then reboot and see answer to Q1.

Q4-6 are irrelevant now, I hope.
Thanks to Manfred Hampl !
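
A pre-reboot check for the procedure summarised above (and for Q6, which modules need a MOK-signed build), added here as an example; it is not code from the thread, from Ubuntu or from the shim-signed package. It classifies the output of mokutil --sb-state and mokutil -t and lists loaded modules that modinfo reports as unsigned. It assumes the mokutil wordings "SecureBoot enabled/disabled" and "is already enrolled" (only "is not enrolled" is quoted in the thread) and that modinfo -F signer prints nothing for an unsigned module.

```shell
#!/bin/sh
# Added example (not from the thread): pre-reboot MOK / Secure Boot check.
# Assumes the MOK path quoted in the thread and the mokutil output strings
# "SecureBoot enabled|disabled" and "... is (not|already) enrolled".

MOK=/var/lib/shim-signed/mok/MOK.der

# Classify the output of `mokutil --sb-state`.
sb_state() {
    case "$1" in
        *"SecureBoot enabled"*)  echo enabled ;;
        *"SecureBoot disabled"*) echo disabled ;;
        *)                       echo unknown ;;
    esac
}

# Classify the output of `mokutil -t MOK.der` ("is not enrolled" is quoted
# in the thread; "is already enrolled" is the assumed positive wording).
mok_state() {
    case "$1" in
        *"is not enrolled"*)     echo not-enrolled ;;
        *"is already enrolled"*) echo enrolled ;;
        *)                       echo unknown ;;
    esac
}

# Read "module<TAB>signer" lines on stdin and print the names of modules
# whose signer field is empty, i.e. modules that carry no signature.
unsigned_modules() {
    awk -F'\t' '$2 == "" { print $1 }'
}

# Produce "module<TAB>signer" lines for every currently loaded module.
loaded_module_signers() {
    cut -d' ' -f1 /proc/modules | while read -r mod; do
        printf '%s\t%s\n' "$mod" "$(modinfo -F signer "$mod" 2>/dev/null)"
    done
}

# Only query the live system when the tools exist (i.e. on the Ubuntu box).
if command -v mokutil >/dev/null 2>&1 && [ -r /proc/modules ]; then
    echo "Secure Boot: $(sb_state "$(mokutil --sb-state 2>&1)")"
    echo "MOK $MOK: $(mok_state "$(mokutil -t "$MOK" 2>&1)")"
    echo "Loaded modules without a signature (would need MOK signing):"
    loaded_module_signers | unsigned_modules | sed 's/^/  /'
fi
```

If the MOK shows as not-enrolled while unsigned modules are listed, run the mokutil --import step above before rebooting; modules in that list will be refused by the kernel until they are signed with the enrolled key.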

Philip Vetter (pvetter) said :
#12

Thanks Manfred Hampl, that solved my question.