I enrolled the KEK and Signature via BIOS settings but still get the same error message (comment #31).
But I can install the test image on another x86 machine, and FDE is enabled successfully.
Here are the steps:
1. Remove key enrolled by mokutil
2. Re-flash uc20 test image
3. Enroll KEK and Signature via BIOS settings:
[Boot Maintenance Manager Menu][Secure Boot Configuration Menu][Secure Boot Mode][Custom Mode][Custom Secure Boot Option]
[KEK Option][Enroll KEK] => PkKek-1-snakeoil.der[1]
[DB Option][Enroll Signature] => PkKek-1-snakeoil.der
4. Clear TPM
[Intel Advanced Menu][TPM Configuration][TCG2 Configuration][TPM2 Operation]
Another x86 machine has a different BIOS, so it has different steps to clear the TPM and enroll the key.
1. Flash uc20 test image
2. Enroll KEK and Signature via BIOS settings:
[Security][Secure Boot][Key Management]
[Key Exchange Keys][Append] => PkKek-1-snakeoil.der
[Authorized Signatures][Append] => PkKek-1-snakeoil.der
3. Clear TPM
$ sudo -s
$ echo 5 > /sys/class/tpm/tpm0/ppi/request
---
[1] PkKek-1-snakeoil
https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/20/snakeoil/PkKek-1-snakeoil.key
https://raw.githubusercontent.com/snapcore/pc-amd64-gadget/20/snakeoil/PkKek-1-snakeoil.pem
# Convert PkKek-1-snakeoil.pem to PkKek-1-snakeoil.der
$ openssl x509 -in PkKek-1-snakeoil.pem -inform PEM -outform DER -out PkKek-1-snakeoil.der
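
Added example, not part of the original comment: one way to confirm from the running system that the certificate enrolled through the BIOS menus actually landed in KEK and db is to parse the EFI signature lists that Linux exposes under efivarfs and look for the DER file byte for byte. The function names and the `build_siglist` test helper are assumptions of this sketch; the GUIDs are the standard UEFI ones.

```python
import struct
import uuid

# Standard UEFI GUIDs (UEFI specification); efivarfs paths as exposed by Linux.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = {
    "KEK": "/sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
    "db": "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
}

def x509_entries(data: bytes):
    """Yield the DER bytes of each X.509 entry in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size < 16 or end > len(data):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        # Each entry is a 16-byte SignatureOwner GUID followed by the signature data.
        for pos in range(off + 28 + hdr_size, end - sig_size + 1, sig_size):
            if sig_type == EFI_CERT_X509_GUID:
                yield data[pos + 16:pos + sig_size]
        off = end

def is_enrolled(var_data: bytes, cert_der: bytes) -> bool:
    """True if cert_der appears byte for byte as an X.509 entry in the variable."""
    return any(entry == cert_der for entry in x509_entries(var_data))

def build_siglist(sig_type: uuid.UUID, payloads, owner=uuid.UUID(int=0)) -> bytes:
    """Build a constructed EFI_SIGNATURE_LIST for offline testing (equal-size payloads)."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body

if __name__ == "__main__":
    with open("PkKek-1-snakeoil.der", "rb") as f:
        cert = f.read()
    for name, path in EFIVARS.items():
        with open(path, "rb") as f:
            var = f.read()[4:]  # efivarfs prefixes the value with 4 attribute bytes
        print(f"{name}: {'enrolled' if is_enrolled(var, cert) else 'NOT enrolled'}")
```

Run on the target machine after enrolling, it reports per variable whether PkKek-1-snakeoil.der is present.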