"Failed to set variable: (2) Invalid Parameter" when enrolling MOK

Bug #1600452 reported by Austin Dempewolff
This bug affects 9 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mokutil (Ubuntu) | Confirmed | Medium | Unassigned | |
| Xenial | Confirmed | Medium | Unassigned | |

Bug Description

## Testing Environment:
Lenovo Thinkpad P50, fresh install of Ubuntu 16.04

$ apt-cache policy mokutil
mokutil:
  Installed: 0.3.0-0ubuntu3
  Candidate: 0.3.0-0ubuntu3
  Version table:
 *** 0.3.0-0ubuntu3 500
        500 http://cn.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

$ apt-cache policy shim
shim:
  Installed: 0.8-0ubuntu2
  Candidate: 0.8-0ubuntu2
  Version table:
 *** 0.8-0ubuntu2 500
        500 http://cn.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status

## Steps to reproduce:
(1) do not disable SecureBoot as suggested during the install.

(2) install virtualbox-5.0 from the virtualbox ppa (deb http://download.virtualbox.org/virtualbox/debian xenial contrib)

(3) Follow instructions here to manually sign the vboxdrv kernel module (https://askubuntu.com/questions/760671/could-not-load-vboxdrv-after-upgrade-to-ubuntu-16-04-and-i-want-to-keep-secur/768310#768310)

$ openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"

$ sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)

$ sudo mokutil --import MOK.der

(enter password)

(4) reboot, click "enroll mok", "continue", "yes", enter password, (screenshots here: https://sourceware.org/systemtap/wiki/SecureBoot)

## Expected behavior:

New MOK will be enrolled and I will be asked to reboot (several users from the original askubuntu answer indicated that these exact steps worked for them).

## Actual behaviour:

"Error: Failed to set variable: (2) Invalid Parameter"

## Troubleshooting steps taken:
- tried different passwords, and was able to eliminate that being the cause.
- found relevant lines of code producing the error: lines 919-931 in https://github.com/rhinstaller/shim/blob/master/MokManager.c

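/# C code
    /* Excerpt: the closing brace after this call ends a block opened before the quoted lines. */
    efi_status = uefi_call_wrapper(RT->SetVariable, 5, db_name,
                                   &shim_lock_guid,
                                   EFI_VARIABLE_NON_VOLATILE
                                   | EFI_VARIABLE_BOOTSERVICE_ACCESS
                                   | EFI_VARIABLE_APPEND_WRITE,
                                   MokNewSize, MokNew);
  }

  if (efi_status != EFI_SUCCESS) {
    /* This call produces the "Failed to set variable" message seen on screen. */
    console_error(L"Failed to set variable", efi_status);
    return efi_status;
  }
C Code #/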
- unable to find where uefi_call_wrapper() is defined

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: mokutil 0.3.0-0ubuntu3
ProcVersionSignature: Ubuntu 4.4.0-28.47-generic 4.4.13
Uname: Linux 4.4.0-28-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Sat Jul 9 18:56:59 2016
InstallationDate: Installed on 2016-07-08 (0 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: mokutil
UpgradeStatus: No upgrade log present (probably fresh install)

Austin Dempewolff (adempewolff) wrote :

Filed an issue at shim's GitHub page here: https://github.com/rhinstaller/shim/issues/55

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mokutil (Ubuntu):
status: New → Confirmed
Chris J Arges (arges) wrote :

Here's the pull request:
https://github.com/rhinstaller/shim/pull/60

Once this is merged we can then backport this into Yakkety/Xenial or any other affected versions.

Changed in mokutil (Ubuntu Xenial):
status: New → Confirmed
Changed in mokutil (Ubuntu):
importance: Undecided → Medium
Changed in mokutil (Ubuntu Xenial):
importance: Undecided → Medium
Chris J Arges (arges) wrote :

Attached a patch containing the unmerged patches. Not sure if we want to wait until they are merged to fix this, but this currently prevents me from being able to enroll keys on my machine.

tags: added: patch
Chris J Arges (arges) wrote :

cyphermox mentioned he will be merging from master for yakkety. This should fix the issue then.

Larry McCarthy (abject) wrote :

This problem still exists in my apt-get-upgrad'ed copy of yakkety and plagues me on my Lenovo E560 with up-to-date (from Lenovo's point of view) firmware.

Is there a step-by-step for the workaround (patching, building and replacing MokManager.efi's)? It seems to me that even when the fixed MokManager gets into the repos, people will still need to go back and update any UEFIs they've deployed, to be able to turn Secure Boot back on, right?

Thanks,

Mathieu Trudel-Lapierre (cyphermox) wrote :

We're waiting for a new shim update to be signed by Microsoft. We'll close the bug when this is solved.

If you're just running mokutil and getting an "Invalid parameter", make sure you reboot anyway and see if the changes happened anyway -- there are cases where the process works even if an error is listed.
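
One way to carry out the check suggested in the comment above (reboot, then see whether the key landed despite the error), as an added example that is not part of the original bug report or of mokutil: compare the certificate's SHA-1 fingerprint against the enrolled and pending MOK listings. The function names and sample fingerprints are constructed for illustration, and the script assumes `mokutil --list-enrolled` and `mokutil --list-new` print each certificate's SHA-1 fingerprint as colon-separated hex on a line containing "Fingerprint".

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether a MOK certificate
# is enrolled, pending enrollment, or absent, by SHA-1 fingerprint.

# Read text on stdin; print each SHA-1 fingerprint (20 colon-separated hex
# bytes on a line mentioning "Fingerprint"), lower-cased, one per line.
fingerprints() {
    grep -i 'fingerprint' |
        grep -Eio '([0-9a-f]{2}:){19}[0-9a-f]{2}' |
        tr 'A-F' 'a-f'
}

# mok_state CERT_FP_TEXT ENROLLED_LISTING PENDING_LISTING
# Prints one of: enrolled, pending, absent, invalid.
mok_state() {
    fp=$(printf '%s\n' "$1" | fingerprints | head -n 1)
    if [ -z "$fp" ]; then
        echo invalid
    elif printf '%s\n' "$2" | fingerprints | grep -qxF "$fp"; then
        echo enrolled
    elif printf '%s\n' "$3" | fingerprints | grep -qxF "$fp"; then
        echo pending
    else
        echo absent
    fi
}

# Constructed sample data (not real keys), in the assumed output formats.
SAMPLE_CERT='SHA1 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:00:11:22:33'
SAMPLE_LISTING='[key 1]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc
[key 2]
SHA1 Fingerprint: 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:00:11:22:33'
SAMPLE_OTHER='[key 1]
SHA1 Fingerprint: ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:ff:ee:dd:cc'

# Real use: sh check-mok.sh MOK.der  (needs openssl and mokutil).
if [ -n "${1:-}" ] && command -v mokutil >/dev/null 2>&1; then
    cert_fp=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha1)
    mok_state "$cert_fp" "$(mokutil --list-enrolled 2>/dev/null)" \
        "$(mokutil --list-new 2>/dev/null)"
fi
```

A result of `pending` after `mokutil --import` means the request is queued for MokManager at the next boot; `absent` after the reboot means the enrollment did not take effect.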
