Can't remove enrolled keys and change SecureBoot state
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
mokutil (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
I have UEFI Secure Boot enabled and when I boot to the linux I don't see message 'You are booting in insecure mode' or something like that, but when I am in OS and i check for shim secure boot state i got this.
$ mokuitil --sb-state
SecureBoot disabled
when I want to enable I got error in MokManager that secure boot state is not empty or something like that. Which I think means that I have enabled shim secure boot state but with above command it's wrong output. From there i can --disable-
With hexdump first line finishes with 0 which means that shims secure boot state is disabled. If it's 1 it would be enabled. This is i think the problem with output, probably.
$ hexdump /sys/firmware/
0000000 0006 0000 0000
0000005
Problem 2!
with dmesg I see that i have enrolled trusted key
Loaded UEFI:MokListRT cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f
and with $mokutil --list-enrolled i see that key. but when i want to delete it in MokManager I got again error 0xEd or something similar. I tried manually to delete through --export and through mokutil --reset. Nothing worked. I don't know whether i can even delete this key and what is it. But I want to delete all keys signed by me.
I want to delete this key because when i import trusted keys from UEFI motherboard there is the same key with the same ID. but it's from db list.
Thanks for help.
Thanks.
Strange, I have mokutil --sb-state
SecureBoot enabled
But my kernel secure boot is disabled and the GRUB boot displays "Booting in insecure mode"