update-secureboot-policy: fails to trigger mok loading
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| mokutil (Ubuntu) | Invalid | Undecided | Unassigned | |
| shim-signed (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
In both eoan and bionic I have had cases where I add a new dkms package and dkms triggers update-
Tracking this through update-
enroll_mok()
{
[...]
echo "Adding '$SB_KEY' to shim:"
printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true
}
If I try this at the command line this is reported as invalid, despite listing both options as valid:
# printf "%s\n%s\n" '12345678' '12345678' | mokutil --timeout 1 --import MOK.der
Usage:
mokutil OPTIONS [ARGS...]
Options:
[...]
--import <der file...> Import keys
[...]
--timeout <-1,0..0x7fff> Set the timeout for MOK prompt
[...]
Dropping --timeout allows the command to complete:
# printf "%s\n%s\n" '12345678' '12345678' | mokutil --import MOK.der
input password:
input password again:
And on reboot I am prompted and the key is enrolled.
Changed in mokutil (Ubuntu):
status: New → Invalid
Oh, and this is simply because --timeout and --import are essentially mutually exclusive. When you specify both, the command is IMPORT|TIMEOUT and so is not recognised.
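The behaviour described in this report, as an added example that is not part of the bug thread or of the shim-signed script: the two mokutil operations are issued as separate commands, and each exit status is checked instead of being discarded with `>/dev/null || true`. The function name `enroll_mok_checked` and the `MOKUTIL` override are hypothetical, and the sketch assumes mokutil exits non-zero when it rejects a command line.

```shell
#!/bin/sh
# Added example, not the shim-signed code. MOKUTIL is an assumed override
# so the function can be exercised against a stub instead of the real tool.
MOKUTIL="${MOKUTIL:-mokutil}"

# enroll_mok_checked DER_FILE PASSWORD
# Returns 0 only when both the timeout change and the import were accepted.
enroll_mok_checked()
{
    sb_key="$1"
    password="$2"

    if [ ! -r "$sb_key" ]; then
        echo "enroll_mok: cannot read key '$sb_key'" >&2
        return 2
    fi

    # --timeout as its own command; -1 is inside the range the usage
    # text on this page lists (<-1,0..0x7fff>).
    if ! "$MOKUTIL" --timeout -1; then
        echo "enroll_mok: mokutil --timeout was rejected" >&2
        return 3
    fi

    # --import as its own command, password supplied twice on stdin as in
    # the original function. Output stays visible and there is no
    # '|| true', so a usage error cannot pass for a queued enrolment.
    if ! printf '%s\n%s\n' "$password" "$password" |
            "$MOKUTIL" --import "$sb_key"; then
        echo "enroll_mok: mokutil --import was rejected" >&2
        return 4
    fi

    echo "Queued '$sb_key' for enrolment at next boot"
    return 0
}
```

A caller such as a dkms hook can act on the return code, so a key that was never queued shows up as a failed step rather than as a missing MOK prompt at the next reboot.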