Re: Running mokutil during installation process

On Thursday, 13.01.2022 at 01:19 +0100, Daniel Leidert wrote:
> I'm creating the /root/mok.der key (in Sid dkms changed to /root/dkms.der) and
> try to register it with mokutil during a custom installation. I tried the
> preseed/late_command and I also tried a script with simple-cdd. But in all
> cases I get on UEFI systems (real hardware included):
> EFI variables are not supported on this system
> and have to enroll it after the first boot. Only then are the built and
> signed modules loaded.
> I tried loading the efivarfs module via preseed/early_command and I can confirm
> that /sys/firmware/efi/efivars/ is actually there (but empty).
> I'd really appreciate being able to enroll the key *during* installation, while the Debian
> installer is running. Is there any way I can do this?

I got it to work. I'm using a script that I load via preseed/late_command. The
script does this:

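> #!/bin/sh
> set -x
> # Load efivarfs and expose the EFI variables inside the target chroot.
> modprobe efivarfs || true
> mount -t efivarfs efivarfs /target/sys/firmware/efi/efivars || true
> # Nothing to enroll if the key does not exist.
> test -e /target/root/mok.der || exit 0
> in-target echo "Enroll DKMS mok.der key" >&2
> # mokutil prompts for the enrollment password twice; printf supplies both lines.
> in-target sh -c "printf 'Pass\nPass\n' | /usr/bin/mokutil --import /root/mok.der"
> umount /target/sys/firmware/efi/efivars || true
> exit 0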

I'd like to use 'mokutil --import <file> --root-pw', but that fails with
something like "Failed to get root password hash", so I have to set the
password directly. Any idea about the error message and how to fix it?

Special thanks to @kibi for the printf hint.

Regards, Daniel
Daniel Leidert <dleidert@debian.org> | https://www.wgdd.de/
GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78
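
A variant of the script above with its checks made explicit, as an added example that is not part of the original message: it confirms that EFI variables are visible in the target before calling mokutil, takes the enrollment password from a file instead of embedding it in the script, and lists the pending request afterwards. `TARGET`, `RUN`, `enroll_mok` and the password file are assumptions, as is `in-target` passing its arguments through unchanged.

```shell
#!/bin/sh
# Added example, not the script from the post. TARGET, RUN and the two
# file arguments are hypothetical; RUN defaults to d-i's in-target.
TARGET=${TARGET:-/target}
RUN=${RUN:-in-target}
EFIVARS=sys/firmware/efi/efivars

# True only if the directory exists and holds at least one entry.
efivars_populated() {
    [ -d "$1" ] && [ -n "$(ls -A "$1" 2>/dev/null)" ]
}

# enroll_mok DER PWFILE (paths relative to the target root).
# Returns 0 = queued or no key, 2 = no EFI variables, 3 = import failed.
enroll_mok() {
    der=$1; pwfile=$2; mounted=0; rc=0
    [ -e "$TARGET/$der" ] || return 0
    if ! efivars_populated "$TARGET/$EFIVARS"; then
        modprobe efivarfs 2>/dev/null || true
        mount -t efivarfs efivarfs "$TARGET/$EFIVARS" 2>/dev/null && mounted=1
    fi
    if ! efivars_populated "$TARGET/$EFIVARS"; then
        # This is the state in which mokutil reports
        # "EFI variables are not supported on this system".
        echo "EFI variables not visible in target, skipping MOK import" >&2
        rc=2
    elif [ ! -s "$TARGET/$pwfile" ]; then
        echo "MOK password file missing or empty" >&2
        rc=3
    else
        # Build the two password lines inside the target, as the original
        # script does, then show the queued request (mokutil --list-new).
        $RUN sh -c 'pw=$(head -n 1 "$1"); printf "%s\n%s\n" "$pw" "$pw" |
            mokutil --import "$2" && mokutil --list-new >&2' \
            sh "/$pwfile" "/$der" || rc=3
    fi
    # Unmount on every path, but only if this function did the mount.
    [ "$mounted" -eq 1 ] && umount "$TARGET/$EFIVARS"
    return "$rc"
}
```

A late_command script would source this and call `enroll_mok root/mok.der root/mok.pw`, where `root/mok.pw` is a hypothetical file holding the enrollment password on its first line.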