Results 1 to 7 of 7

Thread: How to clean multiple MOK keys ?

  1. #1
    Join Date
    Apr 2008
    Beans
    154

    How to clean multiple MOK keys ?

    Hello,
    I own a Dell G3 (3579) with which I had a lot of big problems. (Software and hardware).
    In order to track them down, I was forced to redo the installation of Ubuntu 19.10 version WITH additional drivers installed during the installation process on 3 different disks.
    Now, my MOK database contains 10 keys, a lot of them being the various platform key created on my machine during install of the Nvidia proprietary driver. (which was one of the culprit for my problems)
    For my sanity and further proper handling, I would like to clean the unused keys without destroying the good ones and retain the security boot.
    I can't find a clear answer and procedure for this. So I kindly ask for help on that matter.
    Many thanks in advance for your enlightenment !
    Have a nice day and stay safe !

  2. #2
    Join Date
    Sep 2014
    Location
    United States
    Beans
    254
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: How to clean multiple MOK keys ?

    Code:
    $ mokutil --export
    Exports to list.

    Code:
    $ ls -1 MOK*
    Shows all keys.

    Code:
    $ mokutil --list-enrolled
    Shows you keys enrolled.

    Code:
    $ mokutil --delete MOK-0001.der
    Delete those not enrolled to maintain secure boot.

  3. #3
    Join Date
    Apr 2008
    Beans
    154

    Re: How to clean multiple MOK keys ?

    Thank you EuclidianCoffe for your answer !
    Everything is fine except that the "mokutil --list-enrolled" command list all the 10 keys which are in my machine tables.
    So I still can't find which keys to delete.
    Is there a way to find the serial number from a .der file ? because I have the actual DER file my current Ubuntu is using, and the mokutil command gives me the serial of all the keys enrolled.
    So by comparison I would be able to build the list of the extra keys.
    I'm not so keen in cryptography nor key handling, even if I look not so newbie
    Have a nice day and stay safe !

  4. #4
    Join Date
    Sep 2014
    Location
    United States
    Beans
    254
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: How to clean multiple MOK keys ?

    If you can't determine, maybe a simple reset could assist.

    I would backup before doing anything final like a reset.

    Code:
    $ mokutil --export

  5. #5
    Join Date
    Apr 2008
    Beans
    154

    Re: How to clean multiple MOK keys ?

    OK. I'll give it a try !
    But I would have preferred to check which key was which...
    Thanks anyway !

  6. #6
    Join Date
    Apr 2008
    Beans
    154

    Re: How to clean multiple MOK keys ?

    So, today it was raining hard. Very hard. So it was perfect to play with the computer ...
    I did triple check the various key (and dates of the files in /var/lib/shim-signed/mok ) and determined all the keys I had to remove.
    Then I removed them one at a time (to be able to check if something went amiss and correct it easily).
    So I did the following procedure eight times ...
    Code:
    $ sudo  mokutil --delete MOK-000<N>.der     # where N is the number of the key to remove.... In my case, it ran from 1 to 8.
    <enter a password for the MOK UEFI utility>
    <enter again the same password and keep in mind the keyboard in the UEFI utility would surely be a US one... >
    $ sudo systemctl reboot
    The machine reboots and the mok utility shows. Follow the instructions and then, view the key to ensure it is the one you want to delete... if it is, proceed.
    Reboot the computer after removing the "quiet splash" stanza in the linux Grub line. This way, if something goes amiss, you'll catch the red fail message.
    Login and do it again for the other key.
    After this is complete, tap yourself on the back.
    Congratulation, you're done !
    P.S. : each key has a validity date. Obviously, all keys valid BEFORE the creation date of the keys in /var/lib/shim-signed/mok are to be deleted. EXCEPT the one issued by MM Microsoft, your computer maker, and Ubuntu Central authority...
    P.P.S : It is important to say that saving the keys BEFORE doing anything leading to deletion is not a stupid thing to do. And doing one at a time, even if your BIOS allows for a more easy way to clean the lot is not a bad idea also. Kind of "belt and suspenders" here but.... Being locked out is no fun.
    Last edited by georgesgiralt; 3 Weeks Ago at 07:40 AM. Reason: Needed a clarification

  7. #7
    Join Date
    Sep 2014
    Location
    United States
    Beans
    254
    Distro
    Ubuntu 18.04 Bionic Beaver

    Re: How to clean multiple MOK keys ?

    Congratulations, brilliant work. Please mark this as solved, so future users can follow your advice. Thanks for posting the results of your work.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •