How To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones?How to list drivers/kernel modules affected...

Accidentally leaked the solution to an assignment, what to do now? (I'm the prof)

Why doesn't Newton's third law mean a person bounces back to where they started when they hit the ground?

How is this relation reflexive?

Shell script can be run only with sh command

Email Account under attack (really) - anything I can do?

A Journey Through Space and Time

How to add power-LED to my small amplifier?

Infinite past with a beginning?

Why is this code 6.5x slower with optimizations enabled?

What typically incentivizes a professor to change jobs to a lower ranking university?

How do you conduct xenoanthropology after first contact?

Why are 150k or 200k jobs considered good when there are 300k+ births a month?

whey we use polarized capacitor?

What would the Romans have called "sorcery"?

Why was the small council so happy for Tyrion to become the Master of Coin?

What are these boxed doors outside store fronts in New York?

Schwarzchild Radius of the Universe

Is it tax fraud for an individual to declare non-taxable revenue as taxable income? (US tax laws)

Japan - Plan around max visa duration

Example of a relative pronoun

Can an x86 CPU running in real mode be considered to be basically an 8086 CPU?

I probably found a bug with the sudo apt install function

A newer friend of my brother's gave him a load of baseball cards that are supposedly extremely valuable. Is this a scam?

The use of multiple foreign keys on same column in SQL Server



How To Consolidate Multiple MOK Keys Or Delete Unnecessary Ones?


How to list drivers/kernel modules affected by SecureBoot?Mok Management Will Not Load on BootHow Shim verifies binaries in secure boot?Re-signing kernel modules after update - VMMONUEFI Secure Boot - unable to sign VirtualBox kernel modules - sign-key does nothingTrying to Set up VirtualBox with Live Persistent USB made using Mkusb18.04 LTS unstable performance [very slow startup + sudden desktop freezing]services failing to start - control process exited with error codeDoes Ubuntu Secure Boot make Intel TXT unnecessary?Trying to repair bootup






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ margin-bottom:0;
}







1















AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.



A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).



I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.



-rw------- 1 root root 1.1K Jun 13  2018 /root/keyfiles/MOK.der
-rw------- 1 root root 1.4K Jun 13 2018 /root/keyfiles/MOK.priv.gpg
-rw-r--r-- 1 root root 910 Aug 13 2018 /var/lib/shim-signed/mok/MOK.der
-rw------- 1 root root 1.7K Aug 13 2018 /var/lib/shim-signed/mok/MOK.priv


The MOK files I know I have are the first pair. The 2nd pair was news to me.



MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but



a) I am not comfortable touching a file in /var/lib/shim-signed/ and



b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)



To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)



-rw-r--r-- 1 root root  854 Apr  7 18:34 /var/lib/sb/MOK.2
-rw-r--r-- 1 root root 1.8K Apr 7 18:49 /var/lib/sb/MOK.secdata
-rw-r--r-- 1 root root 0 Apr 7 18:34 /var/lib/sb/MOK.seclock
-rw-r--r-- 1 root root 228 Apr 7 18:34 /var/lib/sb/MOK.secmeta


I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?



Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on whether the BIOS stores multiple MOK keys or just one and what causes a new MOK key to be created when you already have a working one.










share|improve this question





























    1















    AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.



    A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).



    I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.



    -rw------- 1 root root 1.1K Jun 13  2018 /root/keyfiles/MOK.der
    -rw------- 1 root root 1.4K Jun 13 2018 /root/keyfiles/MOK.priv.gpg
    -rw-r--r-- 1 root root 910 Aug 13 2018 /var/lib/shim-signed/mok/MOK.der
    -rw------- 1 root root 1.7K Aug 13 2018 /var/lib/shim-signed/mok/MOK.priv


    The MOK files I know I have are the first pair. The 2nd pair was news to me.



    MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but



    a) I am not comfortable touching a file in /var/lib/shim-signed/ and



    b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)



    To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)



    -rw-r--r-- 1 root root  854 Apr  7 18:34 /var/lib/sb/MOK.2
    -rw-r--r-- 1 root root 1.8K Apr 7 18:49 /var/lib/sb/MOK.secdata
    -rw-r--r-- 1 root root 0 Apr 7 18:34 /var/lib/sb/MOK.seclock
    -rw-r--r-- 1 root root 228 Apr 7 18:34 /var/lib/sb/MOK.secmeta


    I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?



    Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on whether the BIOS stores multiple MOK keys or just one and what causes a new MOK key to be created when you already have a working one.










    share|improve this question

























      1












      1








      1








      AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.



      A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).



      I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.



      -rw------- 1 root root 1.1K Jun 13  2018 /root/keyfiles/MOK.der
      -rw------- 1 root root 1.4K Jun 13 2018 /root/keyfiles/MOK.priv.gpg
      -rw-r--r-- 1 root root 910 Aug 13 2018 /var/lib/shim-signed/mok/MOK.der
      -rw------- 1 root root 1.7K Aug 13 2018 /var/lib/shim-signed/mok/MOK.priv


      The MOK files I know I have are the first pair. The 2nd pair was news to me.



      MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but



      a) I am not comfortable touching a file in /var/lib/shim-signed/ and



      b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)



      To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)



      -rw-r--r-- 1 root root  854 Apr  7 18:34 /var/lib/sb/MOK.2
      -rw-r--r-- 1 root root 1.8K Apr 7 18:49 /var/lib/sb/MOK.secdata
      -rw-r--r-- 1 root root 0 Apr 7 18:34 /var/lib/sb/MOK.seclock
      -rw-r--r-- 1 root root 228 Apr 7 18:34 /var/lib/sb/MOK.secmeta


      I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?



      Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on whether the BIOS stores multiple MOK keys or just one and what causes a new MOK key to be created when you already have a working one.










      share|improve this question














      AFAIK I've only had one MOK.priv file since I started using secureboot on Bionic.



      A kernel update last week (as usual) asked me to create a MOK password and to re-enter this password in the MOK enrollment screen at boot up. But I missed the enrollment screen (for the 1st time).



      I've since been able to enroll the MOK key and sign the needed kernel modules, re-enabling secure boot. I then found an "orphan" MOK key on my machine. Maybe missing the enrollment caused me to end up with one more MOK key? Or maybe not, since it is dated Aug last year.



      -rw------- 1 root root 1.1K Jun 13  2018 /root/keyfiles/MOK.der
      -rw------- 1 root root 1.4K Jun 13 2018 /root/keyfiles/MOK.priv.gpg
      -rw-r--r-- 1 root root 910 Aug 13 2018 /var/lib/shim-signed/mok/MOK.der
      -rw------- 1 root root 1.7K Aug 13 2018 /var/lib/shim-signed/mok/MOK.priv


      The MOK files I know I have are the first pair. The 2nd pair was news to me.



      MOK files should not be left available on the machine. I could possibly just encrypt the 2nd key, but



      a) I am not comfortable touching a file in /var/lib/shim-signed/ and



      b) I'd like to keep a single MOK file on the machine (and enrolled in the BIOS)



      To make matters worse, today I had to install an upgrade to the Acronis backup agent (which depends on snapapi26, a kernel module) and now have more MOK files (though the extension is different, it looks to me that MOK.secdata is a key)



      -rw-r--r-- 1 root root  854 Apr  7 18:34 /var/lib/sb/MOK.2
      -rw-r--r-- 1 root root 1.8K Apr 7 18:49 /var/lib/sb/MOK.secdata
      -rw-r--r-- 1 root root 0 Apr 7 18:34 /var/lib/sb/MOK.seclock
      -rw-r--r-- 1 root root 228 Apr 7 18:34 /var/lib/sb/MOK.secmeta


      I'd like to have a single (encrypted) MOK.priv and MOK.der on my machine. How do I "consolidate" these MOK keys into a single one (by size alone you can see that they are not identical)? If this is not possible, do I need more than one MOK key? If not, which one should I keep?



      Side note, and not required to answer my main question: I'd appreciate an explanation (or link to one) on whether the BIOS stores multiple MOK keys or just one and what causes a new MOK key to be created when you already have a working one.







      18.04 kernel secure-boot dkms






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 25 mins ago









      GaiaGaia

      1401113




      1401113






















          0






          active

          oldest

          votes












          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "89"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1132010%2fhow-to-consolidate-multiple-mok-keys-or-delete-unnecessary-ones%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Ask Ubuntu!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1132010%2fhow-to-consolidate-multiple-mok-keys-or-delete-unnecessary-ones%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Why do type traits not work with types in namespace scope?What are POD types in C++?Why can templates only be...

          Will tsunami waves travel forever if there was no land?Why do tsunami waves begin with the water flowing away...

          Simple Scan not detecting my scanner (Brother DCP-7055W)Brother MFC-L2700DW printer can print, can't...