I'm creating the /root/mok.der key (in Sid, dkms changed it to /root/dkms.der) and
trying to register it with mokutil during a custom installation. I tried preseed/late_command and I also tried a script with simple-cdd. But in all cases, on UEFI systems (real hardware included), I get:

    EFI variables are not supported on this system

and have to enroll it after the first boot. Only then are the built and signed modules loaded.

I tried loading the efivarfs module via preseed/early_command and I can confirm
that /sys/firmware/efi/efivars/ is actually there (but empty).

I'd really like to enroll the key *during* installation, while the Debian
installer is running. Is there any way I can do this?
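
#!/bin/sh
set -x
# Load efivarfs and mount it inside the target so mokutil can reach the EFI variables
modprobe efivarfs || true
mount -t efivarfs efivarfs /target/sys/firmware/efi/efivars || true
# Nothing to enroll if no MOK key was generated
test -e /target/root/mok.der || exit 0
in-target echo "Enroll DKMS mok.der key" >&2
# mokutil --import asks for the enrollment password twice; feed both prompts
in-target sh -c "printf 'Pass\nPass\n' | /usr/bin/mokutil --import /root/mok.der"
umount /target/sys/firmware/efi/efivars || true
exit 0
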
I'd like to use 'mokutil --import <file> --root-pw', but that fails with something like "Failed to get root password hash", so I have to set the password directly. Any idea about the error message and how to fix it?
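
An added diagnostic sketch, not part of the original post: it separates the efivarfs states the post touches on (directory present, filesystem mounted or not, variables visible or not) so they can be logged before mokutil is called. The function name `efivars_state` and its state labels are hypothetical; the second argument only exists so the mount table can be substituted.

```shell
#!/bin/sh
# efivars_state ROOT [MOUNTS_FILE]   (hypothetical helper, added example)
#   ROOT        "" for the installer environment, "/target" for the installed system
#   MOUNTS_FILE mount table to read, default /proc/mounts
# Prints one of: no-efi, no-efivars-dir, not-mounted, mounted-empty, ok
efivars_state() {
    root=$1
    mounts=${2:-/proc/mounts}
    dir="$root/sys/firmware/efi/efivars"

    # Without /sys/firmware/efi the kernel does not report an EFI boot
    [ -d "$root/sys/firmware/efi" ] || { echo no-efi; return 0; }
    [ -d "$dir" ] || { echo no-efivars-dir; return 0; }

    # The directory can exist as a bare mount point; check the mount table
    if ! awk -v d="$dir" '$2 == d && $3 == "efivarfs" { found = 1 }
                          END { exit !found }' "$mounts" 2>/dev/null; then
        echo not-mounted
        return 0
    fi

    # Mounted, but no variables visible
    if [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo mounted-empty
        return 0
    fi
    echo ok
}

# Log the state for both views before attempting the import
for r in "" /target; do
    echo "efivars under ${r:-/}: $(efivars_state "$r")" >&2
done
```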