• Running mokutil during installation process

    From Daniel Leidert@21:1/5 to All on Thu Jan 13 01:20:01 2022
    XPost: linux.debian.maint.boot

    x-post debian-boot, debian-cd (not sure which is correct)

    Hi,

    I'm creating the /root/mok.der key (in Sid dkms changed to /root/dkms.der) and trying to register it with mokutil during a custom installation. I tried the preseed/late_command and I also tried a script with simple-cdd. But in all cases I get on UEFI systems (real hardware included):

    EFI variables are not supported on this system

    and have to enroll it after the first boot. Only then the modules built and signed are loaded.

    I tried loading the efivarfs module via preseed/early_command and I can confirm that /sys/firmware/efi/efivars/ is actually there (but empty).

    I'd really appreciate to enroll the key *during* installation, while the Debian installer is running. Is there any way I can do this?

    Regards, Daniel
    --
    Regards,
    Daniel Leidert <dleidert@debian.org> | https://www.wgdd.de/
    GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
    GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

    https://www.fiverr.com/dleidert
    https://www.patreon.com/join/dleidert

  • From Daniel Leidert@21:1/5 to All on Thu Jan 13 23:30:02 2022
    XPost: linux.debian.maint.boot

    On Thursday, 13.01.2022 at 01:19 +0100, Daniel Leidert wrote:

    > I'm creating the /root/mok.der key (in Sid dkms changed to /root/dkms.der) and try to register it with mokutil during a custom installation. I tried the preseed/late_command and I also tried a script with simple-cdd. But in all cases I get on UEFI systems (real hardware included):
    >
    > EFI variables are not supported on this system
    >
    > and have to enroll it after the first boot. Only then the modules built and signed are loaded.
    >
    > I tried loading the efivarfs module via preseed/early_command and I can confirm that /sys/firmware/efi/efivars/ is actually there (but empty).
    >
    > I'd really appreciate to enroll the key *during* installation, while the Debian installer is running. Is there any way I can do this?

    I got it to work. I'm using a script that I load via preseed/late_command. The script does this:

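    #!/bin/sh

    set -x

    # Make sure efivarfs support is loaded in the installer environment.
    modprobe efivarfs || true

    # Expose the EFI variables inside /target so mokutil, run via in-target, can reach them.
    mount -t efivarfs efivarfs /target/sys/firmware/efi/efivars || true

    # Nothing to enroll if no key was created.
    test -e /target/root/mok.der || exit 0
    in-target echo "Enroll DKMS mok.der key" >&2
    # mokutil asks for the enrollment password twice; printf supplies it on stdin.
    in-target sh -c "printf 'Pass\nPass\n' | /usr/bin/mokutil --import /root/mok.der"

    umount /target/sys/firmware/efi/efivars || true

    exit 0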

    I'd like to use 'mokutil --import <file> --root-pw', but that fails with something like "Failed to get root password hash", so I have to set the password directly. Any idea about the error message and how to fix it?

    Special thanks to @kibi for the printf hint.


    Regards, Daniel
    --
    Regards,
    Daniel Leidert <dleidert@debian.org> | https://www.wgdd.de/
    GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
    GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

    https://www.fiverr.com/dleidert
    https://www.patreon.com/join/dleidert

  • From Daniel Leidert@21:1/5 to All on Fri Jan 14 03:30:01 2022
    XPost: linux.debian.maint.boot

    On Thursday, 13.01.2022 at 23:29 +0100, Daniel Leidert wrote:

    > [..]
    > I'd like to use 'mokutil --import <file> --root-pw', but that fails with something like "Failed to get root password hash", so I have to set the password directly. Any idea about the error message and how to fix it?

    The problem is that pam now sets the default hashing method to 'yescrypt' and that's not supported by mokutil, so it cannot decrypt the password :(


    Regards, Daniel
    --
    Regards,
    Daniel Leidert <dleidert@debian.org> | https://www.wgdd.de/
    GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
    GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

    https://www.fiverr.com/dleidert
    https://www.patreon.com/join/dleidert
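
The check below is an added example, not part of the thread and not code from mokutil: it reads the scheme prefix of root's hash in the target's shadow file to predict whether `--root-pw` can work, since the thread attributes the failure to yescrypt (`$y$`). The function names, the /target/etc/shadow path mentioned in the comments, and the list of schemes treated as usable are assumptions.

```shell
#!/bin/sh
# Added example: pick the mokutil import mode from the hash scheme of root's
# password in a shadow file (in a late_command this would be /target/etc/shadow).

# Print the crypt(3) scheme of a user's hash. $1 = shadow file, $2 = user name.
shadow_scheme() {
    [ -r "$1" ] || { echo missing; return 0; }
    hash=$(awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1")
    case "$hash" in
        '')         echo missing ;;
        '!'*|'*'*)  echo locked ;;        # no usable password at all
        '$y$'*)     echo yescrypt ;;      # the PAM default named in the thread
        '$6$'*)     echo sha512crypt ;;
        '$5$'*)     echo sha256crypt ;;
        '$1$'*)     echo md5crypt ;;
        *)          echo other ;;
    esac
}

# Print the import mode to use for the shadow file given as $1:
#   root-pw -> 'mokutil --import KEY --root-pw' is expected to work
#   prompt  -> supply a separate enrollment password on stdin instead
mok_import_mode() {
    case "$(shadow_scheme "$1" root)" in
        # Assumption: these older schemes are the ones mokutil can reuse.
        sha512crypt|sha256crypt|md5crypt) echo root-pw ;;
        # yescrypt (per the thread), locked, missing or unknown schemes.
        *) echo prompt ;;
    esac
}

# Constructed sample line (not a real hash) for a target whose default is yescrypt.
sample=$(mktemp)
printf 'root:$y$j9T$CONSTRUCTED$CONSTRUCTED:19000:0:99999:7:::\n' > "$sample"
echo "root scheme: $(shadow_scheme "$sample" root), import mode: $(mok_import_mode "$sample")"
rm -f "$sample"
```

When the mode is `prompt`, the password piped to mokutil is a one-time enrollment secret that has to be typed again in MokManager on the next boot, so it should not be a value reused elsewhere.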
