Error enrolling secure boot key

Bambiraptor · August 30, 2024, 4:49pm

I tried with or without secure boot enabled in the BIOS and I get this error each time:

thanks

bsherman · September 27, 2024, 2:51am

From what I’ve seen by searching for possible errors like this, if I had to guess, it’s a bug in your particular system’s UEFI implementation.

The older the machine, the more likely this is, not because it has gained a bug with age, but just because older UEFI implementations seemed to have more bugs as I think the manufacturers were still figuring it out.

On a system like that, you could try upgrading the BIOS/UEFI if there is one available, or just disable SecureBoot and don’t sweat it.

Bambiraptor · September 27, 2024, 3:59am

Ok thanks a lot, much appreciated @bsherman

MaxJanky · September 27, 2024, 5:40am

@bsherman gave you fantastic analysis and advice, but I’d also add that the timeout is just a convenience. You could still try to manually ‘wget https://github.com/ublue-os/bazzite/raw/refs/heads/main/secure_boot.der && sudo mokutil --import secure_boot.der’ or whatever the newest key is. Just be ready to click on view/enroll right away when it pops up.

Bambiraptor · September 27, 2024, 8:58pm

Hey @MaxJanky , thanks for sharing.
Sounds good, I’m ready!
Do I have to download that secure_boot.der file and if yes, where can I find it?

MaxJanky · September 27, 2024, 11:40pm

I think all the spins are using the same ublue key and that’s the new one. So I’d try the command as written once you’ve satisfied yourself that the link is legit: wget https://github.com/ublue-os/bazzite/raw/refs/heads/main/secure_boot.der && sudo mokutil --import secure_boot.der

I suspect it’s the same thing the ujust script that failed you would attempt. Just be ready for the blue box on reboot asking you to enroll keys (unless it also fails). It could be more user-friendly and you won’t have time to look it up on your cell or whatever before it times out.

gl!

bsherman · September 28, 2024, 5:27pm

You can also inspect any ujust recipe…

The original command was ujust -n enroll-secure-boot-key.

Add -n after ujust and you’ll see the command it’s running:

$ ujust -n enroll-secure-boot-key 
echo 'Enter password "universalblue" if prompted after your user password.'
sudo mokutil --timeout -1
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
echo 'When you reboot your computer, follow the instructions to start MOK util'
echo 'by pressing a key, then enroll the secure boot key and enter "universalblue" as the password'

You can then run the bits you want.

Topic		Replies	Views
Unable to disable secure boot to enroll MOK Bluefin and Aurora	2	200	August 30, 2024
Secure boot key / MOK management General	15	521	October 6, 2024
ThinkPad Secure Boot setup with Bluefin Bluefin and Aurora	3	407	June 28, 2024
Bluefin stable image 40.20240801.0 fails to boot Bluefin and Aurora	3	127	August 3, 2024
Autumn update: Secure Boot users, make sure you've enrolled our secure boot key Bluefin and Aurora announcements , bluefin-news , ublue-news	19	3370	October 5, 2024

Error enrolling secure boot key

Related topics