I recently had to go through the mok import and enrollment on a headless machine, which was not fun!
First, my fault, I had forgotten about it until too late and the machine didn’t come back after a reboot.
Second, I had to actually move the machine and plug it into a keyboard/monitor to perform the enrollment.
This had me wondering, what tool actually does this, and could it be done from the OS command line rather than during the boot process?
How do others handle this?
(I do have an IP KVM on order…)
So key enrollment is handled by mokutil, which communicates with shimx64.efi, a GRUB preloader signed with Microsoft keys. After perusing the Debian documentation for both projects, it appears that shimx64.efi requires physical presence to install a machine custodian key by design. Thus, there's not really a way I can see to get around this on a headless machine at install time. The key enrollment only needs to be done once, as the same keys will be used to sign subsequent kernel updates. If you plan to reinstall UBlue often, I'd consider turning Secure Boot off altogether (to my understanding, the contributions it makes to platform security are minimal at best).
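The mokutil side of the workflow described above, as an added example that is not part of any post in this thread: it generates a key pair and DER certificate in the form `mokutil --import` expects, queues the import, and reports where the certificate stands (already in shim's MokList, pending in MokNew, or not enrolled). The directory layout, file names, `mok_state` return codes and the "Example MOK" subject are this example's own choices; `openssl` and `mokutil` are assumed to be installed. The interactive reboot-time MokManager step is exactly what cannot be scripted, so the script stops at queueing the request.

```shell
#!/bin/sh
# Added example (not from the thread): generate a Machine Owner Key, queue it
# for enrollment with mokutil, and check enrollment state afterwards.
# Assumes openssl and mokutil; names, paths and return codes are this script's own.
set -eu

# Generate MOK.priv (private key) and MOK.der (certificate, DER) in $1 and
# print the path of the DER certificate. The private key can sign anything
# shim will later trust, so it is created with mode 600.
make_mok() {
  dir="$1"
  umask 077
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example MOK/" \
    -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" >/dev/null 2>&1
  chmod 600 "$dir/MOK.priv"
  # PEM copy for tools (sign-file, openssl verify) that want PEM input.
  openssl x509 -inform DER -in "$dir/MOK.der" -out "$dir/MOK.pem" >/dev/null 2>&1
  echo "$dir/MOK.der"
}

# Enrollment state of a DER certificate:
#   0 = enrolled (shim already trusts it)
#   1 = not enrolled and nothing pending
#   2 = queued in MokNew, waiting for MokManager at next boot
#   3 = cannot tell (no mokutil, or no EFI variable access)
mok_state() {
  cert="$1"
  command -v mokutil >/dev/null 2>&1 || return 3
  [ -d /sys/firmware/efi/efivars ] || return 3
  # mokutil --test-key prints "<file> is already enrolled" or "... is not enrolled".
  if mokutil --test-key "$cert" 2>/dev/null | grep -q "is already enrolled"; then
    return 0
  fi
  # mokutil --list-new lists pending requests with their SHA1 fingerprints;
  # compare against this certificate's fingerprint (case-insensitive).
  fp=$(openssl x509 -inform DER -in "$cert" -noout -fingerprint -sha1 | cut -d= -f2)
  if mokutil --list-new 2>/dev/null | grep -qi "$fp"; then
    return 2
  fi
  return 1
}

# Queue the certificate for enrollment. mokutil prompts for a one-time
# password here; MokManager asks for it again at the next boot, which is the
# physical-presence step the thread is about. Only runs if not already enrolled.
queue_mok() {
  cert="$1"
  rc=0
  mok_state "$cert" || rc=$?
  case "$rc" in
    0) echo "already enrolled: $cert" ;;
    2) echo "already pending, reboot to finish: $cert" ;;
    1) mokutil --import "$cert" && echo "queued, reboot and complete MokManager" ;;
    *) echo "cannot determine MOK state (no mokutil or no EFI access)" ;;
  esac
  return "$rc"
}

demo() {
  dir=$(mktemp -d)
  cert=$(make_mok "$dir")
  rc=0
  mok_state "$cert" || rc=$?
  echo "generated $cert, state code $rc (0=enrolled 1=not 2=pending 3=unknown)"
}

demo
```

After the reboot, `mok_state` returning 0 is the check that the variable survived; the same check after a firmware update tells you whether the MokList was wiped and the key needs to be queued again. Signing a kernel or module with `MOK.priv` is a separate step (for example with the kernel's `sign-file`), and whoever holds that file can produce binaries shim will boot, so keep it off the machine where possible.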
Thanks for that. No, I don’t intend to re-install often, if at all, on this headless machine.
You will only need to re-enroll the key if the EFI variable storing it gets reset. This can happen on firmware updates.
Mokutil unfortunately requires physical presence to enroll the certificate. A KVM would be a great solution to this.