Secure boot key / MOK management

At startup I got a warning about secure boot being turned on, but not having enrolled Universal Blue’s keys. I went to the mentioned page: Introduction to Bluefin. And did

ujust enroll-secure-boot-key

This happened automatically then:

sudo mokutil --timeout -1
sudo mokutil --import public_key.der

I tested with mokutil --list-enrolled and it seems OK.
Now at startup, I get a blue screen with MOK management. I can choose between booting, enrolling a key, getting the key from the web or getting it locally. Or something like that. Because I started Ecosia-ing what to do next, and that took too long, it went to sleep; the second time I think the “enroll key” option changed.
Anyway, what should I choose? The manual stops there and goes to Move on to system administration, which is about different things…

1 Like

From the docs:
After the first installation, you will be prompted to enroll the secure boot key in the BIOS.

Enter the password universalblue when prompted to enroll our key.

So in the MOK enrollment, enroll the key from disk and use the password when it asks for it.

Thank you inffy, I didn’t understand that I had to make that choice (from reading the documents).
But now I’m lost again:


I can only click “enter” I guess, after which I get this screen:

I don’t know, I guess I can only click “enter” again. Next screen:

Those have these options:

So one of these items is a key?

1 Like

This is what it should be?

mokutil --list-enrolled
[key 1]
SHA1 Fingerprint:  xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
             xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Validity
            Not Before: Jul 13 17:31:16 2020 GMT
            Not After : Jan 19 03:14:07 2037 GMT
        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                     xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:https://fedoraproject.org/wiki/Features/SecureBoot
            X509v3 Authority Key Identifier: 
                 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:...
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                 xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:...
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:...

No, I don’t believe that’s the correct key. I am not in a position to check it out right now, but when I eyeball that I’m thinking it is the Redhat shim. That should’ve been installed without any input from you because they are signed by MS. The MoK is for keys from individuals or small organizations that have to appeal to your personal trust and entreat your acceptance. Again, I can’t look this up first-hand at the moment… but I believe the key you’re adding to your MoK is going to say universalblue instead of Redhat.

When the blue box pops up, the enroll option should already have the location of the key (that’s what the enroll command was for). Whatever you’ve gotten into in your BIOS is browsing the ESP: none of those things are keys.

Thanks again.
As you can see, it looks like with the first command (ujust enroll…), the next ones are performed automatically? I tried to repeat those (sudo mokutil …), but that doesn’t seem to work for the second command.
Should I just wait for an update, maybe there’s a bug?

❯ ujust enroll-secure-boot-key
echo 'Enter password "universalblue" if prompted after your user password.'
Enter password "universalblue" if prompted after your user password.
sudo mokutil --timeout -1
Plaats uw vinger op de lezer
sudo mokutil --import /etc/pki/akmods/certs/akmods-ublue.der
input password: 
input password again: 
echo 'When you reboot your computer, follow the instructions to start MOK util'
When you reboot your computer, follow the instructions to start MOK util
echo 'by pressing a key, then enroll the secure boot key and enter "universalblue" as the password'
by pressing a key, then enroll the secure boot key and enter "universalblue" as the password

~ took 22s 
❯ sudo mokutil --timeout -1

~ 
❯ sudo mokutil --import public_key.der
Failed to get file status, public_key.der

The first part looks correct, mate. It is not clear why you are attempting to import the key immediately after the ujust script enrolled it or why you’d use different syntax. I think you need only to reboot after running the script.

No offense, but I think you probably just clicked the wrong option in the blue screen on reboot. It’s easy to do because the prompts are rather terse. Someone else asked for some screenshots of the enroll process in a different thread and I linked a video walking through the process:

MOK enrollment instructions my mum can understand - #2 by MaxJanky

I recommend you give that a look and emulate it when you reboot after importing any new MoK.

I’m sorry MaxJanky, but I did exactly what the documentation said:

  • ujust enroll-secure-boot-key
  • Then those followed automatically:
    • sudo mokutil --timeout -1
    • sudo mokutil --import public_key.der
  • Because the manual said you had to type it, and it didn’t work, I followed the manual by the letter, so I typed it myself.

In the video you linked, they say to choose “Enroll MOK”, not “Enroll key from disk” like inffy suggested

So in the mok enrollment, enroll the key from disk and use the password when it asks it

I’ll try this and report back :wink:

Alas, no cigar.

To start, since it says “if prompted after your user password”, I’m not sure what I should put there. I chose “universalblue”.


Then, when asked for a password, I tried universalblue 3 times and my user password 3 times, but I always get

Can it be a qwerty/azerty problem?

The docs you linked say that you can run the mokutil commands yourself INSTEAD of the ujust script should you be in a scenario where you’re rebasing and want to enroll the key before you even have access to ujust.

That’s an excellent guess that would’ve never crossed my mind. Nice job. Seems like you’re in the home stretch, now!

You’re right :slight_smile: .

And it was an azerty/qwerty problem!

Only question left: when asked to type and retype a password when you run the script, do you already have to use the universalblue password? (Because the documentation says “if prompted after your user password”.)
I never was asked my user password, not in the first screen and not in the blue screen.

I think it meant for sudo. Depending on your settings and how recently you last used sudo, you might be asked for a user password every execution or never. You can verify that you’ve installed the key the distro is asking for if you’re still apprehensive: mokutil --list-enrolled and look for ublue kernel.
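The check suggested above (run mokutil --list-enrolled and look for “ublue kernel”) can be scripted so that it does not depend on eyeballing a long certificate dump. This is an added example, not part of the thread or of Universal Blue’s tooling; it parses the [key N] / Subject: structure of the listing shown in this thread, and the embedded sample listing is constructed and abbreviated (no real fingerprints or key material).

```shell
#!/bin/sh
# Constructed, abbreviated mokutil --list-enrolled output in the shape seen in this thread.
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Certificate:
    Data:
        Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
[key 2]
SHA1 Fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Certificate:
    Data:
        Issuer: O=Universal Blue, OU=kernel signing, CN=ublue kernel/emailAddress=security@universal-blue.org
        Subject: O=Universal Blue, OU=kernel signing, CN=ublue kernel/emailAddress=security@universal-blue.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
'

# Print one "<key index><TAB><Subject>" line per enrolled certificate.
# Only the "Subject:" line is matched, so "Subject Public Key Info:" and
# "Subject Key Identifier:" are ignored.
mok_subjects() {
    printf '%s\n' "$1" | awk '
        /^\[key [0-9]+\]/ { key = $0 }
        /^[[:space:]]*Subject:/ {
            sub(/^[[:space:]]*Subject:[[:space:]]*/, "")
            print key "\t" $0
        }'
}

# Succeed (exit 0) only if some enrolled certificate has exactly this CN.
# The CN may be followed by "/" (as in the ublue kernel cert), "," or end of line.
mok_has_cn() {
    cn="$1"
    listing="$2"
    mok_subjects "$listing" | grep -qE "CN=$cn(/|,|$)"
}

# Live check against the running system (assumes mokutil is installed).
check_live() {
    listing=$(mokutil --list-enrolled 2>/dev/null) || { echo "could not run mokutil"; return 2; }
    if mok_has_cn "ublue kernel" "$listing"; then
        echo "ublue kernel key is enrolled in the MOK list"
    else
        echo "ublue kernel key is NOT enrolled; reboot and complete MOK enrollment"
        return 1
    fi
}
```

Call check_live on a Bluefin machine to get a yes/no answer instead of reading the whole dump.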

Everything is OK, I think. Thanks again.

mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Validity
            Not Before: Jul 13 17:31:16 2020 GMT
            Not After : Jan 19 03:14:07 2037 GMT
        Subject: C=US, ST=Massachusetts, L=Cambridge, O=Red Hat, Inc., OU=Fedora Secure Boot CA 20200709, CN=fedoraca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
                    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access: 
                CA Issuers - URI:https://fedoraproject.org/wiki/Features/SecureBoot
            X509v3 Authority Key Identifier: 
                xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier: 
                xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
        ...

[key 2]
SHA1 Fingerprint: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Universal Blue, OU=kernel signing, CN=ublue kernel/emailAddress=security@universal-blue.org
        Validity
            Not Before: Jul 11 03:07:09 2024 GMT
            Not After : Jun 17 03:07:09 2124 GMT
        Subject: O=Universal Blue, OU=kernel signing, CN=ublue kernel/emailAddress=security@universal-blue.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
                    xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Key Identifier: 
                xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
        xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:
        ...
2 Likes

Ok i got it now. The process worked!

For the simplest recap of the problem:
the enrollment program (the BIOS-looking one) doesn’t understand any other keyboard layout than azerty, which is what most of the world doesn’t use by default…
So when you have to put in a password on the ujust command, you have to choose one without the switched-up letters… for example a and q.
In my case, because I use qwertz in Germany, I also have to look out for y and z switching it up.

Now I have the Fedora key, the ublue akmods and ublue kernel.
Now everything should work out fine?

Yep. You can probably get rid of the old akmods key, even, but I couldn’t tell you what the advantage of doing so would be.

1 Like

I don’t know where you got that from but that cannot be correct.

Well it could depend on device/manufacturer, but I would say that it will not use azerty but a US qwerty layout.

Just like the LUKS password prompt on these Atomic distros, it will not follow your system keymap (unless you make the initramfs track your vconsole.conf), a known bug currently (has been for a while).

1 Like