Discussion:
Running mokutil during installation process
Daniel Leidert
2022-01-13 00:20:01 UTC
x-port debian-boot, debian-cd (not sure which is correct)

Hi,

I'm creating the /root/mok.der key (in Sid dkms changed to /root/dkms.der) and
try to register it with mokutil during a custom installation. I tried the
preseed/late_command and I also tried a script with simple-cdd. But in all
cases I get on UEFI systems (real hardware included):

EFI variables are not supported on this system

and have to enroll it after the first boot. Only then the modules built and
signed are loaded.

I tried loading the efivarfs module via preseed/early_command and I can confirm
that /sys/firmware/efi/efivars/ is actually there (but empty).

I'd really appreciate to enroll the key *during* installation, while the Debian
installer is running. Is there any way I can do this?

Regards, Daniel
--
Regards,
Daniel Leidert <***@debian.org> | https://www.wgdd.de/
GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

https://www.fiverr.com/dleidert
https://www.patreon.com/join/dleidert
Daniel Leidert
2022-01-13 22:30:02 UTC
Post by Daniel Leidert
I'm creating the /root/mok.der key (in Sid dkms changed to /root/dkms.der) and
try to register it with mokutil during a custom installation. I tried the
preseed/late_command and I also tried a script with simple-cdd. But in all
EFI variables are not supported on this system
and have to enroll it after the first boot. Only then the modules built and
signed are loaded.
I tried loading the efivarfs module via preseed/early_command and I can confirm
that /sys/firmware/efi/efivars/ is actually there (but empty).
I'd really appreciate to enroll the key *during* installation, while the Debian
installer is running. Is there any way I can do this?
I got it to work. I'm using a script that I load via preseed/late_command. The
Post by Daniel Leidert
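#!/bin/sh
# Trace each command; the trace ends up in the installer log.
set -x
# Expose the firmware's EFI variables inside the installed system (/target).
modprobe efivarfs || true
mount -t efivarfs efivarfs /target/sys/firmware/efi/efivars || true
# Nothing to enroll if the DKMS key was not created.
test -e /target/root/mok.der || exit 0
in-target echo "Enroll DKMS mok.der key" >&2
# mokutil asks for the one-time enrollment password twice; feed it on stdin.
in-target sh -c "printf 'Pass\nPass\n' | /usr/bin/mokutil --import /root/mok.der"
umount /target/sys/firmware/efi/efivars || true
exit 0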
I'd like to use 'mokutil --import <file> --root-pw', but that fails with
something like "Failed to get root password hash", so I have to set the
password directly. Any idea about the error message and how to fix it?

Special thanks to @kibi for the printf hint.


Regards, Daniel
Daniel Leidert
2022-01-14 02:30:01 UTC
On Thursday, 13.01.2022 at 23:29 +0100, Daniel Leidert wrote:

[..]
Post by Daniel Leidert
I'd like to use 'mokutil --import <file> --root-pw', but that fails with
something like "Failed to get root password hash", so I have to set the
password directly. Any idea about the error message and how to fix it?
The problem is that pam now sets the default hashing method to 'yescrypt' and
that's not supported by mokutil, so it cannot decrypt the password :(


Regards, Daniel
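
A check for the situation described in the last post, as an added example that is not part of the thread: it reads the crypt prefix of root's entry in a shadow file (for a late_command script that would be /target/etc/shadow) and reports whether it is yescrypt (`$y$`), the case in which `--root-pw` fails according to the post. The function names and the sample shadow lines are constructed for illustration; treating every scheme other than yescrypt as usable is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.
# Print the hash scheme of USER ($1) in a shadow file ($2, default /etc/shadow).
shadow_hash_scheme() {
    user=$1
    shadow=${2:-/etc/shadow}
    # Field 2 of the matching line is the crypt(5) string.
    hash=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$shadow")
    case $hash in
        '')              echo missing ;;
        '!'*|'*'*)       echo locked ;;
        '$y$'*)          echo yescrypt ;;
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$2'[abxy]'$'*)  echo bcrypt ;;
        '$1$'*)          echo md5crypt ;;
        *)               echo other ;;
    esac
}

# Return 0 when 'mokutil --import <file> --root-pw' is worth trying. yescrypt is
# the failing case from the thread; other schemes are assumed to be usable.
root_pw_usable() {
    case $(shadow_hash_scheme root "$1") in
        yescrypt|missing|locked) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample shadow file (placeholder strings, not real hashes).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19005:0:99999:7:::
admin:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19005:0:99999:7:::
daemon:*:19005:0:99999:7:::
EOF
}

# Demo on the constructed file.
sample=$(mktemp)
write_sample_shadow "$sample"
echo "root uses $(shadow_hash_scheme root "$sample")"
if root_pw_usable "$sample"; then
    echo "--root-pw can be tried"
else
    echo "--root-pw will not work; pass an explicit password instead"
fi
rm -f "$sample"
```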