search for: mokutil

...lp we would need you totry the following: 1. boot using a working USB/cdrom/netboot path and installer2. choose the rescue mode3. have the rescue mount the disks as local and chroot into thesystem. << if possible have the system also bring up networking >> Thenyum list kernel shim grub2 mokutil John, I have a CentOS 8.2.2004 system running on an EPYC-equipped SuperMicro motherboard. I assume it uses EFI boot. I have it set to auto-update with cron.daily, so it almost certainly has the buggy package(s) installed. I'm loath to try rebooting it just to see. When I run "yum list...

...boot=off? >(Just to be sure; I imply that you use UEFI, right?) > >-- >Leon >____________ I'm not sure how to turn 'secure boot' off or if it exists. (MacMini5.2). I presume it uses UEFI, but not sure how to answer that. Boot failure only occurs when the grub2/shim/mokutil updates are applied. David

...device. AFAIK the openfirmware of >such hardware have also a legacy mode. So first >check if it uses the UEFI mode at all by checking >if this directory exists (in the working/bootable system): > ># ls -la /sys/firmware/efi > >if so test the secure boot state with > ># mokutil --sb-state > > >>Boot failure only occurs when the grub2/shim/mokutil updates are applied. [root at xxx -]ls -la /sys/firmware/efi total 0 drwxr-xr-x 5 root root 0 Aug 4 17:12 . drwxr-xr-x 7 root root 0 Aug 4 14:30 .. -r--r--r-- 1 root root 4096 Aug 4 17:12 config_table d...

><snip> > >> Yes .. it should be on mirror.centos.org now .. you could change the > >> repo where your updates come from.? OR .. wait for that mirror to get > >> updated. > > > > > > I just did > > yum clean all > > yum update > > > > and 15-8 showed up.? Maybe the 'clean all' > did it, or maybe just

...ntos 7: 1) Boot from an rescue linux usb 2) When the rescue system is running: ??? 2.1) #chroot /mnt/sysimage 3) Config network: ??? 3.1) # ip addr add X.X.X.X/X dev X ??? 3.2) # ip route add default via X.X.X.X??? <--- default router 4) And finally: ??? #yum downgrade shim\* grub2\* mokutil ??? #exit ??? #reboot I hope you can fix it with these steps. El 4/8/20 a las 0:56, Nicolas Kovacs escribi?: > Le 03/08/2020 ? 19:24, david a ?crit?: >> After trying several paths, some suggested on this list, here's my results. > Hi, > > Just back from a hiking trip. On...

On 1/22/2016 11:00 AM, Eero Volotinen wrote: > It works on linux, it can't be secure? if you can insert a custom Machine Owner Key into this keyring, then anyone with sufficient ingenuity can, too. which renders the whole signature thing moot, other than as another step to be cracked. -- john r pierce, recycling bits in santa cruz

...n a service like Amazon AWS >> (or pick your virtual server environment) ? AWS provides a remote >> console, doesn't it? > > AWS doesn't offer UEFI Secure Boot, so I'm not sure how that's relevant. > > It seems like you're reaching for criticisms of mokutil because you > don't like it, rather than because there is a demonstrable problem > with it. yeah, I just realized, duh, secureboot on a VM is not an issue at all, so never mind all that. I do think the whole secureboot thing is a bad idea on a general purpose computer system, seems...

...of such hardware have also >> a legacy mode. So first check if it uses the UEFI mode at all by checking >> if this directory exists (in the working/bootable system): >> >> # ls -la /sys/firmware/efi >> >> if so test the secure boot state with >> >> # mokutil --sb-state >> >> >>> Boot failure only occurs when the grub2/shim/mokutil updates are >>> applied. > > > > [root at xxx -]ls -la /sys/firmware/efi > total 0 > drwxr-xr-x? 5 root root??? 0 Aug? 4 17:12 . > drwxr-xr-x? 7 root root??? 0 Aug? 4 14:...

...[root at gary ~]# modprobe wl modprobe: ERROR: could not insert 'wl': Required key not available [root at gary ~]# This relates to the secure boot that is mentioned on the page. I therefore went through the process of disabling secure boot. This consisted of running: [root at gary ~]# mokutil --disable-validation password length: 8~16 input password: input password again: [root at gary ~]# After doing this I rebooted. As part of the reboot I was supposed to be asked for the password that I had just created but I wasn't. Then, after the reboot I tried the modprobe command but r...

Is there an "easy" way to just sign all kernel modules in the /lib/modules directory ? I'm getting an error about a module not being signed so not loading. CentOS 7.7 UEFI booting. (I cannot remove UEFI as hardware does not allow it). Thanks, Jerry

...the new versions are: > >PowerTools/x86_64/os/Packages/shim-unsigned-x64-15-8.el8.x86_64.rpm >BaseOS/x86_64/os/Packages/shim-ia32-15-15.el8_2.x86_64.rpm >BaseOS/x86_64/os/Packages/shim-x64-15-15.el8_2.x86_64.rpm > >For CentOS Linux 7 .. the new files are: > >x86_64/Packages/mokutil-15-8.el7.x86_64.rpm >x86_64/Packages/shim-ia32-15-8.el7.x86_64.rpm >x86_64/Packages/shim-unsigned-ia32-15-8.el7.x86_64.rpm >x86_64/Packages/shim-unsigned-x64-15-8.el7.x86_64.rpm >x86_64/Packages/shim-x64-15-8.el7.x86_64.rpm > >You need only replace the files you currently have ins...

On 1/22/2016 2:24 PM, Gordon Messmer wrote: > On 01/22/2016 01:56 PM, John R Pierce wrote: >> Sure, if someone has penetrated my IPMI and/or virtualization >> management, I'm already in a world of hurt > > Exactly. IPMI should be on a dedicated VLAN with a bastion host. No > other systems should have access to it at all. The servers, > especially, should not

...grub binary is created, replacing grubx64.efi. If you have Secure Boot enabled, you will not be able to boot, until you either reinstall the grub2-efi package (or you self-sign the grub2-install created binary and then go through the process of informing the firmware this is a valid binary by using mokutil - but I estimate maybe 1 in 50 people might do this). -- Chris Murphy

...ure how to answer that. Oh, an apple device. AFAIK the openfirmware of such hardware have also a legacy mode. So first check if it uses the UEFI mode at all by checking if this directory exists (in the working/bootable system): # ls -la /sys/firmware/efi if so test the secure boot state with # mokutil --sb-state > > Boot failure only occurs when the grub2/shim/mokutil updates are applied. > -- Leon

...AM, John R Pierce wrote: >> if you can insert a custom Machine Owner Key into this keyring, then >> anyone with sufficient ingenuity can, too. which renders the whole >> signature thing moot, other than as another step to be cracked. > > I'm not sure you understand mokutil. You do know that in order to > enroll a key you must be physically present at the console before the > kernel boots, right? In order to enroll a key, you must have admin > access in the OS, and physical access to the hardware. in order to install a kernel module without signing, yo...

...asn't possible. Yum said there were no prior versions. 3) The most reliable method I found for Centos 7 was: - Re=install from scratch (luckily, my data files were safe and restorable) - Before running any updates, apply the fix suggested by Redhat and exclude updates to grub2, shim and mokutil. - Without the above 'exclude', the system became unbootable after a yum update even though the corrected versions of shim should have been loaded. The system I'm dealing with is Centos 7. I can easily rebuild it from scratch and test stuff without losing crucial data, if it would...

...ry single combination of firmware, hardware, etc >on every possible machine frm every manufacturer will work. But, we >have had no reports of failure since the updates. Ummmm.............. except for apple hardware. My Mac-mini runs just file as long as this text: exclude=grub2* shim* mokutil is added to the end of the file /etc/yum.conf and executing yum -y update and rebooting works just fine. HOWEVER, if I remove that 'exclude' line from yum.conf, run 'yum update', and then reboot, the system is unbootable. I end up with a blank screen, no grub anything. I...

On Thu, Dec 14, 2017 at 5:39 AM, Gary Stainburn <gary at ringways.co.uk> wrote: > After getting nowhere with the mokutil command I decided to use the other > option and turn off secure boot in the BIOS settings. > > I had been loathed to do this because every time I do anything in the BIOS > it > stuffs the boot order and reverts to booting straight into Win8. Guess > what, > as soon as I turned...

...ng: > >1. boot using a working USB/cdrom/netboot path and installer >2. choose the rescue mode >3. have the rescue mount the disks as local and chroot into the >system. << if possible have the system also bring up networking >> > >Then >yum list kernel shim grub2 mokutil > >It would also help to know which kind of Mac Mini it is (year, model, >firmware versions). Apple changes the internal hardware of these >things and how they boot so if there it may be that a particular model >is more affected than others. How does one obtain that information? T...

...ges/shim-unsigned-x64-15-8.el8.x86_64.rpm > >> BaseOS/x86_64/os/Packages/shim-ia32-15-15.el8_2.x86_64.rpm > >> BaseOS/x86_64/os/Packages/shim-x64-15-15.el8_2.x86_64.rpm > >> > >> For CentOS Linux 7 .. the new files are: > >> > >> x86_64/Packages/mokutil-15-8.el7.x86_64.rpm > >> x86_64/Packages/shim-ia32-15-8.el7.x86_64.rpm > >> x86_64/Packages/shim-unsigned-ia32-15-8.el7.x86_64.rpm > >> x86_64/Packages/shim-unsigned-x64-15-8.el7.x86_64.rpm > >> x86_64/Packages/shim-x64-15-8.el7.x86_64.rpm > >> > >...