kernel module mokutil: failed to enroll new keys

Question

I'm trying to sign some kernel modules (for virtualbox) as explained here.

As explained there, I create the new keys:

openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Descriptive name/"

I sign all the modules:

sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxdrv)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetadp)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxnetflt)
sudo /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $(modinfo -n vboxpci)

But when it comes to importing the keys, that fails

$ sudo mokutil --import MOK.der
input password: 
input password again: 
Failed to enroll new keys

What could be causing this?

EDIT: Actually, I just noticed that I really can't do much with mokutil. For example:

$ sudo mokutil --reset
input password: 
input password again: 
Failed to unset MokNew
Failed to write MokAuth
Failed to unset MokNew
Failed to issue a reset request

I think that the only commands that don't fail somehow are --sb-state which correctly states that SecureBoot is enabled, and --list-enrolled which lists enrolled keys. Everything else errs in some way.

I got a similar error, I fixed it by giving the complete path to the MOK.der file: $ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der — JStrahl, Jan 27 '23 at 13:22

Goddard · Answer 1 · 2019-09-04T21:24:35.497

If you are on Ubuntu you don't need to set a root password. Not sure about other distros, but this should work with any distro that uses sudo.

sudo su
mokutil --import MOK.der

It should work without error now. Then to get back to a normal prompt just type.

exit

or simple

reboot

You now need to go through the UEFI prompt to add your key. Whatever you named it should show up, at least it did for me on my system.

Now you should be able to use your software.

score 3 · Answer 2 · answered Oct 19 '20 at 01:57

Had the same issue. Did a bit digging around with mokutil --help and was able to get things to work like this:

mokutil --set-verbosity true #optional
mokutil --password #enter password when prompted
mokutil --import MOK.der #enter same password

Posting it here in the hope that it helps someone. I have no clue why it works like this. All I'm trying to do is get VMware Workstation to work on Ubuntu with Secure Boot turned on :)

PS: Ubuntu 20.04.1 Desktop

score 2 · Answer 3 · answered Feb 02 '17 at 09:29

2

I had the same problem and found that UEFI boot had to be enabled while using modutil. (I had it disabled to use vmware workstation.)

Hope that helps!

answered Feb 02 '17 at 09:29

sebkraemer

435
3
12

Hey, this was a while ago. I never solved it, I just disabled some sort of check and now I use unsafe boot. I don't wanna break my current installation by changing things now, but next time I reinstall my OS maybe I'll come back and try your suggestion. Thanks. – Feb 02 '17 at 19:39

score 2 · Answer 4 · edited Jul 26 '19 at 00:52

2

I was able to solve this:

set a root passord (as I am using Ubuntu and it is not set by default)
doing it as root and with option --root-pw

edited Jul 26 '19 at 00:52

Pang

9,564
146
81
122

answered Nov 25 '17 at 13:25

user9007312

21
1

score 0 · Answer 5 · answered Feb 24 '23 at 00:40

0

Running the command as sudo solved the issue for me

answered Feb 24 '23 at 00:40

Tarik Waleed

97
1
8

kernel module mokutil: failed to enroll new keys

5 Answers5