kernel – MOK key enrollment fails under Ubuntu 24 with TPM-backed FDE

I recently installed Ubuntu 24 with hardware-backed full disk encryption, and now I want to install a third-party kernel module (specifically the PEAK CAN driver). My understanding is that kernel modules must be signed with MOK keys so that Linux can verify their authenticity. I followed the instructions on this page to create MOK keys. Then I ran mokutil --import MOK.der and rebooted. My expectation was that MokManager would run, and would allow me to enroll the MOK key in the UEFI. Instead, the system showed a black screen with this message:

Failed to open \EFI\BOOT\mmx64.efi - Not Found
Failed to load image ######: Not Found
Failed to start MokManager: Not Found
Something has gone seriously wrong: import_mok_state() failed: Not Found

A few sources (such as this post) suggested duplicating grubx64.efi and renaming it to mmx64.efi. I tried doing this in both the ubuntu-seed and ubuntu-boot partitions, but this gave me the message "error: shim_lock protocol not found" instead, and booting still fails.

I also attempted to use KeyTool.efi as shown on this page to install the MOK key, but the MOK file did not appear in the list of eligible keys (even though KeyTool could see the MOK file on the USB drive). I even tried renaming MOK.der to MOK.cer as recommended here, but that did not help.

Note that I can fix the boot process by following these steps:

  1. Disable secure boot
  2. Enter the recovery key
  3. Run mokutil --revoke-import
  4. Re-enable secure boot

However, this does not solve my original problem, because it cancels the enrollment of the MOK key.

For the sake of completeness, here are some of my system specs:

  • PC model = OnLogic Karbon 410
  • Processor = Intel Atom x6425E
  • UEFI setup utility = InsydeH2O Z01-0004A077P154
  • Operating system = Ubuntu 24.04.1 LTS

Does anyone have suggestions for how to enroll MOK keys under Ubuntu 24 with TPM-backed FDE? Am I missing something here? I’m aware that TPM-backed FDE is still an “experimental” feature, but it would be a shame if it lacks support for third-party kernel modules. Thanks for any help you can provide.
