[Solved] Mokutil - This system doesn't support Secure Boot

sakurita
Posts: 4
Joined: 2023-01-22 11:19
Has thanked: 2 times

[Solved] Mokutil - This system doesn't support Secure Boot

#1 Post by sakurita »

I was reading the Debian wiki documentation (Secure Boot); of course my Asus laptop has a UEFI BIOS:

-CSM is disabled
-Fastboot is disabled

When I type the command:

    mokutil --sb-state

it returns

    This system doesn't support Secure Boot

Any idea?
Last edited by sakurita on 2023-01-23 17:37, edited 1 time in total.

kent_dorfman766
Posts: 177
Joined: 2022-12-16 06:34
Location: socialist states of america
Has thanked: 13 times
Been thanked: 19 times

Re: Mokutil - This system doesn't support Secure Boot

#2 Post by kent_dorfman766 »

-CSM is disabled

Would this answer your question? If your call to mokutil just queries the BIOS setting and CSM is related to Secure Boot?

FWIW, IMHO Secure Boot isn't worth the hassle and I disable it on systems where I'm allowed to do so.

Aki
Posts: 453
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 6 times
Been thanked: 59 times

Re: Mokutil - This system doesn't support Secure Boot

#3 Post by Aki »

Hello,
sakurita wrote: 2023-01-22 12:35 I was reading the Debian wiki documentation (Secure Boot); of course my Asus laptop has a UEFI BIOS:
When I type the command:

    mokutil --sb-state

it returns

    This system doesn't support Secure Boot

Any idea?
What Debian version are you using?

It is possible that, for some reason, the command cannot access the /sys/firmware/efi/efivars/ filesystem. You can verify with:

    su -l -c "apt install strace"
    strace -o strace.log mokutil --sb-state

The strace.log will contain the system calls.

Perhaps the efivars directory is not mounted in /sys/firmware/efi for some reason; for example, in my working installation with Debian Stable (11.6):

    $ mokutil --sb-state
    SecureBoot enabled
    $ mount | grep efivarfs
    efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
---
[1] https://wiki.debian.org/UEFI#efibootmgr_and_efivar
[2] viewtopic.php?t=152538
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

sakurita
Posts: 4
Joined: 2023-01-22 11:19
Has thanked: 2 times

Re: Mokutil - This system doesn't support Secure Boot

#4 Post by sakurita »

Aki wrote: 2023-01-22 14:25 What Debian version are you using?
I'm using Debian 11
I followed your steps:

    efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)

    mokutil --sb-state
    This system doesn't support Secure Boot

It becomes interesting with:

    strace -o strace.log mokutil --sb-state

    openat(AT_FDCWD, "/sys/firmware/efi/efivars/SecureBoot-*******************", O_RDONLY) = -1 ENOENT (File or directory not exist)
    write(2, "This system doesn't support Secu"..., 40) = 40
    exit_group(-1)

So I manually created the missing file (notice that I replaced the hexadecimal with * because I don't know if it is important):

    touch /sys/firmware/efi/efivars/SecureBoot-*******************

then I got a new error

    Failed to read "SetupMode" variable: No such file or directory

then I manually created the new required file:

    touch /sys/firmware/efi/SetupMode-*******************

Finally:

    strace -o strace.log mokutil --sb-state
    SecureBoot enabled

So I don't know why these files are not automatically created, but Secure Boot seems to work using the default manufacturer PK.

On the other hand:

    apt reinstall shim-signed grub-efi-amd64-signed

returns

    No DKMS packages installed: not changing Secure Boot validation state.
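As an added illustration (not code from the thread or from mokutil), this POSIX sh script reproduces the check mokutil performs, as the strace log above shows it: it reads the SecureBoot and SetupMode variables from an efivarfs-style directory, reports "unsupported" when either variable file is missing (the ENOENT case on sakurita's laptop), and treats SetupMode=1 as not enforcing. The directory argument, the function names and the constructed test files are the example's own; the GUID 8be4df61-93ca-11d2-aa0d-00e098032b8c is the standard EFI_GLOBAL_VARIABLE GUID that the thread masks with asterisks.

```shell
#!/bin/sh
# Added example, not from the thread: re-implement the check mokutil makes.
# efivarfs exposes each UEFI variable as NAME-GUID; the file holds a 4-byte
# little-endian attribute word followed by the variable data. SecureBoot and
# SetupMode (EFI_GLOBAL_VARIABLE GUID) each carry a single data byte.
EFI_GLOBAL_GUID="8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivarfs_mounted: true when efivarfs is mounted (Aki's "mount | grep efivarfs")
efivarfs_mounted() {
    grep -qs ' efivarfs ' /proc/mounts
}

# efivar_byte DIR NAME: print the first data byte as a decimal, or fail if the
# variable file is absent or empty (the ENOENT case seen in the strace log).
efivar_byte() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || return 1
    b=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    [ -n "$b" ] || return 1
    echo "$b"
}

# sb_state [DIR]: print unsupported | setup-mode | enabled | disabled.
# DIR defaults to the real efivarfs mount; the tests pass a constructed directory.
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    sb=$(efivar_byte "$dir" SecureBoot) || { echo unsupported; return 2; }
    sm=$(efivar_byte "$dir" SetupMode) || { echo unsupported; return 2; }
    # SetupMode=1 means no PK is enrolled, so nothing is enforced whatever SecureBoot says
    if [ "$sm" = 1 ]; then echo setup-mode; return 1; fi
    if [ "$sb" = 1 ]; then echo enabled; return 0; fi
    echo disabled; return 1
}

# make_var DIR NAME BYTE: write a constructed efivarfs-format file for tests
# (attributes NV|BS|RT = 0x00000007 little-endian, then one data byte).
make_var() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    printf '\007\000\000\000' > "$f"
    printf "\\$(printf '%03o' "$3")" >> "$f"
}

# Stand-alone use against the live system: sh sbcheck.sh --run
if [ "${1:-}" = "--run" ]; then
    efivarfs_mounted || echo "efivarfs is not mounted on /sys/firmware/efi/efivars" >&2
    sb_state
fi
```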

Aki
Posts: 453
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 6 times
Been thanked: 59 times

Re: Mokutil - This system doesn't support Secure Boot

#5 Post by Aki »

sakurita wrote: 2023-01-22 18:45 So I manually created the missing file (notice that I replaced the hexadecimal with * because I don't know if it is important):

    touch /sys/firmware/efi/efivars/SecureBoot-*******************

then I got a new error

    Failed to read "SetupMode" variable: No such file or directory

then I manually created the new required file:

    touch /sys/firmware/efi/SetupMode-*******************

So I don't know why these files are not automatically created
The files in /sys/firmware/efi/efivars/ are the way the Linux kernel views/accesses UEFI's non-volatile memory (NVM) stored in the firmware memory (usually, flash memory on the motherboard). These variables control the way the UEFI firmware behaves, therefore it is better not to play with these variables.

I'm not a UEFI expert, but I often read that the possibility to brick your computer could be quite high if you modify some important NVM variable so that the firmware cannot get rid of it anymore.

There's a specific command named efivar [1] to deal with them, but it's better to be very cautious even with it. Try to investigate the content of the UEFI NVM using that command, but it is quite strange that, booting in UEFI mode, this variable is not available.

What is your computer manufacturer and model? What is the BIOS release version and release date?
sakurita wrote: 2023-01-22 18:45 On the other hand:

    apt reinstall shim-signed grub-efi-amd64-signed

returns

    No DKMS packages installed: not changing Secure Boot validation state.

The aforementioned message seems to be generated by a shim script (see [2]) and it seems to be triggered when the directory /var/lib/dkms does not exist. This could happen if you didn't install dkms [3] at all, or you installed a newer kernel but did not install the matching dkms package. What kernel are you using?

Have you previously modified / edited / deleted NVM variables?

---
[1] https://packages.debian.org/bullseye/efivar
[2] https://sources.debian.org/src/shim-sig ... l=149#L149
[3] https://packages.debian.org/bullseye/dkms

sakurita
Posts: 4
Joined: 2023-01-22 11:19
Has thanked: 2 times

Re: Mokutil - This system doesn't support Secure Boot

#6 Post by sakurita »

Aki wrote: 2023-01-22 19:23 What is your computer manufacturer and model? What is the BIOS release version and release date? [...] What kernel are you using?

    uname -r
    5.10.0-20-amd64

    ls /var/lib/dkms
    dkms_dbversion

    sudo apt info dkms
    Package: dkms
    Version: 2.8.4-3

This laptop is an Asus
Model F541UA

    BIOS vendor: American Megatrends Inc.; Ver: X541UA.307; Product Version: 1.0

so using BIOS version V307

It's the last BIOS available for this model; according to dmesg, a buggy BIOS

    DMI: ASUSTeK COMPUTER INC. X541UA/X541UA, BIOS X541UA.307 04/17/2019
    [    0.079942] DMAR: [Firmware Bug]: No firmware reserved region can cover this RMRR [0x0000000088800000-0x000000008cffffff], contact BIOS vendor for fixes
    [    0.079948] DMAR: [Firmware Bug]: Your BIOS is broken; bad RMRR [0x0000000088800000-0x000000008cffffff]
    [    0.079954] DMAR-IR: x2apic is disabled because BIOS sets x2apic opt out bit.
    [    0.079955] DMAR-IR: Use 'intremap=no_x2apic_optout' to override the BIOS setting.
    [    0.317587] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored

sakurita
Posts: 4
Joined: 2023-01-22 11:19
Has thanked: 2 times

Re: [Solved] Mokutil - This system doesn't support Secure Boot

#7 Post by sakurita »

Finally I resolved the problem following these steps:
-Reboot into "Bios"
-Deleted all boot entries
-Save changes and exit

    mokutil --sb-state
    SecureBoot enabled

    update-grub

Added an extra line in the grub menu, called UEFI firmware

    sudo dpkg-reconfigure grub-efi-amd64

selecting these options:
-Not force UEFI
-Update NVRAM

Now it is time to test enrolling my own PK and test signing modules.

Aki
Posts: 453
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 6 times
Been thanked: 59 times

Re: [Solved] Mokutil - This system doesn't support Secure Boot

#8 Post by Aki »

Hello,
Thank you for updating us on progress. Happy you solved it.
