[Solved] Mokutil - This system doesn't support Secure Boot

[sakurita]

I was reading the debian wiki documentation (Secure Boot), of course my Asus laptop has an UEFI BIOS:

-CSM is disabled
-Fastboot is disabled

When i type the command:

Code: Select all

mokutil --sb-state

it returns

Code: Select all

This system doesn't support Secure Boot

Any idea?

[kent_dorfman766]

-CSM is disabled

Would this answer your question? If your call to mokutil just queiries the bios setting and CSM is realated to secure boot?

WFIW, IMHO secure boot isn't worth the hassle and I disable it on systems where I'm allowed to do so.

[Aki]

Hello,

I was reading the debian wiki documentation (Secure Boot), of course my Asus laptop has an UEFI BIOS:
When i type the command:

Code: Select all

mokutil --sb-state

it returns

Code: Select all

This system doesn't support Secure Boot

Any idea?

What Debian version are you using ?

It is possible that, for some reason, the command cannot access to the /sys/firmware/efi/efivars/ filesystem . You can verify with:

Code: Select all

su -l -c "apt install strace"
strace -o strace.log mokutil --sb-state

The strace.log will contain the system calls.

Perhaps the efivars directory is not mounted in /sys/firmware/efi for some reason; for example, in my working installation with Debian Stable (11.6):

Code: Select all

$ mokutil --sb-state
SecureBoot enabled
$ mount | grep efivarfs
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)

---
[1] https://wiki.debian.org/UEFI#efibootmgr_and_efivar
[2] viewtopic.php?t=152538

[sakurita]

Hello,

I was reading the debian wiki documentation (Secure Boot), of course my Asus laptop has an UEFI BIOS:
When i type the command:

Code: Select all

mokutil --sb-state

it returns

Code: Select all

This system doesn't support Secure Boot

Any idea?

What Debian version are you using ?

It is possible that, for some reason, the command cannot access to the /sys/firmware/efi/efivars/ filesystem . You can verify with:

Code: Select all

su -l -c "apt install strace"
strace -o strace.log mokutil --sb-state

The strace.log will contain the system calls.

Perhaps the efivars directory is not mounted in /sys/firmware/efi for some reason; for example, in my working installation with Debian Stable (11.6):

Code: Select all

$ mokutil --sb-state
SecureBoot enabled
$ mount | grep efivarfs
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)

---
[1] https://wiki.debian.org/UEFI#efibootmgr_and_efivar
[2] viewtopic.php?t=152538

I'm using Debian 11
I followed your steps:

Code: Select all

efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)

Code: Select all

mokutil --sb-state
This system doesn't support Secure Boot

It becomes to being interesting with:

Code: Select all

strace -o strace.log mokutil --sb-state

Code: Select all

openat(AT_FDCWD, "/sys/firmware/efi/efivars/SecureBoot-*******************", O_RDONLY) = -1 ENOENT (File or directory not exist)
write(2, "This system doesn't support Secu"..., 40) = 40
exit_group(-1)    

So i manual create the missing file (notice that i replaced hexadecimal with * because i don't know is important):

Code: Select all

touch /sys/firmware/efi/efivars/SecureBoot-*******************"

then i got a new error

Code: Select all

Failed to read "SetupMode" variable: No such file or directory

then i manual create the new required file:

Code: Select all

touch /sys/firmware/efi/SetupMode-*******************"

Finally:

Code: Select all

strace -o strace.log mokutil --sb-state
SecureBoot enabled

So i don't know why this filles are not automatically created, but secureboot seems to work using default manufactured PK.

In the other hand:

Code: Select all

apt reinstall shim-signed grub-efi-amd64-signed

returns

Code: Select all

No DKMS packages installed: not changing Secure Boot validation state.

[Aki]

So i manual create the missing file (notice that i replaced hexadecimal with * because i don't know is important):

Code: Select all

touch /sys/firmware/efi/efivars/SecureBoot-*******************"

then i got a new error

Code: Select all

Failed to read "SetupMode" variable: No such file or directory

then i manual create the new required file:

Code: Select all

touch /sys/firmware/efi/SetupMode-*******************"

So i don't know why this filles are not automatically created

The files in /sys/firmware/efi/efivars/ is the way the linux kernel view/access to UEFI's non volatile memory (NVM) stored in the firmware memory (usually, flash memory on the motherboard). These variables control the way UEFI firmware behaves, therefore it is better not to play with these variables.

I'm not an UEFI expert, but I often read that the possibility to brick your computer could be quite high if you modify some important NVM variable so that the firmware cannot get rid of it anymore.

There's a specific command named efivar [1] to deal with them, but it's better to be very cautious even with it. Try to investigate the content of UEFI NVM using that command, but it is quite strange that booting in UEFI mode this variable is not available.

What is your computer manufacturer and model ? What is the BIOS release version and release date ?

In the other hand:

Code: Select all

apt reinstall shim-signed grub-efi-amd64-signed

returns

Code: Select all

No DKMS packages installed: not changing Secure Boot validation state.

The aforementioned message seems to be generated by a shim script (see [2]) and it seems to be triggered when the directory /var/lib/dkms does not exists. This could happen if you didn't installed dkms [3] at all or you installed a newer kernel, but you did not install the matching dkms package. What kernel are you using ?

Have you previously modified / edited / deleted NVM variables ?

---
[1] https://packages.debian.org/bullseye/efivar
[2] https://sources.debian.org/src/shim-sig ... l=149#L149
[3] https://packages.debian.org/bullseye/dkms

[sakurita]

So i manual create the missing file (notice that i replaced hexadecimal with * because i don't know is important):

Code: Select all

touch /sys/firmware/efi/efivars/SecureBoot-*******************"

then i got a new error

Code: Select all

Failed to read "SetupMode" variable: No such file or directory

then i manual create the new required file:

Code: Select all

touch /sys/firmware/efi/SetupMode-*******************"

So i don't know why this filles are not automatically created

The files in /sys/firmware/efi/efivars/ is the way the linux kernel view/access to UEFI's non volatile memory (NVM) stored in the firmware memory (usually, flash memory on the motherboard). These variables control the way UEFI firmware behaves, therefore it is better not to play with these variables.

I'm not an UEFI expert, but I often read that the possibility to brick your computer could be quite high if you modify some important NVM variable so that the firmware cannot get rid of it anymore.

There's a specific command named efivar [1] to deal with them, but it's better to be very cautious even with it. Try to investigate the content of UEFI NVM using that command, but it is quite strange that booting in UEFI mode this variable is not available.

What is your computer manufacturer and model ? What is the BIOS release version and release date ?

In the other hand:

Code: Select all

apt reinstall shim-signed grub-efi-amd64-signed

returns

Code: Select all

No DKMS packages installed: not changing Secure Boot validation state.

The aforementioned message seems to be generated by a shim script (see [2]) and it seems to be triggered when the directory /var/lib/dkms does not exists. This could happen if you didn't installed dkms [3] at all or you installed a newer kernel, but you did not install the matching dkms package. What kernel are you using ?

---
[1] https://packages.debian.org/bullseye/efivar
[2] https://sources.debian.org/src/shim-sig ... l=149#L149
[3] https://packages.debian.org/bullseye/dkms

Code: Select all

uname -r
5.10.0-20-amd64

Code: Select all

ls /var/lib/dkms
dkms_dbversion

Code: Select all

sudo apt info dkms
Package: dkms
Version: 2.8.4-3

This laptop is an Asus
Model F541UA

Code: Select all

BIOS vendor: American Megatrends Inc.; Ver: X541UA.307; Product Version: 1.0

so using Bios V307 version

It's the last bios avaliable for this model, acording with dmesg a buggy BIOS

Code: Select all

 DMI: ASUSTeK COMPUTER INC. X541UA/X541UA, BIOS X541UA.307 04/17/2019
[    0.079942] DMAR: [Firmware Bug]: No firmware reserved region can cover this RMRR [0x0000000088800000-0x000000008cffffff], contact BIOS vendor for fixes
[    0.079948] DMAR: [Firmware Bug]: Your BIOS is broken; bad RMRR [0x0000000088800000-0x000000008cffffff]
               BIOS vendor: American Megatrends Inc.; Ver: X541UA.307; Product Version: 1.0       
[    0.079954] DMAR-IR: x2apic is disabled because BIOS sets x2apic opt out bit.
[    0.079955] DMAR-IR: Use 'intremap=no_x2apic_optout' to override the BIOS setting.
[    0.317587] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored

[sakurita]

Finally i resolved the problem following this steps:
-Reboot into "Bios"
-Deleted all boot entries
-Save changes and exit

Code: Select all

mokutil --sb-state
SecureBoot enabled

Code: Select all

update-grub

Added an extra line in grub menu, called UEFI firmware

Code: Select all

sudo dpkg-reconfigure grub-efi-amd64

selecting these options:
-Not force UEFI
-Update NVRAM

Now is time to test enrolling my own PK and test signing modules.

[Aki]

Hello,
Thank you for updating us on progress. Happy you solved it.