Comment # 45 on bug 1175626 from
(In reply to John Shaw from comment #43)
> (In reply to Gary Ching-Pang Lin from comment #38)
> > So there is no pending MOK request and shim/grub2 are up-to-date, then it's a
> > different issue.
> > 
> > Could you set SHIM_VERBOSE with this command and enable Secure Boot again?
> > 
> >   # mokutil --set-verbosity true
> > 
> > It'd make shim print more information. I hope we can get more clues from
> > that...
> > 
> > ("mokutil --set-verbosity false" removes SHIM_VERBOSE.)
> > 
> > As for grubx64.efi, it's unsigned grub2 with dynamic module loading enabled.
> > To make sure that grub2 won't load any malicious code, grub.efi is generated
> > as a monolithic image and built in the necessary modules. That's the image
> > we sign. On the other hand, grubx64.efi is a fallback for the system without
> > Secure Boot or with disabled Secure Boot, so it's unsigned.
> > 
> > As for the verification of shim, it's supposed to be verified by "Microsoft
> > Corporation UEFI CA 2011", and it can be downloaded from the following link:
> > 
> > https://go.microsoft.com/fwlink/p/?linkid=321194
> 
> This seemed to be working on my machine after the last round of grub2
> updates went through, then this morning a new nVidia driver update came
> (along with about 20 other updates). On reboot with SecureBoot enabled, the
> machine hung after POST with a black screen. I rebooted with SecureBoot
> disabled (i.e., selected OtherOS in the ASUS BIOS), and it brought up the MOK
> Manager. However, unlike before, the options are now different. There is no
> "enroll MOK", just: Continue, Reset MOK, Delete MOK, and enroll key and
> enroll hash from disk.
> 
I guess the update of the kernel triggered the enrollment of the new signkey and
the deletion of the old signkey. But somehow MokNew was gone, so MokManager
thought that there was a reset.

> It's unclear what to enroll. I basically gave up and rebooted without
> SecureBoot and still did not have working video drivers. I forced YaST to
> reinstall them, rebooted, and it's now working (not SecureBoot). I guess at
> this point, I will just keep SecureBoot disabled. It's scary what would
> happen if I did not have that option, or for some reason I wanted to dual
> boot with Windows.
> 
> It's possible the keys are all screwed up somehow on my machine (there are a
> number saved according to mokutil, but nothing that looks related to
> nvidia). Is there a simple way to reset the whole MOK status without
> reinstalling the OS (yet again)? It's not clear that that would reset the
> keys stored in the BIOS.

Reinstalling the OS won't change MokList. The most reliable way is to reset the
firmware to factory default. You'll need to restore the boot entries after
that.

