Comment # 53 on bug 1175626 from
(In reply to Martin Wilck from comment #48)
> (In reply to Gary Ching-Pang Lin from comment #45)
> 
> > I guess the update of kernel triggered the enrollment of new signkey and the
> > deletion of the old signkey. But somehow MokNew was gone, so MokManager
> > thought that there was a reset.
> 
> How would MokNew go away? The scriptlets in the kernel rpm are written so
> that the keys won't be deleted as long as the system still has one kernel
> installed that needs them.
> 
MokManager deletes the MokNew after loading it. This is a bug that should be fixed.

It seems to me that MokManager was loaded but got stuck or just failed to draw
the screen.

John,

Have you seen the MokManager screen with Secure Boot enabled before? I wonder
if it's a drawing problem.

[snip]

> 
> > > I forced Yast to
> > > reinstall them, rebooted, and it's now working (not SecureBoot).
> 
> The forced reinstall may have caused harm. When you reinstall (and the
> version number of the nvidia-gfxG05-kmp-default package is the same as
> before), the installation procedure will generate a new key with the same
> file name, overwriting the previous one. Because of rpm scriptlet ordering
> (%postun is executed after %post), this might lead to the old key remaining
> present and the new one not being enrolled. I'm not 100% certain about this,
> but I guess it could happen. It's safer to delete the package and install it
> again.
> 
> I'm not saying this is the user's fault. It's rather a corner case that we
> may have overlooked. It does not apply to the kernel packages.
> 
> > Reinstalling OS won't change MokList. The most reliable way is to reset the
> > firmware to factory default. You'll need to restore the boot entries after
> > that.
> 
> Isn't this an overkill recommendation? It should be only a last resort
> measure. Perhaps MokManager should have an option to reset the MokList only.

Although mokutil can create a reset request, it seems MokManager cannot be
launched reliably, and that's why I recommend a firmware reset.

