
Thread: What is the message of "Enrol MOK" while booting from UEFI

  1. #1

    What is the message of "Enrol MOK" while booting from UEFI

    Hello everyone,

    After one of the recent upgrades (at least before or equal to snapshot 20180425), my laptop asks me if I want to enrol the MOK. If I try to enrol it, a password is required. But I don't know any password to this. If I do not respond, the system will boot after several seconds. This is a new thing to me.

    Could anyone please tell me what this is? And what should I do to deal with it?

    P.S. The key is from openSUSE Project. Fingerprint is,
    Code:
    18 8E A6 FA 76 FB FC FE 6F 67
    24 47 20 AB 61 DF 7F 43 D1 4A
    All the best,
    CnZhx
    openSUSE Tumbleweed (usually the latest snapshot) w/ KDE Plasma 5

  2. #2
    Re: What is the message of "Enrol MOK" while booting from UEFI

    I have been seeing that message on several boots -- I'm not sure why. Presumably some change in the nvram data structure causes MokManager to be loaded.

    I just hit enter, and it continues booting. I do not select "Enrol MOK" from the menu.

    As to what that "enroll" is: You can create your own key for signing kernels. If you do that, then you need to enroll it before you can use it. The main purpose is to allow you to compile your own kernel and sign it yourself, yet still use secure-boot. There's a description of all of that on the openSUSE wiki.

    Assuming that you are not doing that, just hit enter when you see that prompt. It does not show up on every boot.
    openSUSE Leap 15.3; KDE Plasma 5.18.6;

  3. #3
    Re: What is the message of "Enrol MOK" while booting from UEFI

    Quote Originally Posted by nrickert View Post
    I have been seeing that message on several boots -- I'm not sure why. Presumably some change in the nvram data structure causes MokManager to be loaded.

    I just hit enter, and it continues booting. I do not select "Enrol MOK" from the menu.

    As to what that "enroll" is: You can create your own key for signing kernels. If you do that, then you need to enroll it before you can use it. The main purpose is to allow you to compile your own kernel and sign it yourself, yet still use secure-boot. There's a description of all of that on the openSUSE wiki.

    Assuming that you are not doing that, just hit enter when you see that prompt. It does not show up on every boot.
    Now that you're mentioning this, I have had the impression it only shows up after a Tumbleweed kernel update, but didn't verify.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  4. #4
    Re: What is the message of "Enrol MOK" while booting from UEFI

    On Tue 01 May 2018 09:06:03 PM CDT, Knurpht wrote:

    nrickert;2864291 Wrote:
    > I have been seeing that message on several boots -- I'm not sure why.
    > Presumably some change in the nvram data structure causes MokManager to
    > be loaded.
    >
    > I just hit enter, and it continues booting. I do not select "Enrol
    > MOK" from the menu.
    >
    > As to what that "enroll" is: You can create your own key for signing
    > kernels. If you do that, then you need to enroll it before you can use
    > it. The main purpose is to allow you to compile your own kernel and
    > sign it yourself, yet still use secure-boot. There's a description
    > of all of that on the openSUSE wiki.
    >
    > Assuming that you are not doing that, just hit enter when you see that
    > prompt. It does not show up on every boot.


    Now that you're mentioning this, I have had the impression it only shows
    up after a Tumbleweed kernel update, but didn't verify.


    Hi
    Correct, select enrol and enter the root password. It's the updated
    kernel signature for secure boot.

    --
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    Tumbleweed - 20180429 | GNOME Shell 3.28.1 | 4.16.4-1-default
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!


  5. #5
    Re: What is the message of "Enrol MOK" while booting from UEFI

    Quote Originally Posted by malcolmlewis View Post
    Hi
    Correct, select enrol and enter the root password. It's the updated
    kernel signature for secure boot.

    OK, thanks for the info. Will do so on the next kernel update after my regular root password change.

  6. #6

    Re: What is the message of "Enrol MOK" while booting from UEFI

    Hi, thank you guys, @nrickert , @Knurpht and @malcolmlewis , you are extremely helpful and responsive.

    I am not going to quote for this for the sake of saving space.

    I never would think that the password is the root password. I will update it at next boot.

    I heard there was a signing key update for openSUSE but I thought the updater (`zypper dup`) could take care of this.

  7. #7
    Re: What is the message of "Enrol MOK" while booting from UEFI

    Quote Originally Posted by cnzhx View Post
    Hi, thank you guys, @nrickert , @Knurpht and @malcolmlewis , you are extremely helpful and responsive.

    I am not going to quote for this for the sake of saving space.

    I never would think that the password is the root password. I will update it at next boot.

    I heard there was a signing key update for openSUSE but I thought the updater (`zypper dup`) could take care of this.
    You're welcome. I can finally tell my oldest son (who tried entering a signing key dozens of times) what to do. He also tried to enter half of the internet, but not his root password. In his case (some Lenovo linux killer) sometimes the whole boot process stops and he had to reset the laptop a couple of times. Texted him about this, and he just confirmed that the MOK screen doesn't show up after reboots.

  8. #8

    Re: What is the message of "Enrol MOK" while booting from UEFI

    Quote Originally Posted by Knurpht View Post
    You're welcome. I can finally tell my oldest son (who tried entering a signing key dozens of times) what to do. He also tried to enter half of the internet, but not his root password. In his case (some Lenovo linux killer) sometimes the whole boot process stops and he had to reset the laptop a couple of times. Texted him about this, and he just confirmed that the MOK screen doesn't show up after reboots.
    Guess what. The Enrollment prompt disappeared in my case, too. It seems I have to do this the next time a kernel is updated.

  9. #9
    Re: What is the message of "Enrol MOK" while booting from UEFI

    Thank you Malcolm.
    It worked with Tw 20180501.

  10. #10

    Re: What is the message of "Enrol MOK" while booting from UEFI

    I found this thread when searching for info about the openSUSE secure boot sign key and the information found here is very useful. But I still have one unanswered question: How can I verify that a key that is shown in Mok manager is really from openSUSE?

    I have secure boot enabled because I think it is added security. I also created my own key to be able to boot certain unsigned kernels, so I know I can enter anything in the signing certificate to make it look real, except for the fingerprint. But I find no information of what fingerprint to expect from openSUSE, so if I just enroll the key I defeat the purpose of the added security. Then a hacker could somehow set up his own key so on next boot it would get enrolled by the user.

    So, does anyone know where I can find the fingerprints of the openSUSE public key for signing secure boot?
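
Added example, not written by any poster in this thread and not openSUSE's own tooling: one way to do the comparison post #10 asks about is to hash a certificate file obtained from a source you already trust and compare it with the fingerprint shown on the enrolment screen. It assumes the 20-byte fingerprint from post #1 is the SHA-1 digest of the DER-encoded certificate; the certificate file path is supplied by the user, and `SAMPLE_DER` is constructed test data.

```python
import base64
import hashlib
import hmac
import re
import sys

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_bytes(data: bytes) -> bytes:
    """Return the DER encoding of a certificate supplied as DER or PEM."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data

def cert_sha1(data: bytes) -> str:
    """SHA-1 over the DER bytes, lowercase hex (assumed fingerprint type)."""
    return hashlib.sha1(der_bytes(data)).hexdigest()

def normalize(shown: str) -> str:
    """Turn a fingerprint copied from the screen into 40 lowercase hex digits."""
    digits = re.sub(r"[\s:]", "", shown).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("expected exactly 20 hex bytes")
    return digits

def matches(cert_data: bytes, shown: str) -> bool:
    """True only if the certificate hashes to the fingerprint that was shown."""
    return hmac.compare_digest(cert_sha1(cert_data), normalize(shown))

# Fingerprint exactly as posted in #1 (two lines, space-separated bytes).
POSTED = """18 8E A6 FA 76 FB FC FE 6F 67
24 47 20 AB 61 DF 7F 43 D1 4A"""

# Constructed stand-in bytes, NOT a real certificate; for self-testing only.
SAMPLE_DER = b"\x30\x82constructed-sample-not-a-real-certificate"

if __name__ == "__main__":
    # Usage: script.py <certificate file from a source you trust>
    with open(sys.argv[1], "rb") as fh:
        ok = matches(fh.read(), POSTED)
    print("fingerprint matches" if ok else "MISMATCH: do not enrol")
    sys.exit(0 if ok else 1)
```

The check is only as trustworthy as the channel the certificate file came from; a file fetched over the same path an attacker controls proves nothing.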
