Cannot delete mok global password

I am trying to disable or change the MOK password. The password I set many months ago does not work, or I forgot it, or someone/something changed it.

By the way, I cannot disable (clear) or change the password. I tried:

  1. mokutil --password
  2. mokutil --clear-password
  3. mokutil --revoke-import (it worked, because there was no password dialog, but I still cannot reset the password)
  4. mokutil --reset

You present your conclusion without describing any facts that your conclusion is based upon. Start with describing your actual problem.

When I update my system and reboot the computer, MokManager asks for a password. The password I remember does not apply. After I type the password three times, the computer continues booting. I tried many times to reboot and provide different passwords I may have set. None of them matched. I even followed advice on the internet to set a single character, 1, with mokutil --password, but it did not help.

I remember I set the password with mokutil --password long, long ago, and I remember I typed it into MokManager long ago, so I do not know why this does not work. I do not even know why I cannot change or clear the password.
How do I clear or change the MokManager password?

I have not set any MOK password; when MokManager opens and asks for a password, I use my root password.

OK. I cannot type my root password - it contains national characters.

After changing my root password and typing

mokutil --password --root-pw

nothing changes.
And I cannot delete the password:

mokutil --clear-password

So what happens after reboot?

It asks for a password. I tried typing the password I remembered, but after three attempts it continues to boot.

You are right. Before MokManager does any boot-time management you must authenticate yourself if a password is set. Your options are

  1. Do a complete BIOS settings reset including all EFI variables. That will clear the password.
  2. Boot EFI Shell (or any other EFI boot-time application that can manage variables) and use it to delete variable MokPWStore.

The variable where the password is kept is boot-time only and cannot be cleared from within the booted OS.
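To make the boot-time-only point concrete, here is an added Python example (not from this thread, nor from shim or mokutil) that decodes efivarfs entries, whose files begin with a 4-byte EFI attribute mask: a variable stored without runtime access, as shim stores MokPWStore, is never listed under /sys/firmware/efi/efivars, so nothing in the running OS can delete it. The sample directory it builds is constructed; the shim vendor GUID is the real one used for the Mok* variables.

```python
import os
import struct
import tempfile

# EFI variable attribute bits from the UEFI specification.
EFI_VARIABLE_NON_VOLATILE = 0x1
EFI_VARIABLE_BOOTSERVICE_ACCESS = 0x2
EFI_VARIABLE_RUNTIME_ACCESS = 0x4

# Vendor GUID under which shim stores its Mok* variables.
SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"

def attr_names(mask):
    """Render an attribute mask as e.g. 'NV|BS|RT' ('none' for 0)."""
    bits = [(EFI_VARIABLE_NON_VOLATILE, "NV"),
            (EFI_VARIABLE_BOOTSERVICE_ACCESS, "BS"),
            (EFI_VARIABLE_RUNTIME_ACCESS, "RT")]
    return "|".join(n for b, n in bits if mask & b) or "none"

def list_mok_variables(efivars_dir="/sys/firmware/efi/efivars"):
    """Return {name: attributes} for every shim Mok* variable efivarfs shows.

    efivarfs names each file NAME-GUID; the file body starts with a 4-byte
    little-endian attribute mask followed by the variable data."""
    result = {}
    for fname in os.listdir(efivars_dir):
        name, guid = fname[:-37], fname[-36:]
        if len(fname) < 38 or guid.lower() != SHIM_LOCK_GUID:
            continue
        if not name.startswith("Mok"):
            continue
        with open(os.path.join(efivars_dir, fname), "rb") as f:
            (attrs,) = struct.unpack("<I", f.read(4))
        result[name] = attr_names(attrs)
    return result

def mok_password_clearable_from_os(efivars_dir="/sys/firmware/efi/efivars"):
    """True only if MokPWStore is exposed with runtime access; shim stores it
    NV|BS only, so on a real system this is False."""
    return "RT" in list_mok_variables(efivars_dir).get("MokPWStore", "")

def make_sample_efivars():
    """Constructed snapshot: MokListRT is exported to the OS (BS|RT) while
    MokPWStore, kept by shim without RT, is never listed at runtime."""
    d = tempfile.mkdtemp()
    attrs = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS
    with open(os.path.join(d, "MokListRT-" + SHIM_LOCK_GUID), "wb") as f:
        f.write(struct.pack("<I", attrs) + b"\x00" * 16)  # dummy payload
    return d
```

Running list_mok_variables() with its default path on a real Secure Boot system shows the runtime-exported Mok* variables and, as the answer above says, no MokPWStore.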

That’s great. I knew Linux unmounts some EFI partition to enhance security and MokManager was born to add module/kernel certificates (even when the system is compromised, an attacker cannot do much - even as root), so this makes sense. Thanks!

Hi. Can't I boot my system in non-secure mode (by making a change in the YaST2 bootloader module) and simply rm /sys/firmware/efi/efivars/SOME_VARIABLE? I do not have an EFI shell in the boot options. I can enter SETUP (BIOS/EFI), because that password I do remember. I remember the root PW.

I do not see this variable under /sys/firmware/efi/efivars.

I downloaded the EFI Shell from https://github.com/tianocore/edk2/releases/download/edk2-stable202002/ShellBinPkg.zip . I disabled Secure Boot to launch it.

When typing dmpstore MokPWStore, it complains there is no variable with that name and displays a GUID.
Maybe this variable was deleted and MOK remembers that it must ask for a password, so I cannot authorize?
PS: Is there a way to create the variable on Linux? Which cipher algorithm should I select to encode the password? In which format should I save it?

This looks odd:
https://www.mail-archive.com/search?l=opensuse-commit@opensuse.org&q=subject:"commit+shim+for+openSUSE%3AFactory"&o=newest&f=1

+diff --git a/MokManager.c b/MokManager.c
+index b832e40..bef4d8c 100644
+--- a/MokManager.c
 b/MokManager.c
+@@ -1107,7 +1107,11 @@ static INTN mok_pw_prompt (void *MokPW, UINTN 
MokPWSize) {
+ 
+   LibDeleteVariable(LMokPWStore, 
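Review bot: the hunk is cut off right after `LibDeleteVariable(LMokPWStore,` and the `+++ b/MokManager.c` header lost its prefix in pasting, so the condition under which mok_pw_prompt deletes the stored password is not visible here; the `@@ -1107,7 +1107,11 @@` header announces eleven lines of new content, of which only two are shown, and `LMokPWStore` appears to be the wide-string literal L"MokPWStore" with its quotes stripped. Read the full commit from the linked mail archive before concluding that MokManager deletes MokPWStore whenever it prompts.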

I did not read the whole sources, but it looks like, when MokManager asks for a password, it could delete the MokPWStore variable.

I saw: UEFI enroll password for community kernel. So, maybe I should enter the root password? But my root password contains national characters, so I cannot use it. Does changing the root password work?

What is not clear in “The variable where password is kept is boot time only and cannot be cleared from within booted OS”?

Did you try to read the dmpstore command help? You need to specify the correct GUID or use the -all flag so dmpstore will also search other GUIDs besides the default one.


Thanks. It worked:

dmpstore -all -d MokPWStore

I did not read the help, because typing help in the terminal does not explain how to invoke commands with a pager.

Now I have set a new password, which I encrypt in Plasma Vault. I prefer to keep this password on another device (best: one not connected to the network), but the Steam Deck has problems with Plasma Vault. I could keep this password as plain text, too, because an attacker cannot use it on a working system, but I prefer to encrypt it. Keeping the password on the same device is a security risk, because somebody who stole that device could have access.

Is it safe to keep this password unencrypted on the Deck?

PS: What is the best way to mark this thread as solved?