Kernel 6.18.0: mokutil failed to enroll new keys

Done!

fwupdmgr security
Host Security ID: HSI:0! (v2.0.18)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ MEI key manifest:              Valid
✔ csme manufacturing mode:       Locked
✔ csme override:                 Locked
✔ csme v0:16.1.38.2676:          Valid
✔ Platform debugging:            Disabled
✔ SPI write:                     Disabled
✔ SPI lock:                      Enabled
✔ SPI BIOS region:               Locked
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✘ TPM v2.0:                      Not found

HSI-2
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✘ BIOS rollback protection:      Disabled

HSI-3
✔ CET Platform:                  Supported
✔ Intel BootGuard error policy:  Valid
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Disabled

Runtime Suffix -!
✔ CET OS Support:                Supported
✔ fwupd plugins:                 Untainted
✔ UEFI db:                       Valid
✘ Linux kernel lockdown:         Disabled
✘ Linux swap:                    Unencrypted
✘ Linux kernel:                  Tainted
✘ UEFI secure boot:              Disabled

@malcolmlewis Do you think it is necessary to run
mokutil --enable-validation?
In an intermediate step I disabled validation.

@verga that should be fine. Is TPM 2.0 enabled in the BIOS? I would suggest enabling it; then, if you install the tpm2.0-tools package, it should show up as well after a reboot.

Aside from that you should be good to go…

I think that we may close this issue.
Thanks!
