On Thursday, 13.01.2022 at 01:19 +0100, Daniel Leidert wrote:
>
> I'm creating the /root/mok.der key (in Sid dkms changed to /root/dkms.der) and
> try to register it with mokutil during a custom installation. I tried the
> preseed/late_command and I also tried a script with simple-cdd. But in all
> cases I get on UEFI systems (real hardware included):
>
> EFI variables are not supported on this system
>
> and have to enroll it after the first boot. Only then the modules built and
> signed are loaded.
>
> I tried loading the efivarfs module via preseed/early_command and I can
> confirm that /sys/firmware/efi/efivars/ is actually there (but empty).
>
> I'd really appreciate to enroll the key *during* installation, while the
> Debian installer is running. Is there any way I can do this?

I got it to work. I'm using a script that I load via preseed/late_command. The
script does this:

> #!/bin/sh
>
> set -x
>
> # Make the EFI variable filesystem visible inside the installed system
> modprobe efivarfs || true
>
> mount -t efivarfs efivarfs /target/sys/firmware/efi/efivars || true
>
> # Nothing to enroll if the key was not created
> test -e /target/root/mok.der || exit 0
> in-target echo "Enroll DKMS mok.der key" >&2
> # mokutil asks for the enrollment password twice; feed it on stdin
> in-target sh -c "printf 'Pass\nPass\n' | /usr/bin/mokutil --import /root/mok.der"
>
> umount /target/sys/firmware/efi/efivars || true
>
> exit 0

I'd like to use 'mokutil --import <file> --root-pw', but that fails with
something like "Failed to get root password hash", so I have to set the
password directly. Any idea about the error message and how to fix it?

Special thanks to @kibi for the printf hint.

Regards, Daniel
--
Regards,
Daniel Leidert <dleid...@debian.org> | https://www.wgdd.de/
GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78
https://www.fiverr.com/dleidert
https://www.patreon.com/join/dleidert
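
An added diagnostic, not part of the original message and not code from mokutil or the Debian installer: since --root-pw reuses root's password hash from the shadow file, a first check for the "Failed to get root password hash" error is how that hash is stored in the installed system. The function names and the /target/etc/shadow default are assumptions; which schemes --root-pw accepts depends on the mokutil version and is not stated in this thread.

```shell
#!/bin/sh
# Added example (hypothetical helper names): report how root's password is
# stored in a shadow file, without ever printing the hash itself.

# root_hash_field FILE: print field 2 of root's entry, fail if root is absent.
# Pure sh so it also works in a minimal installer environment.
root_hash_field() {
    while IFS=: read -r user hash _rest; do
        if [ "$user" = "root" ]; then
            printf '%s\n' "$hash"
            return 0
        fi
    done < "$1"
    return 1
}

# classify_hash FIELD: map a shadow password field to its crypt(3) scheme.
classify_hash() {
    case "$1" in
        '')             echo "empty" ;;        # no password set
        '!'*|'*'*)      echo "locked" ;;       # account locked, no usable hash
        '$1$'*)         echo "md5crypt" ;;
        '$2'[abxy]'$'*) echo "bcrypt" ;;
        '$5$'*)         echo "sha256crypt" ;;
        '$6$'*)         echo "sha512crypt" ;;
        '$y$'*)         echo "yescrypt" ;;
        '$'*)           echo "unknown" ;;      # some other modular format
        *)              echo "des-or-other" ;; # no $id$ prefix
    esac
}

# root_pw_scheme FILE: combine both steps for one shadow file.
root_pw_scheme() {
    field=$(root_hash_field "$1") || { echo "no-root-entry"; return 1; }
    classify_hash "$field"
}

# From preseed/late_command the installed system's file is /target/etc/shadow
# (assumed default); pass another path as the first argument to override.
if [ "$#" -gt 0 ]; then
    root_pw_scheme "$1"
elif [ -r /target/etc/shadow ]; then
    root_pw_scheme /target/etc/shadow
fi
```

An "empty" or "locked" result means there is no root hash to reuse at all, which is the case when the preseed creates no root password.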