Cannot re-enroll keys after upgrading system
NomisIV opened this issue · comments
NomisIV commented
I upgraded the CPU in my system, and after booting, the computer prompted me to wipe the fTPM. After booting (with secure-boot disabled) I tried enrolling the keys again.
How to reproduce:
- Unknown initial state after clearing the fTPM from upgrading the CPU
- Wipe all keys (or some keys) in UEFI settings
- Enter setup mode in UEFI
- run `sbctl enroll-keys --microsoft` in a CLI, as root
I get the following error from the command:
```
Enrolling keys to EFI variables...
With vendor keys from microsoft...✗
sbctl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f: permission denied
```
I have previously had secure boot enabled on this computer (with the old CPU), for which I created and enrolled the keys without any issue. I don't understand why it's not working now.
Morten Linderud commented
Which version of sbctl is this?
NomisIV commented
Version 0.12
Morten Linderud commented
Please update to 0.13. `sbctl` shouldn't be acting on the `dbx` variable anymore.
NomisIV commented
That seems to have solved my problem! I will try rebooting now :)