Cannot re-enroll keys after upgrading system

Question

Cannot re-enroll keys after upgrading system

NomisIV opened this issue 6 months ago · comments

I upgraded the CPU in my system, and after booting the computer prompted me to wipe the fTPM. After booting (with secure-boot disabled) I tried enrolling the keys again.

How to reproduce:

Unknown initial state after clearing the fTPM from upgrading the CPU
Wipe all keys (or some keys) in UEFI settings
Enter setup mode in UEFI
run sbctl enroll-keys --microsoft in a CLI, as root

I get the following error from the command:

Enrolling keys to EFI variables...
With vendor keys from microsoft...✗
sbctl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f: permission denied

I have previously had secure boot enabled on this computer (with the old CPU), for which I created and enrolled the keys without any issue. I don't understand why it's not working now.

Morten Linderud · Answer 1 · Wed Mar 13 2024 22:12:34 GMT+0800 (China Standard Time)

Which version of sbctl is this?

NomisIV · Answer 2 · Wed Mar 13 2024 23:27:13 GMT+0800 (China Standard Time)

Version 0.12

Morten Linderud · Answer 3 · Wed Mar 13 2024 23:29:47 GMT+0800 (China Standard Time)

Please update to 0.13. sbctl shouldn't be acting on the dbx variable anymore.

NomisIV · Answer 4 · Wed Mar 13 2024 23:40:17 GMT+0800 (China Standard Time)

That seems to have solved my problem! I will try rebooting now :)