sbctl: Unable to enroll keys for strange "permission denied" reason

Hi everyone,

I am currently experimenting with sbctl in order to be able to sign binaries to boot. As of now I have been using a quite old and outdated version of PreLoader and I wanted to either use a newer version signed with my own keys or switch to Shim and properly sign Grub and kernel for everything to be fine.

I have created my own keys via sudo sbctl create-keys but I am having trouble enrolling them, as you can see from the below output:

$ sbctl status
Installed:      ✓ sbctl is installed
Owner GUID:     ba2c48b3-7545-41fa-bc29-d2a091709a1a
Setup Mode:     ✓ Disabled
Secure Boot:    ✓ Enabled
Vendor Keys:    microsoft
$ sudo sbctl enroll-keys --microsoft
[sudo] password for giovanni:
!! File is immutable: /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c
!! File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
!! File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
You need to chattr -i files in efivarfs
$ sudo chattr -i /sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
$ sudo sbctl enroll-keys --microsoft
Enrolling keys to EFI variables...
With vendor keys from microsoft...✗
sbctl requires root to run: couldn't sync keys: couldn't write efi variable: write /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f: permission denied

Any tip on how to proceed? I can provide any information you need.

About this issue

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 46 (23 by maintainers)

Most upvoted comments

I’ll address this issue with some code that checks if we have fulfilled a few requirements before enrolling keys.

Please update to 0.13 and recreate the keys. Please check if it solves the issue. Else I'll fix my tianocore integration suite to check this. Generally everything here has been tested towards tianocore.

Ok, it works, with the following:

  1. Go into the UEFI settings
  2. Put the firmware in Setup Mode (no need to turn off Secure Boot)
  3. Reboot into your Linux OS
  4. Re-do the sbctl enroll-keys

I feel the guides and the app should say clearly that it needs Setup Mode for the whole enroll-keys to work. I will try to enroll my own keys manually too to see if that is also feasible.
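The maintainer's comment above mentions adding a check of the requirements before enrolling keys; the following is an added Go example of such a check (not sbctl's own code) that reads the SetupMode variable from efivarfs, parses its 4-byte attribute header, and refuses to proceed unless the firmware is in Setup Mode, which is exactly the condition the steps above establish. It assumes the standard efivarfs mount point and covers only the Setup Mode requirement, not the immutable-attribute one shown earlier in the thread.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"os"
)

// SetupMode under the standard efivarfs mount (GUID = EFI global namespace, as for PK/KEK above).
const setupModePath = "/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

// ParseEfivar splits an efivarfs file into its leading 4-byte little-endian
// attribute word and the variable payload that follows it.
func ParseEfivar(raw []byte) (attrs uint32, data []byte, err error) {
	if len(raw) < 4 {
		return 0, nil, errors.New("efivar too short: missing 4-byte attribute header")
	}
	return binary.LittleEndian.Uint32(raw[:4]), raw[4:], nil
}

// EnrollPreflight returns nil only when the raw SetupMode variable reports
// Setup Mode. Otherwise a PK is enrolled and the firmware refuses writes to
// PK/KEK/db, which surfaces as "permission denied" even when running as root.
func EnrollPreflight(setupModeRaw []byte) error {
	_, data, err := ParseEfivar(setupModeRaw)
	if err != nil {
		return fmt.Errorf("SetupMode: %w", err)
	}
	if len(data) != 1 {
		return fmt.Errorf("SetupMode: expected 1 data byte, got %d", len(data))
	}
	if data[0] != 1 {
		return errors.New("firmware is in User Mode: enter Setup Mode in the UEFI menu, reboot, then rerun enroll-keys")
	}
	return nil
}

func main() {
	raw, err := os.ReadFile(setupModePath)
	if err == nil {
		err = EnrollPreflight(raw)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "preflight failed:", err)
		os.Exit(1)
	}
	fmt.Println("preflight ok: firmware is in Setup Mode, enroll-keys may proceed")
}
```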