Dell Vostro 3400-4654 laptop with Ubuntu 20.04 out of the box. First, after the purchase, I tried to install all the necessary programs. One of them is VirtualBox. The BIOS was as it came from the store, in UEFI mode with Secure Boot enabled. VirtualBox naturally requested the addition of the MOK key. I don't remember if I added it correctly when I rebooted into the MOK manager. As a result, I decided to disable Secure Boot. I reset the laptop to its original state from the factory recovery partition. I disabled Secure Boot and installed the programs cleanly. Now I have a question. Right now, when I run mokutil --list-enrolled, it shows two keys:
sergey@sergey-Vostro-3400:~$ mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: b9:41:24:a0:18:2c:92:67
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
Validity
Not Before: Apr 12 11:12:51 2012 GMT
Not After : Apr 11 11:12:51 2042 GMT
Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bf:5b:3a:16:74:ee:21:5d:ae:61:ed:9d:56:ac:
bd:de:de:72:f3:dd:7e:2d:4c:62:0f:ac:c0:6d:48:
08:11:cf:8d:8b:fb:61:1f:27:cc:11:6e:d9:55:3d:
39:54:eb:40:3b:b1:bb:e2:85:34:79:ca:f7:7b:bf:
ba:7a:c8:10:2d:19:7d:ad:59:cf:a6:d4:e9:4e:0f:
da:ae:52:ea:4c:9e:90:ce:c6:99:0d:4e:67:65:78:
5d:f9:d1:d5:38:4a:4a:7a:8f:93:9c:7f:1a:a3:85:
db:ce:fa:8b:f7:c2:a2:21:2d:9b:54:41:35:10:57:
13:8d:6c:bc:29:06:50:4a:7e:ea:99:a9:68:a7:3b:
c7:07:1b:32:9e:a0:19:87:0e:79:bb:68:99:2d:7e:
93:52:e5:f6:eb:c9:9b:f9:2b:ed:b8:68:49:bc:d9:
95:50:40:5b:c5:b2:71:aa:eb:5c:57:de:71:f9:40:
0a:dd:5b:ac:1e:84:2d:50:1a:52:d6:e1:f3:6b:6e:
90:64:4f:5b:b4:eb:20:e4:61:10:da:5a:f0:ea:e4:
42:d7:01:c4:fe:21:1f:d9:b9:c0:54:95:42:81:52:
72:1f:49:64:7a:c8:6c:24:f1:08:70:0b:4d:a5:a0:
32:d1:a0:1c:57:a8:4d:e3:af:a5:8e:05:05:3e:10:
43:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
X509v3 Authority Key Identifier:
keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.canonical.com/secure-boot-master-ca.crl
Signature Algorithm: sha256WithRSAEncryption
3f:7d:f6:76:a5:b3:83:b4:2b:7a:d0:6d:52:1a:03:83:c4:12:
a7:50:9c:47:92:cc:c0:94:77:82:d2:ae:57:b3:99:04:f5:32:
3a:c6:55:1d:07:db:12:a9:56:fa:d8:d4:76:20:eb:e4:c3:51:
db:9a:5c:9c:92:3f:18:73:da:94:6a:a1:99:38:8c:a4:88:6d:
c1:fc:39:71:d0:74:76:16:03:3e:56:23:35:d5:55:47:5b:1a:
1d:41:c2:d3:12:4c:dc:ff:ae:0a:92:9c:62:0a:17:01:9c:73:
e0:5e:b1:fd:bc:d6:b5:19:11:7a:7e:cd:3e:03:7e:66:db:5b:
a8:c9:39:48:51:ff:53:e1:9c:31:53:91:1b:3b:10:75:03:17:
ba:e6:81:02:80:94:70:4c:46:b7:94:b0:3d:15:cd:1f:8e:02:
e0:68:02:8f:fb:f9:47:1d:7d:a2:01:c6:07:51:c4:9a:cc:ed:
dd:cf:a3:5d:ed:92:bb:be:d1:fd:e6:ec:1f:33:51:73:04:be:
3c:72:b0:7d:08:f8:01:ff:98:7d:cb:9c:e0:69:39:77:25:47:
71:88:b1:8d:27:a5:2e:a8:f7:3f:5f:80:69:97:3e:a9:f4:99:
14:db:ce:03:0e:0b:66:c4:1c:6d:bd:b8:27:77:c1:42:94:bd:
fc:6a:0a:bc
[key 2]
SHA1 Fingerprint: 62:12:5e:cf:cf:93:44:1b:25:24:86:1d:b3:da:c0:10:6d:ea:9e:1b
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 32:0a:68:a6:33:4b:8f:01:c0:8c:7c:d2:dd:be:c8:71:c5:bc:26:e7
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=sergey-Vostro-3400 Secure Boot Module Signature key
Validity
Not Before: Mar 6 17:31:15 2022 GMT
Not After : Feb 10 17:31:15 2122 GMT
Subject: CN=sergey-Vostro-3400 Secure Boot Module Signature key
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:ee:41:1e:ac:47:bf:ca:77:f6:68:d8:b3:08:1e:
00:76:c9:b2:a1:fd:de:45:af:23:32:17:35:ce:14:
93:67:ce:63:5f:4b:de:eb:f6:18:d6:51:06:15:2f:
06:78:36:44:71:ab:64:c4:b4:80:77:6e:e5:d5:f7:
84:b6:76:e3:d0:f1:76:6f:1b:52:19:03:68:d3:a0:
7d:b2:27:e7:d2:74:26:d4:4b:7f:a0:0c:a1:3f:70:
37:79:c0:15:a3:9e:3e:63:d3:b4:14:22:59:b0:ca:
84:e5:25:53:67:d4:91:54:9a:1e:3a:f0:1e:89:a6:
b1:86:ed:fc:16:ef:ee:5e:a4:d0:e6:65:f3:f1:9d:
45:98:7a:0a:6a:42:d8:00:b1:9a:f4:5f:02:a7:94:
90:b3:2a:e3:f4:fe:fa:2d:6a:f0:f8:8e:74:ff:37:
83:f2:ab:f2:81:11:6d:94:7b:9e:a4:b0:02:08:6d:
37:f9:fd:30:52:c3:13:87:79:55:d2:12:e7:a7:7f:
cf:52:b9:66:91:d5:da:7c:ab:90:58:83:04:72:30:
79:7d:10:53:9a:62:a0:86:02:91:90:76:11:44:87:
d4:e9:5a:56:dc:69:2f:9e:01:8c:77:4b:64:e6:1b:
66:98:8f:0d:4d:4b:ac:9b:99:e1:e0:59:8b:04:01:
c4:19
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
6E:63:E8:85:FC:C1:7F:3C:30:71:D6:4E:C5:CB:CE:BB:75:85:FA:02
X509v3 Authority Key Identifier:
keyid:6E:63:E8:85:FC:C1:7F:3C:30:71:D6:4E:C5:CB:CE:BB:75:85:FA:02
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.2312.16.1.2
Netscape Comment:
OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption
94:7c:e9:5f:0e:3f:f1:7d:2c:02:f2:7a:83:68:2a:73:15:d0:
21:e7:30:89:54:c5:72:da:67:c9:fd:fd:f8:85:82:88:a5:6d:
85:09:78:52:c8:30:af:46:e2:9d:c1:e7:57:07:8c:a8:6d:bd:
59:0c:50:46:ea:0d:7c:1c:95:65:dc:39:94:f0:43:be:f9:9d:
58:2f:da:69:fa:92:9e:0c:71:1e:1d:b3:78:49:80:2c:7f:cb:
17:2f:6b:88:13:d7:d7:52:12:a9:7e:ce:72:bc:76:78:e2:8b:
23:2e:61:09:89:be:4d:60:8d:c3:5c:25:77:2a:8d:5e:6b:1f:
0a:ed:45:f1:23:a3:4a:a7:10:c6:aa:c2:99:26:20:ad:29:cc:
2c:f0:ee:47:14:dd:5c:93:59:25:e0:65:55:c2:d8:56:16:95:
a3:db:9d:8e:06:a5:3a:8c:70:45:b8:05:cc:70:c9:1f:5d:ca:
9b:9f:49:77:10:75:03:09:0a:ab:46:27:d9:01:7a:b1:90:ee:
ba:5b:ab:55:cf:95:64:4c:11:71:d8:2e:47:fb:65:d1:af:70:
e1:85:0c:a2:c6:40:d1:69:85:3f:e7:28:18:5e:ef:3a:16:7e:
e7:7d:67:e9:c6:9b:8f:f1:d3:17:e9:31:91:0f:bd:7d:78:3a:
42:27:90:2e
The first is the Ubuntu key. And the second one, with Not Before: Mar 6 17:31:15 2022 GMT, is probably the one I added when I first tried to install VirtualBox? The first attempt was just on March 6, 2022. And on March 8, I restored the system from the factory recovery partition and installed everything clean. Do I understand correctly that the second key can be deleted in the way indicated below? Or is this key needed and has nothing to do with VirtualBox?
To delete only one specific key from the database you could first use the --export flag, like so:
$ mokutil --export
This will export all machine owner keys to the current directory:
$ ls -1 MOK*
MOK-0001.der
MOK-0002.der
...
They are numbered according to the list given by
$ mokutil --list-enrolled
[key 1]
SHA1 Fingerprint:....
...
[key 2]
SHA1 Fingerprint:....
which should then enable you to delete only one specific key, e.g. key 2:
mokutil --delete MOK-0002.der
And the second question: if I reset the keys with sudo mokutil --reset, will the key MOK0002.der be deleted while the Ubuntu key MOK0001.der remains, or will both MOK keys be deleted? In general, the advice of experienced comrades is required in order not to break anything. I haven't dealt with keys before, so I apologize if I ask stupid questions. Please advise on the right way to proceed. Thank you in advance!
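An added example, not part of the original post: before deleting an exported file, the listing can be reduced to one line per key, so the fingerprint, subject, CA flag and creation date of each entry can be compared with its export file. The function names, the sample listing and its fingerprints are constructed, and the MOK-000N.der mapping assumes the numbering described in the quoted instructions.

```shell
#!/bin/sh
# Added example: summarize `mokutil --list-enrolled` output, one line per key.

# Constructed sample listing; fingerprints and names are made up.
sample_listing() {
cat <<'EOF'
[key 1]
SHA1 Fingerprint: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
            Not Before: Apr 12 11:12:51 2012 GMT
        Subject: C=GB, O=Example Vendor, CN=Example Vendor Master CA
        Subject Public Key Info:
            X509v3 Subject Key Identifier:
            X509v3 Basic Constraints: critical
                CA:TRUE
[key 2] SHA1 Fingerprint: 22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22
            Not Before: Mar 6 17:31:15 2022 GMT
        Subject: CN=example-host Secure Boot Module Signature key
            X509v3 Basic Constraints: critical
                CA:FALSE
EOF
}

# Reads a listing on stdin and prints, per key:
#   export file name|SHA1 fingerprint|subject CN|CA flag|Not Before
# The MOK-000N.der name assumes the export numbering follows the list order,
# as the instructions quoted in the post state.
mok_summary() {
  awk '
    function emit() {
      if (idx != "") printf "MOK-%04d.der|%s|%s|CA:%s|%s\n", idx, fp, cn, ca, nb
    }
    /^\[key [0-9]+\]/ {
      emit(); idx = $2; sub(/\].*/, "", idx); fp = cn = ca = nb = ""
    }
    /SHA1 Fingerprint: / { fp = $0; sub(/.*SHA1 Fingerprint: */, "", fp) }
    /^ *Subject: /       { cn = $0; sub(/.*CN *= */, "", cn) }
    /Not Before *: /     { nb = $0; sub(/.*Not Before *: */, "", nb) }
    /CA:TRUE/            { ca = "TRUE" }
    /CA:FALSE/           { ca = "FALSE" }
    END { emit() }
  '
}

# Stand-alone run on the sample; on a real system:
#   mokutil --list-enrolled | mok_summary
sample_listing | mok_summary
```

The parser accepts the fingerprint either on the `[key N]` line or on the line after it, since both layouts appear on this page.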