Update caused new error message (secure boot)

treecivilization · February 19, 2024, 4:34pm

Recently updated Fedora 39 system. Made me restart and after updating I get a new error message during boot:

Could not create MokListRT: Invalid Parameter
Could not create MokListXRT: Invalid Parameter
Importing MOK states has failed: import_mok_state() failed: Invalid Parameter
Continuing boot since secure mode is disabled

I can still boot and never use secure mode since I dont own a tpm module.

computersavvy · February 19, 2024, 5:23pm

You said you just updated then this started?

Fedora installs the mokutil package by default, and I suspect that error is related to the fact that secure boot is disabled. The tpm module is included in newer laptops and desktops that are intended to run windows 11 since that is one major requirement for win11. For fedora tpm is (AFAIK) not required

According to my system mokutil has not been updated since F39 was released and I don’t understand why there would be a change giving those errors. Maybe something else has happened with the update.

You might try using sudo dnf distro-sync --refresh on the command line to ensure everything is up to date, then reboot.

barryascott · February 19, 2024, 8:19pm

Where do you see these errors?

treecivilization · February 19, 2024, 8:47pm

mokutil-2:0.6.0-7.fc39.x86_64 is already installed
distro-sync --refresh did not fix it.

I see the errors when I boot, before GRUB. Sometimes I see grub, sometimes I just see the error messages and I dont see the GRUB menu.

grumpey · February 19, 2024, 10:06pm

Can you check:
sudo dnf history info last

Thanks

treecivilization · February 19, 2024, 10:17pm

Packages Altered:
    Upgrade  ansible-srpm-macros-1-12.fc39.noarch    @updates
    Upgrade  bind-libs-32:9.18.24-1.fc39.x86_64      @updates
    Upgrade  bind-license-32:9.18.24-1.fc39.noarch   @updates
    Upgrade  bind-utils-32:9.18.24-1.fc39.x86_64     @updates
    Upgrade  cups-browsed-1:2.0.0-4.fc39.x86_64      @updates
    Upgrade  dnsmasq-2.90-1.fc39.x86_64              @updates
    Upgrade  ibus-1.5.29-1.fc39.x86_64               @updates
    Upgrade  ibus-gtk3-1.5.29-1.fc39.x86_64          @updates
    Upgrade  ibus-gtk4-1.5.29-1.fc39.x86_64          @updates
    Upgrade  ibus-libs-1.5.29-1.fc39.x86_64          @updates
    Upgrade  ibus-setup-1.5.29-1.fc39.noarch         @updates
    Upgrade  python3-unbound-1.19.1-2.fc39.x86_64    @updates
    Upgrade  qt5-qtbase-5.15.12-5.fc39.x86_64        @updates
    Upgrade  qt5-qtbase-common-5.15.12-5.fc39.noarch @updates
    Upgrade  qt5-qtbase-gui-5.15.12-5.fc39.x86_64    @updates
    Upgrade  skopeo-1:1.14.2-1.fc39.x86_64           @updates
    Upgrade  unbound-anchor-1.19.1-2.fc39.x86_64     @updates
    Upgrade  unbound-libs-1.19.1-2.fc39.x86_64       @updates
    Upgrade  vim-data-2:9.1.113-1.fc39.noarch        @updates
    Upgrade  vim-minimal-2:9.1.113-1.fc39.x86_64     @updates
    Upgraded ansible-srpm-macros-1-11.fc39.noarch    @@System
    Upgraded bind-libs-32:9.18.21-2.fc39.x86_64      @@System
    Upgraded bind-license-32:9.18.21-2.fc39.noarch   @@System
    Upgraded bind-utils-32:9.18.21-2.fc39.x86_64     @@System
    Upgraded cups-browsed-1:2.0.0-1.fc39.x86_64      @@System
    Upgraded dnsmasq-2.89-7.fc39.x86_64              @@System
    Upgraded ibus-1.5.29~rc2-6.fc39.x86_64           @@System
    Upgraded ibus-gtk3-1.5.29~rc2-6.fc39.x86_64      @@System
    Upgraded ibus-gtk4-1.5.29~rc2-6.fc39.x86_64      @@System
    Upgraded ibus-libs-1.5.29~rc2-6.fc39.x86_64      @@System
    Upgraded ibus-setup-1.5.29~rc2-6.fc39.noarch     @@System
    Upgraded python3-unbound-1.19.0-7.fc39.x86_64    @@System
    Upgraded qt5-qtbase-5.15.12-1.fc39.x86_64        @@System
    Upgraded qt5-qtbase-common-5.15.12-1.fc39.noarch @@System
    Upgraded qt5-qtbase-gui-5.15.12-1.fc39.x86_64    @@System
    Upgraded skopeo-1:1.14.0-1.fc39.x86_64           @@System
    Upgraded unbound-anchor-1.19.0-7.fc39.x86_64     @@System
    Upgraded unbound-libs-1.19.0-7.fc39.x86_64       @@System
    Upgraded vim-data-2:9.1.076-2.fc39.noarch        @@System
    Upgraded vim-minimal-2:9.1.076-2.fc39.x86_64     @@System

vekruse · February 20, 2024, 5:04am

That message comes from shim and indicates trouble reading the installed mok certificates.

It is possible that the non-volatile memory of the UEFI firmware is failing, or perhaps it has run out out of space, for example by a recent dbx update or too many entries in the boot list.

barryascott · February 20, 2024, 8:23am

If this is the case then following the motherboards procedure to reset uefi nvram might fix things.
I have uefi memory issues happen a long time ago and used the reset procedure to fix it.

treecivilization · February 22, 2024, 12:18am

Good point, Barry. Ill try resetting the motherboard’s nvram. I cleared cmos a few times but that doesnt clearn nvram boot entries. Ive been hopping between a bunch of different linux kernels and my boot list has become very long.

computersavvy · February 25, 2024, 7:38pm

Those entries can be managed with the efibootmgr command on fedora, which would not require a full nvram reset.

Topic		Replies	Views
Suddenly getting mok.c dump on every boot just before the grub menu Ask Fedora f36 , secure-boot	4	9471	August 20, 2022
Anomaly upgrading from Fedora 30 to Fedora 31 Ask Fedora f31 , upgrades	9	1613	May 11, 2020
Upgrade failes for F32, prevents upgrade to f33 Ask Fedora f32	13	976	June 2, 2021
Nvidia drivers with secure boot no longer working and cannot enroll new key Ask Fedora f38 , secure-boot , nvidia	10	1487	October 14, 2023
Fedora new kernel not working after dnf upgrade --refresh Ask Fedora f30	22	15762	August 3, 2019

Update caused new error message (secure boot)

Related topics