The Ubuntu Shim certificate is the one used by Zorin OS.
It should remain valid, even after fully resetting MOK.
When you enroll MOK, you are not storing a key on Zorin OS. Instead, that enrollment is a state that is a variable in the EFI system.
Reenrolling should be as straightforward as ensuring the EFI settings are correct, then running mokutil to enroll, then running
sudo mokutil --import mok.der
Where mok above is a stand-in for the certificate you are enrolling.
That works for the Nvidia key (one Zorin-issued key), but mokutil --list-enrolled on my other computers has a pair of Zorin-issued ones listed instead of just the one.
Granted, everything seems to be working with secure boot enabled.
Is the second Zorin-issued key on the other computers superfluous? Is there a way to see if something failed to load due to a secure boot block?
I changed the computer name to 'computer-name' and the "0x" hex strings and the signature SHAs "70:24:etc" to "letters-and-numbers," but here's the output.
Output from sudo journalctl -k | grep -Ei 'secure|lockdown|signature|mok'
Jun 02 19:51:11 computer-name kernel: efi: ACPI=letters-and-numbers ACPI 2.0=letters-and-numbers TPMFinalLog=letters-and-numbers SMBIOS=letters-and-numbers MEMATTR=letters-and-numbers ESRT=letters-and-numbers MOKvar=letters-and-numbers RNG=letters-and-numbers TPMEventLog=letters-and-numbers
Jun 02 19:51:11 computer-name kernel: secureboot: Secure boot enabled
Jun 02 19:51:11 computer-name kernel: Kernel is locked down from EFI Secure Boot mode; see man kernel_lockdown.7
Jun 02 19:51:11 computer-name kernel: secureboot: Secure boot enabled
Jun 02 19:51:11 computer-name kernel: LSM: initializing lsm=lockdown,capability,landlock,yama,apparmor,integrity
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 02 19:51:11 computer-name kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 02 19:51:11 computer-name kernel: integrity: Loaded X.509 cert 'zorin Secure Boot Module Signature key: letters-and-numbers'
Jun 02 19:51:11 computer-name kernel: Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
Jun 02 19:51:11 computer-name kernel: Lockdown: systemd: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7
Jun 02 19:51:12 computer-name kernel: Bluetooth: hci0: Secure boot is enabled
Jun 02 19:51:21 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Jun 02 19:51:44 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Jun 02 19:51:48 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Jun 02 21:02:54 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Jun 02 21:02:54 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Jun 02 21:28:30 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Jun 02 21:28:45 computer-name kernel: Lockdown: systemd-logind: hibernation is restricted; see man kernel_lockdown.7
Nah, you're good. I also checked that the journalctl was fairly consistent across computers.
I'm not sure what parts of the "mokutil --list-enrolled" keys are public (aside from the public keys part). But each of the Zorin key values/Signatures are unique, as are the "X509v3 Subject Key Identifiers," but they do share the "X509v3 Extended Key Usage: Code Signing" numeric part.
Perhaps the most telling part is that one key was created 3 days ahead of another back in December 2024, which wouldn't make much sense if they were all made during the same system install.
It was my first Linux test computer. It's definitely possible I just reinstalled Zorin that many times on it when I was first learning to Linux at all (it was actually 3 instances of Zorin keys for that one computer: the format is just a little hard to read when the terminal is small).
I think you're right, and that re-enrolling that one key was all there was to do because the Ubuntu one survived.
Unless you have something to add, I'll mark your solution.