How do I delete a specific MOK UEFI key?

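Dell Vostro 3400-4654 laptop, out of the box with Ubuntu 20.04. First, after purchase, I tried to install all the necessary programs. One of them was VirtualBox. The BIOS was as it came from the store: UEFI mode, with Secure Boot enabled. VirtualBox naturally asked to add a MOK key. I don't remember whether I added it correctly in the MOK manager on reboot. So I decided to disable Secure Boot. I reset the laptop to its original state from the factory recovery partition. I disabled Secure Boot and installed the programs cleanly. Now I have a question. When I run mokutil --list-enrolled, it shows two keys: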

sergey@sergey-Vostro-3400:~$ mokutil --list-enrolled [key 1] SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0 Certificate: Data: Version: 3 (0x2) Serial Number: b9:41:24:a0:18:2c:92:67 Signature Algorithm: sha256WithRSAEncryption Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority Validity Not Before: Apr 12 11:12:51 2012 GMT Not After : Apr 11 11:12:51 2042 GMT Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:bf:5b:3a:16:74:ee:21:5d:ae:61:ed:9d:56:ac: bd:de:de:72:f3:dd:7e:2d:4c:62:0f:ac:c0:6d:48: 08:11:cf:8d:8b:fb:61:1f:27:cc:11:6e:d9:55:3d: 39:54:eb:40:3b:b1:bb:e2:85:34:79:ca:f7:7b:bf: ba:7a:c8:10:2d:19:7d:ad:59:cf:a6:d4:e9:4e:0f: da:ae:52:ea:4c:9e:90:ce:c6:99:0d:4e:67:65:78: 5d:f9:d1:d5:38:4a:4a:7a:8f:93:9c:7f:1a:a3:85: db:ce:fa:8b:f7:c2:a2:21:2d:9b:54:41:35:10:57: 13:8d:6c:bc:29:06:50:4a:7e:ea:99:a9:68:a7:3b: c7:07:1b:32:9e:a0:19:87:0e:79:bb:68:99:2d:7e: 93:52:e5:f6:eb:c9:9b:f9:2b:ed:b8:68:49:bc:d9: 95:50:40:5b:c5:b2:71:aa:eb:5c:57:de:71:f9:40: 0a:dd:5b:ac:1e:84:2d:50:1a:52:d6:e1:f3:6b:6e: 90:64:4f:5b:b4:eb:20:e4:61:10:da:5a:f0:ea:e4: 42:d7:01:c4:fe:21:1f:d9:b9:c0:54:95:42:81:52: 72:1f:49:64:7a:c8:6c:24:f1:08:70:0b:4d:a5:a0: 32:d1:a0:1c:57:a8:4d:e3:af:a5:8e:05:05:3e:10: 43:a1 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 X509v3 Authority Key Identifier: keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63

        X509v3 Basic Constraints: critical
            CA:TRUE
        X509v3 Key Usage:
            Digital Signature, Certificate Sign, CRL Sign
        X509v3 CRL Distribution Points:

            Full Name:
              URI:http://www.canonical.com/secure-boot-master-ca.crl

Signature Algorithm: sha256WithRSAEncryption
[key 2] SHA1 Fingerprint: 62:12:5e:cf:cf:93:44:1b:25:24:86:1d:b3:da:c0:10:6d:ea:9e:1b Certificate: Data: Version: 3 (0x2) Serial Number: 32:0a:68:a6:33:4b:8f:01:c0:8c:7c:d2:dd:be:c8:71:c5:bc:26:e7 Signature Algorithm: sha256WithRSAEncryption Issuer: CN=sergey-Vostro-3400 Secure Boot Module Signature key Validity Not Before: Mar 6 17:31:15 2022 GMT Not After : Feb 10 17:31:15 2122 GMT Subject: CN=sergey-Vostro-3400 Secure Boot Module Signature key Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:ee:41:1e:ac:47:bf:ca:77:f6:68:d8:b3:08:1e: 00:76:c9:b2:a1:fd:de:45:af:23:32:17:35:ce:14: 93:67:ce:63:5f:4b:de:eb:f6:18:d6:51:06:15:2f: 06:78:36:44:71:ab:64:c4:b4:80:77:6e:e5:d5:f7: 84:b6:76:e3:d0:f1:76:6f:1b:52:19:03:68:d3:a0: 7d:b2:27:e7:d2:74:26:d4:4b:7f:a0:0c:a1:3f:70: 37:79:c0:15:a3:9e:3e:63:d3:b4:14:22:59:b0:ca: 84:e5:25:53:67:d4:91:54:9a:1e:3a:f0:1e:89:a6: b1:86:ed:fc:16:ef:ee:5e:a4:d0:e6:65:f3:f1:9d: 45:98:7a:0a:6a:42:d8:00:b1:9a:f4:5f:02:a7:94: 90:b3:2a:e3:f4:fe:fa:2d:6a:f0:f8:8e:74:ff:37: 83:f2:ab:f2:81:11:6d:94:7b:9e:a4:b0:02:08:6d: 37:f9:fd:30:52:c3:13:87:79:55:d2:12:e7:a7:7f: cf:52:b9:66:91:d5:da:7c:ab:90:58:83:04:72:30: 79:7d:10:53:9a:62:a0:86:02:91:90:76:11:44:87: d4:e9:5a:56:dc:69:2f:9e:01:8c:77:4b:64:e6:1b: 66:98:8f:0d:4d:4b:ac:9b:99:e1:e0:59:8b:04:01: c4:19 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Key Identifier: 6E:63:E8:85:FC:C1:7F:3C:30:71:D6:4E:C5:CB:CE:BB:75:85:FA:02 X509v3 Authority Key Identifier: keyid:6E:63:E8:85:FC:C1:7F:3C:30:71:D6:4E:C5:CB:CE:BB:75:85:FA:02

        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Extended Key Usage:
            Code Signing, 1.3.6.1.4.1.2312.16.1.2
        Netscape Comment:
            OpenSSL Generated Certificate
Signature Algorithm: sha256WithRSAEncryption

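The first is the Ubuntu key. Is the second key, with Not Before: Mar 6 17:31:15 2022 GMT, possibly the key that was added when I first tried to install VirtualBox? The first attempt was on March 6, 2022. On March 8 I restored the system from the factory recovery partition and installed everything. Do I understand correctly that I can delete the second key in the way indicated below? Or is this key required and unrelated to VirtualBox?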

To delete one specific key from the database, you can first use the --export flag, as follows:

$ mokutil --export

This exports all Machine Owner Keys to the current directory:

$ ls -1 MOK*
MOK-0001.der
MOK-0002.der
...

They are numbered according to the following list:

$ mokutil --list-enrolled
[key 1] SHA1 Fingerprint:.... ...
[key 2] SHA1 Fingerprint:....

So you can delete one specific key, for example key 2:

mokutil --delete MOK-0002.der

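The second question: if I instead reset the keys with sudo mokutil --reset, will the key MOK0002.der be deleted while the Ubuntu key MOK0001.der remains, or will both MOK keys be deleted? In general, I need advice from experienced comrades so as not to break anything. I have not dealt with keys before, so I apologize if I am asking stupid questions. Please advise on the correct way to proceed. Thank you in advance!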
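
Added example, not part of the original post: before handing an exported file to mokutil --delete, it can be matched against the SHA1 fingerprint shown by mokutil --list-enrolled instead of relying on the file number alone. It assumes the listed fingerprint is the SHA-1 of the exported DER file's bytes; the function names der_sha1 and find_mok_by_fingerprint are hypothetical.

```sh
#!/bin/sh
# Added illustration: locate the exported MOK-*.der file whose SHA-1
# fingerprint equals one copied from `mokutil --list-enrolled`.
# Assumption: the fingerprint is SHA-1 over the raw DER bytes of the file.

# der_sha1 FILE: print the SHA-1 of FILE as lowercase colon-separated hex.
der_sha1() {
    sha1sum "$1" | cut -d' ' -f1 | sed 's/../&:/g; s/:$//'
}

# find_mok_by_fingerprint DIR FINGERPRINT
# Prints the single matching file. Returns 1 when no file or more than one
# file matches, so the caller never deletes on an ambiguous result.
find_mok_by_fingerprint() {
    dir=$1
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper or lower case
    match=""
    count=0
    for f in "$dir"/MOK-*.der; do
        [ -e "$f" ] || continue                 # glob matched nothing
        if [ "$(der_sha1 "$f")" = "$want" ]; then
            match=$f
            count=$((count + 1))
        fi
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$match"
}

# Usage: script.sh DIR FINGERPRINT
# DIR is the directory in which `mokutil --export` was run.
if [ "$#" -eq 2 ]; then
    if file=$(find_mok_by_fingerprint "$1" "$2"); then
        echo "Fingerprint matches: $file"
    else
        echo "No unique exported key has that fingerprint" >&2
        exit 1
    fi
fi
```
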
