Enroll a new Machine-Owner Key?

Question

I installed Ubuntu and then decided to install virtualbox via apt install.

Out of the blue, I am asked this:

  ┌───────────────────────┤ Configuring Secure Boot ├────────────────────────┐
  │ A new Machine-Owner key has been generated for this system to use when   │
  │ signing third-party drivers. This key now needs to be enrolled in your   │
  │ firmware, which will be done at the next reboot.                         │
  │                                                                          │
  │ If Secure Boot validation was previously disabled on your system,        │
  │ validation will also be re-enabled as part of this key enrollment        │
  │ process.                                                                 │
  │                                                                          │
  │ Enroll a new Machine-Owner Key?                                          │
  │                                                                          │
  │                    <Yes>                       <No>                      │
  │                                                                          │
  └──────────────────────────────────────────────────────────────────────────┘

I have no idea what that means, but it does not sound like something I would have a strong opinion about.

What is the "safe" choice?

The default choice is "No", so I guess it is what most users choose?

Update: I just read all of https://wiki.ubuntu.com/UEFI/SecureBoot but I am still not sure. I vaguely remember a similar step when I installed the OS, so I guess I should have a key already, and creating a new one might cause problems.

Update 2: I just got this prompt again, this time with an intro message saying "UEFI Secure Boot requires additional configuration to work with third-party drivers." I clicked "Next" just to see, but then pressing "Back" unexpectedly made the dialog disappear.

rcpa0 · Answer 1 · 2022-09-16T17:43:26.770

sudo dpkg-reconfigure virtualbox-dkms

if you need to get back to that dialog again.

Ubuntu 18.04 + virtualbox-dkms will only bring up that dialog box if you do not have a Machine Owner Key (MOK) already enrolled. If a MOK is already enrolled [see /var/lib/shim-signed/mok/MOK.{der,priv}], dkms will just uninstall and reinstall the virtualbox dkms drivers.

The Secure Boot enabled method is the "safe" method ['mokutil --sb-state' will output "SecureBoot enabled"]. Tell it to enroll a new MOK. It will generate it and "prepare" it for enrolling after you specify a "transport" password and reboot.

When you reboot, MOK Manager (instead of GRUB) will display in blue. Choose, [Enroll MOK]. Enter the "transport" password previously entered before the reboot. You will never be asked for this "transport" password again so you can forget about it now. Verify the MOK certificate information (creation date) shows the time you generated it. Continue enrolling the MOK.

You can reboot back into Ubuntu and run

sudo dpkg-reconfigure virtualbox-dkms

again. It should just uninstall and reinstall.

Future dkms kernel drivers should automatically be signed with the MOK key without further special action on your part.

score 1 · Answer 2 · answered Feb 21 '24 at 15:55

This command won't bring back the desired dialog again:

sudo dpkg-reconfigure virtualbox-dkms

You need another command:

sudo /usr/bin/perl -w /usr/share/debconf/frontend /usr/sbin/update-secureboot-policy --enroll-key

MOK menu will appear, you will be able to input a password, after reboot you will be able to see MOK boot menu again.

Enroll a new Machine-Owner Key?

2 Answers2