Where is the MOK key used for Ubuntu install at post installation, or override with my own?

I am successfully installing the 410 and 415 drivers on several machines using the ppa and ppa-staging drivers, using Ubuntu 18.04.

The Ubuntu installer correctly notices that secure boot is enabled and calls mokutil to enroll the key. It does go through a GUI process and asks for a MOK enrollment password.

However, for various reasons, I’d like to be able to get the generated key post-installation and/or be able to specify a key using Ubuntu’s GUI installer. Either way is fine.

One of my Xeon workstations has a UEFI bug such that mokutil cannot work. I can manually enroll a key by putting it on a USB and enrolling it directly in the BIOS (UEFI setup) screen.

It would be most convenient to be able to get the key generated by the installer after the GUI runs. However, I haven’t been able to figure out where it is, or if it persists after installation.

The other great answer would be some means to specify my own key for the installation, being one that’s already enrolled in the BIOS.

The other scenario is when the machine’s NVRAM is cleared for some reason, taking the MOK keys out. Being able to manually enroll the key would be helpful.

Maybe /var/lib/shim-signed/mok
https://wiki.ubuntu.com/UEFI/SecureBoot/Signing


Thanks! I think that may be it. I’ll have to experiment a little to make sure.
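A way to test the /var/lib/shim-signed/mok suggestion above and prepare a key for manual enrollment from USB, as an added example that is not part of the original thread. It assumes the directory holds MOK.der (public certificate) and MOK.priv (private key); the script name mok-check.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed file names: MOK.der (public
# certificate) and MOK.priv (private key) inside the directory named above.
MOK_DIR="${MOK_DIR:-/var/lib/shim-signed/mok}"

# check_mok DIR -> 0 ok, 1 certificate missing, 2 private key missing,
# 3 private key accessible to group or other users.
check_mok() {
    [ -f "$1/MOK.der" ] || return 1
    [ -f "$1/MOK.priv" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$1/MOK.priv" | cut -c5-10)" = "------" ] || return 3
    return 0
}

# export_mok_cert DIR DEST: copy only the public certificate to DEST (for
# example a mounted USB stick). The private key never leaves DIR.
export_mok_cert() {
    [ -f "$1/MOK.der" ] && [ -d "$2" ] || return 1
    cp "$1/MOK.der" "$2/MOK.der" && chmod 0644 "$2/MOK.der"
}

# report_mok DIR: print subject, fingerprint and enrollment state, using
# whichever of openssl and mokutil is installed.
report_mok() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -inform DER -in "$1/MOK.der" -noout -subject -fingerprint -sha256
    fi
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --test-key "$1/MOK.der" || true
    fi
}

# Run as root: "sh mok-check.sh report [DEST]" (hypothetical script name).
# Without "report" the script only defines the functions.
if [ "${1:-}" = "report" ]; then
    rc=0; check_mok "$MOK_DIR" || rc=$?
    echo "check_mok $MOK_DIR returned $rc"
    if [ "$rc" -ne 1 ]; then
        report_mok "$MOK_DIR"
        if [ -n "${2:-}" ]; then export_mok_cert "$MOK_DIR" "$2"; fi
    fi
fi
```

Only MOK.der is needed for enrollment in the UEFI setup screen; anyone who obtains MOK.priv can sign kernel modules that the machine will trust.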