
Troubleshooting

Could not insert 'zfs': Key was rejected by service

On systems with secure boot enabled, the MOK (Machine Owner Key) used to sign DKMS modules must be enrolled before those modules can be loaded into the kernel; otherwise errors like the following will occur:

/sbin/modprobe zfs

modprobe: ERROR: could not insert 'zfs': Key was rejected by service

Certificates must be added to the secure boot certificate store before enabling secure boot. Enrollment intentionally requires physical presence (or keys pre-installed via firmware/BIOS during bare-metal turn-up).

mokutil manages this process and generates change requests for MOK Manager (loaded by the secure boot shim) to process on the next reboot.
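
The check and enrollment described above, as an added example that is not part of the original page. The function names, the `--live` switch and the certificate path `/var/lib/dkms/mok.pub` are assumptions (distributions store the DKMS signing certificate in different places), as is the exact wording of mokutil's output that the script matches on.

```shell
#!/bin/sh
# Added example: decide whether the DKMS signing certificate still needs MOK enrollment.
# Assumption: DKMS keeps its certificate here; override MOK_CERT for your distro.
MOK_CERT="${MOK_CERT:-/var/lib/dkms/mok.pub}"

# mok_verdict SB_STATE_OUTPUT TEST_KEY_OUTPUT  (hypothetical helper)
# Classifies the text printed by `mokutil --sb-state` and `mokutil --test-key`.
# Assumes mokutil's usual wording ("SecureBoot enabled", "... is not enrolled").
mok_verdict() {
    case "$1" in
        *"SecureBoot enabled"*) ;;                       # signatures are enforced
        *"SecureBoot disabled"*) echo "not-enforced"; return 0 ;;
        *) echo "unknown"; return 0 ;;                   # e.g. no EFI variables
    esac
    case "$2" in
        *"is not enrolled"*)     echo "import-needed" ;;
        *"is already enrolled"*) echo "enrolled" ;;
        *)                       echo "unknown" ;;
    esac
}

# Live path: query this machine and queue the import if needed (run as root).
mok_check_live() {
    verdict=$(mok_verdict "$(mokutil --sb-state 2>&1)" \
                          "$(mokutil --test-key "$MOK_CERT" 2>&1)")
    echo "MOK status for $MOK_CERT: $verdict"
    case "$verdict" in
        import-needed)
            # Prompts for a one-time password; MOK Manager asks for it again
            # on the next reboot, which is the physical-presence step.
            mokutil --import "$MOK_CERT" ;;
        enrolled)
            # If modprobe still fails, compare the module's signer with the MOK.
            modinfo -F signer zfs ;;
    esac
}

# Only touch the system when asked to: sh mok-check.sh --live
if [ "${1:-}" = "--live" ]; then mok_check_live; fi
```

After a queued import, reboot and complete the enrollment in MOK Manager before retrying `modprobe zfs`.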

Security Policy Violation

Microsoft changed the secure boot shim and disabled previously allowed shims used in older installers.

Verifying shim SBAT data failed: Security Policy Violation
Something has gone seriously wrong: SBAT self-check failed: Security Policy Violation

Disable secure boot, disable SBAT policy, and install updated shims.

  1. Disable secure boot.
  2. Boot a live CD.
  3. Install mokutil and delete the SBAT policy.

    mokutil --set-sbat-policy delete

  4. Reboot.

  5. Update and re-enable secure boot.

integrity: Problem loading X.509 certificate -22

These errors are caused by invalidated keys from the 2024 key leak. Secure boot still works.

integrity: Loading X.509 certificate: UEFI:db
integrity: Problem loading X.509 certificate -22
integrity: Error adding keys to platform keyring UEFI:db
integrity: Loading X.509 certificate: UEFI:db
integrity: Problem loading X.509 certificate -22
integrity: Error adding keys to platform keyring UEFI:db
