Mok Not In System Keyring
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
efitools (Ubuntu) |
Expired
|
Undecided
|
Unassigned |
Bug Description
I'm not sure if this would be filed under linux, mokutils, efitools or whatever package handles the system keyring (methinks linux).
My related thread: http://
There is only ONE key in the system_keyring
$ sudo keyctl list %:.system_keyring
*****
1 key in keyring:
506366910: ---lswrv 0 0 asymmetric: Magrathea: Glacier signing key: 084a8d7d7040cfd
*****
Not even the Canonical Mok is in the ring, nor the rest of the secure-boot keys.
$ sudo mokutil --list-enrolled
*****
[key 1]
SHA1 Fingerprint: e1:65:d2:
//mine
[key 2]
SHA1 Fingerprint: 4e:ce:a3:
//mine
[key 3]
SHA1 Fingerprint: 76:a0:92:
//Canonical
*****
EFI packages knows the secure-boot keys are there, but won't recognize any Moks having been enrolled.
$ sudo efi-readvar
*****
Variable PK, length 639
PK: List 0, type X509
Signature 0, size 611, owner eea2f5d2-
Subject:
Issuer:
CN=Root Agency
Variable KEK, length 1560
KEK: List 0, type X509
Signature 0, size 1532, owner 77fa9abd-
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Variable db, length 3143
db: List 0, type X509
Signature 0, size 1515, owner 77fa9abd-
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
db: List 1, type X509
Signature 0, size 1572, owner 77fa9abd-
Subject:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
Issuer:
C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Variable dbx, length 76
dbx: List 0, type SHA256
Signature 0, size 48, owner 26dc4851-
Variable MokList has no entries
*****
My expectation: http://
All secure-boot keys would be loaded in the system_keyring.
ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: linux-image-
ProcVersionSign
Uname: Linux 3.19.0-20-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
/dev/snd/
Date: Wed Jun 3 01:44:33 2015
EcryptfsInUse: Yes
HibernationDevice: RESUME=
InstallationDate: Installed on 2015-05-31 (2 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
ProcEnviron:
LANGUAGE=en_US
TERM=xterm
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=
PulseList:
Error: command ['pacmd', 'list'] failed with exit code 1: Home directory not accessible: Permission denied
No PulseAudio daemon running, or not running as session daemon.
RelatedPackageV
linux-
linux-
linux-firmware 1.143.1
SourcePackage: linux
UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 12/15/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: P1.50
dmi.board.name: H97M-ITX/ac
dmi.board.vendor: ASRock
dmi.chassis.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.
dmi.modalias: dmi:bvnAmerican
dmi.product.name: To Be Filled By O.E.M.
dmi.product.
dmi.sys.vendor: To Be Filled By O.E.M.
affects: | linux (Ubuntu) → efitools (Ubuntu) |
Changed in efitools (Ubuntu): | |
status: | Confirmed → New |
This change was made by a bot.