kernel signed by mok failed to boot if secure boot is on
Bug #1939565 reported by Yuan-Chen Cheng
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OEM Priority Project | Invalid | Critical | Yuan-Chen Cheng |
shim (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
On Focal, create a MOK and enroll it, then use it to sign a test kernel with secure boot on.
# sh -x test.sh
+ sbverify --cert TestKer.pem /boot/vmlinuz-
Signature verification OK
+ openssl x509 -in TestKer.pem -outform der -out TestKernel.der
+ mokutil --test-key TestKernel.der
TestKernel.der is already enrolled
As secure boot is on, the above kernel can't be loaded.
The error message is:
/boot/vmlinuz-
Machine: Latitude 7520
bios: 1.6.0
shim-signed: 1.40.6+
grub-efi-
Downgrade shim-signed to 1.40.4+15+1552672080.a4a1fbe-0ubuntu2 and shim 15+1552672080.a4a1fbe-0ubuntu2.
Then I can't reproduce this issue.