5.19 kernel does not load MOK keys
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
The 5.19 kernel only reads the db and dbx keys:
jak@jak-
Jul 09 21:34:14 jak-t480s kernel: integrity: Platform Keyring initialized
Jul 09 21:34:14 jak-t480s kernel: integrity: Machine keyring initialized
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c155046
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefd
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd827
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-
Jul 09 21:34:14 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Jul 09 21:34:14 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
The 5.15 kernel also loads the mok keys
jak@jak-
Jun 27 23:10:55 jak-t480s kernel: integrity: Platform Keyring initialized
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c155046
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefd
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd827
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-
Jun 27 23:10:55 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Jun 27 23:10:55 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'jak-t480s Secure Boot Module Signature key: ac5ed055ca0a71e
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'jak-t480s Secure Boot Module Signature key: dc4bc63447738df
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ci-train-
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert '4845da95ac2b4c
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: linux-image-
ProcVersionSign
Uname: Linux 5.19.0-9-generic x86_64
NonfreeKernelMo
ApportVersion: 2.22.0-0ubuntu4
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/
/dev/snd/
/dev/snd/
/dev/snd/seq: jak 3291 F.... pipewire
CasperMD5CheckR
CurrentDesktop: GNOME
Date: Tue Jul 12 15:40:34 2022
HibernationDevice: RESUME=none
InstallationDate: Installed on 2018-03-14 (1580 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313)
MachineType: LENOVO 20L8S02D00
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RelatedPackageV
linux-
linux-
linux-firmware 20220711.
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 08/11/2021
dmi.bios.release: 1.47
dmi.bios.vendor: LENOVO
dmi.bios.version: N22ET70W (1.47 )
dmi.board.
dmi.board.name: 20L8S02D00
dmi.board.vendor: LENOVO
dmi.board.version: Not Defined
dmi.chassis.
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.
dmi.ec.
dmi.modalias: dmi:bvnLENOVO:
dmi.product.family: ThinkPad T480s
dmi.product.name: 20L8S02D00
dmi.product.sku: LENOVO_
dmi.product.
dmi.sys.vendor: LENOVO
In case you wonder: Yes I have the ubuntu UEFI PPA key in db as I needed to test out shims signed from there :)