Ubuntu
linux package

5.19 kernel does not load MOK keys

Bug #1981449 reported by Julian Andres Klode on 2022-07-12

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Confirmed	Undecided	Unassigned

Bug Description

The 5.19 kernel only reads the db and dbx keys:

jak@jak-t480s:~:master$ journalctl -b -1 -k | grep integrity
Jul 09 21:34:14 jak-t480s kernel: integrity: Platform Keyring initialized
Jul 09 21:34:14 jak-t480s kernel: integrity: Machine keyring initialized
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-uefi-team/ubuntu/ppa UEFI: 131b868222e85383c2e71ae489372ffac6ce29ed'
Jul 09 21:34:14 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Jul 09 21:34:14 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx

The 5.15 kernel also loads the mok keys

jak@jak-t480s:~:master$ journalctl -b -2 -k | grep integrity
Jun 27 23:10:55 jak-t480s kernel: integrity: Platform Keyring initialized
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-uefi-team/ubuntu/ppa UEFI: 131b868222e85383c2e71ae489372ffac6ce29ed'
Jun 27 23:10:55 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Jun 27 23:10:55 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'jak-t480s Secure Boot Module Signature key: ac5ed055ca0a71e3a2343dd42d5afe0cffdd3ef8'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'jak-t480s Secure Boot Module Signature key: dc4bc63447738df295a67d455ef7ea0eb3e14945'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ci-train-ppa-service/ubuntu/4093 UEFI: bbfd16fec6b3ba059a0f011203a5cd493a4529b7'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-uefi-team/ubuntu/ppa UEFI: 131b868222e85383c2e71ae489372ffac6ce29ed'
Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert '4845da95ac2b4c1ba5f604ff45a89d83 db: 34c5d6debab4133cf0b663f5799e580f31f594c1'

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: linux-image-5.19.0-9-generic 5.19.0-9.9
ProcVersionSignature: Ubuntu 5.19.0-9.9-generic 5.19.0-rc5
Uname: Linux 5.19.0-9-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.22.0-0ubuntu4
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC2: jak 3308 F.... wireplumber
/dev/snd/controlC1: jak 3308 F.... wireplumber
/dev/snd/controlC0: jak 3308 F.... wireplumber
/dev/snd/seq: jak 3291 F.... pipewire
CasperMD5CheckResult: unknown
CurrentDesktop: GNOME
Date: Tue Jul 12 15:40:34 2022
HibernationDevice: RESUME=none
InstallationDate: Installed on 2018-03-14 (1580 days ago)
InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313)
MachineType: LENOVO 20L8S02D00
ProcFB: 0 i915drmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.19.0-9-generic root=/dev/mapper/ubuntu--vg-root ro rootflags=subvol=@ quiet splash zswap.enabled=1 zswap.compressor=zstd zswap.max_pool_percent=20 zswap.zpool=z3fold vt.handoff=7
PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
RelatedPackageVersions:
linux-restricted-modules-5.19.0-9-generic N/A
linux-backports-modules-5.19.0-9-generic N/A
linux-firmware 20220711.gitdfa29317-0ubuntu1
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 08/11/2021
dmi.bios.release: 1.47
dmi.bios.vendor: LENOVO
dmi.bios.version: N22ET70W (1.47 )
dmi.board.asset.tag: Not Available
dmi.board.name: 20L8S02D00
dmi.board.vendor: LENOVO
dmi.board.version: Not Defined
dmi.chassis.asset.tag: No Asset Information
dmi.chassis.type: 10
dmi.chassis.vendor: LENOVO
dmi.chassis.version: None
dmi.ec.firmware.release: 1.22
dmi.modalias: dmi:bvnLENOVO:bvrN22ET70W(1.47):bd08/11/2021:br1.47:efr1.22:svnLENOVO:pn20L8S02D00:pvrThinkPadT480s:rvnLENOVO:rn20L8S02D00:rvrNotDefined:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20L8_BU_Think_FM_ThinkPadT480s:
dmi.product.family: ThinkPad T480s
dmi.product.name: 20L8S02D00
dmi.product.sku: LENOVO_MT_20L8_BU_Think_FM_ThinkPad T480s
dmi.product.version: ThinkPad T480s
dmi.sys.vendor: LENOVO

Tags: