MOK-enrolled Secure Boot keys are not saved on the installed system when doing an OEM installation
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
ubiquity (Ubuntu) | Triaged | Low | Unassigned | |
Bug Description
Steps to reproduce:
1: Enable Secure Boot.
2: Install the latest Ubuntu Kinetic ISO using the OEM installation option. Make sure to allow the installation of proprietary drivers and choose to configure Secure Boot.
3: Reboot and do the key enrollment with mokutil.
4: Reboot again, open a terminal, and run "ls /var/lib/
5: Reboot again, then finish setup.
6: Run "ls /var/lib/
Expected result: The files "MOK.priv" and "MOK.der" should be shown with each "ls" command.
Actual result: The listed directory is empty both times.
Notes:
This did NOT happen to me on a non-OEM installation. I noticed it while attempting to manually sign a driver while grappling with bug 1991725. It probably will interfere with the use of DKMS modules even if they get installed and signed properly the first time.
For some reason "ubuntu-bug shim-signed" thought that shim-signed wasn't an official Ubuntu package, so I'm reporting this without using ubuntu-bug. I can provide any desired log files from the test system upon request.
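The check from steps 4 and 6 can be scripted so it gives the same pass/fail answer after each reboot. The following is an added example, not part of the original report or of any Ubuntu package; the function name `check_mok_dir` is hypothetical, and the key directory is passed as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example: verify that the MOK signing key pair survived on disk.
# Usage: sh check-mok.sh DIR   (DIR = the directory listed in steps 4 and 6)

# Returns 0 if both key files exist and are non-empty, 1 otherwise.
check_mok_dir() {
    dir=$1
    missing=""
    for f in MOK.priv MOK.der; do
        # -s is true only for an existing, non-empty file
        [ -s "$dir/$f" ] || missing="$missing $f"
    done
    if [ -n "$missing" ]; then
        echo "MISSING in $dir:$missing"
        return 1
    fi
    echo "OK: MOK.priv and MOK.der present in $dir"
    return 0
}

# Run only when a directory is given on the command line.
if [ $# -gt 0 ]; then
    if command -v mokutil >/dev/null 2>&1; then
        # Firmware-side view: Secure Boot state and the enrolled MOK list.
        mokutil --sb-state
        mokutil --list-enrolled | grep 'Subject:' || echo "no MOK enrolled"
    fi
    # A key enrolled in firmware with no MOK.priv on disk is the state
    # described in this report: later module builds cannot be signed
    # with the enrolled key.
    check_mok_dir "$1"
fi
```

A non-zero exit status combined with a non-empty enrolled list reproduces the reported condition.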
description: updated
Changed in ubiquity (Ubuntu):
importance: Undecided → Low
status: New → Triaged
This bug does **not** occur if you install Ubuntu normally. It only appears to strike OEM installs.