linux-oem-22.04(a) does not load MOK certificates
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux-meta-oem-5.17 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
I started to test the OEM kernel on Ubuntu 22.04 jammy. Doing so, I wondered why all my DKMS modules don't load when Secure Boot is active although they are correctly signed. After investigating for quite a while, I found that the MOK certificates are not loaded during boot. This is from journalctl -k with the HWE kernel (currently 5.15.0-33-generic), where everything is fine:
```
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e07
Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab
Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-
Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd827
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c71
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb
Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found
```
And this is from journalctl -k with the OEM kernel (currently 5.17.0-1006-oem), where the MOK certificates are not loaded:
```
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e07
Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab
Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-
Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd827
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af
Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found
```
The part where the MOK certificates are loaded (in 5.15.0-33-generic):
```
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c71
```
is missing when booting 5.17.0-1006-oem.
This is on a Dell XPS-17 9710, latest BIOS updates (1.81), latest jammy updates. silvershadow is the hostname ;-)
If you need any more information, please let me know.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: linux-oem-22.04 5.17.0.1006.6
ProcVersionSign
Uname: Linux 5.15.0-33-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckR
Date: Wed May 25 15:55:37 2022
InstallationDate: Installed on 2022-04-07 (48 days ago)
InstallationMedia: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
SourcePackage: linux-meta-oem-5.17
UpgradeStatus: Upgraded to jammy on 2022-04-07 (48 days ago)
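The report's evidence is the presence or absence of the `UEFI:MokListRT` lines in `journalctl -k`. Below is a small diagnostic, added here and not part of the bug report or of Ubuntu's kernel packaging, that turns that into a check: it counts the certificates the kernel loaded from MokListRT on constructed log excerpts modelled on the two boots quoted above, and on request repeats the check on the running machine next to the firmware-side view (`mokutil --sb-state`, `mokutil --list-enrolled`) and the kernel-side view (`keyctl list %:.platform`, the keyring into which the integrity code's load_uefi.c places MokListRT certificates). The tool names journalctl, mokutil, keyctl and modinfo are assumed to be installed and are skipped when absent; the file name mokcheck.sh is assumed. The caveat worth stating: a missing MOK certificate is the kernel correctly enforcing signature policy, so the remedy is to get the key into the keyring (or the kernel fixed), never to turn Secure Boot validation off to make the module load.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report. Counts the X.509 certificates
# the kernel loaded from UEFI:MokListRT (the MOK list shim hands over through
# the MOKvar table) and, on request, repeats the check on the running machine.
# journalctl, mokutil, keyctl and modinfo are assumed installed; each is
# skipped when absent.

# count_mok_certs: read kernel log lines on stdin and print how many
# "Loaded X.509 cert" lines directly follow a
# "Loading X.509 certificate: UEFI:MokListRT" line.
count_mok_certs() {
    awk '
        /integrity: Loading X\.509 certificate: UEFI:MokListRT/ { expect = 1; next }
        expect && /integrity: Loaded X\.509 cert/ { n++ }
        { expect = 0 }
        END { print n + 0 }
    '
}

# mok_verdict: "ok" when at least one MOK certificate reached the kernel,
# "missing" when none did (the symptom reported for 5.17.0-1006-oem).
mok_verdict() {
    if [ "$(count_mok_certs)" -gt 0 ]; then echo ok; else echo missing; fi
}

# Constructed excerpts (timestamps and hostname dropped) modelled on the two
# boots quoted in the report: the HWE boot loads two MokListRT certificates,
# the OEM boot goes from dbx straight to the compiled-in module keys.
HWE_LOG="integrity: Loading X.509 certificate: UEFI:db
integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd827
integrity: Revoking X.509 certificate: UEFI:dbx
blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef
integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f
integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c71
Loading compiled-in module X.509 certificates"

OEM_LOG="integrity: Loading X.509 certificate: UEFI:db
integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd827
integrity: Revoking X.509 certificate: UEFI:dbx
blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef
Loading compiled-in module X.509 certificates"

# live_check [module]: same test on this machine's kernel log, then the
# firmware-side view (Secure Boot state, enrolled MOK subjects) next to the
# kernel-side view (.platform keyring, where load_uefi.c puts MokListRT certs).
# Root is normally needed for journalctl -k and for listing %:.platform.
live_check() {
    mod=${1:-}
    echo "MokListRT verdict from journalctl -k: $(journalctl -k 2>/dev/null | mok_verdict)"
    if command -v mokutil >/dev/null 2>&1; then
        mokutil --sb-state
        echo "Enrolled MOK subjects:"
        mokutil --list-enrolled 2>/dev/null | grep 'Subject:'
    fi
    if command -v keyctl >/dev/null 2>&1; then
        echo ".platform keyring:"
        keyctl list %:.platform
    fi
    if [ -n "$mod" ] && command -v modinfo >/dev/null 2>&1; then
        signer=$(modinfo -F signer "$mod" 2>/dev/null)
        echo "$mod signer: ${signer:-(none)}"
    fi
}

# Self-check on the constructed excerpts; "sh mokcheck.sh live [module]"
# (file name assumed) runs the real thing against this machine.
echo "HWE excerpt: $(printf '%s\n' "$HWE_LOG" | mok_verdict) ($(printf '%s\n' "$HWE_LOG" | count_mok_certs) MOK certs)"
echo "OEM excerpt: $(printf '%s\n' "$OEM_LOG" | mok_verdict) ($(printf '%s\n' "$OEM_LOG" | count_mok_certs) MOK certs)"
if [ "${1:-}" = live ]; then live_check "${2:-}"; fi
```

On an affected machine the useful comparison is the last two views: a subject that `mokutil --list-enrolled` shows as enrolled but that never appears in `keyctl list %:.platform` is exactly the gap the report describes, and `modinfo -F signer` on the DKMS module tells you which subject the kernel needed to find there.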
Sorry something went wrong with copy/paste in the description.
Central issue is that the part where the MOK certificates are loaded (in 5.15.0-33-generic):
```
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c71
```
is missing when booting 5.17.0-1006-oem.
Hope that helps