linux-oem-22.04(a) does not load MOK certificates

Bug #1975741 reported by Thomas Boerner
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux-meta-oem-5.17 (Ubuntu) | New | Undecided | Unassigned | |

Bug Description

I started to test the OEM kernel on Ubuntu 22.04 jammy. Doing so, I wondered why all my DKMS modules don't load when Secure Boot is active although they are correctly signed. After investigating for quite a while, I found that the MOK certificates are not loaded during boot. This is from `journalctl -k` with the HWE kernel (currently 5.15.0-33-generic), where everything is fine:

```
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found
```

And this is from `journalctl -k` with the OEM kernel (currently 5.17.0-1006-oem), where the MOK certificates are not loaded:

```
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found
```

The part where the MOK certificates are loaded (in 5.15.0-33-generic):

```
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
```

is missing when booting 5.17.0-1006-oem.

This is on a Dell XPS-17 9710, latest BIOS updates (1.81), latest jammy updates. silvershadow is the hostname ;-)

If you need any more information, please let me know.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: linux-oem-22.04 5.17.0.1006.6
ProcVersionSignature: Ubuntu 5.15.0-33.34-generic 5.15.30
Uname: Linux 5.15.0-33-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl icp
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed May 25 15:55:37 2022
InstallationDate: Installed on 2022-04-07 (48 days ago)
InstallationMedia: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
SourcePackage: linux-meta-oem-5.17
UpgradeStatus: Upgraded to jammy on 2022-04-07 (48 days ago)
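As an added check (example code, not from the bug report or from the Ubuntu kernel packages), the following does mechanically what the description does by eye: it pairs each `Loading X.509 certificate: UEFI:<source>` line of `journalctl -k` with the `Loaded X.509 cert` line that follows it and reports whether anything was imported from `UEFI:MokListRT`. The sample logs are constructed from the report's own lines, and `certs_by_source` and `mok_keys_loaded` are hypothetical names.

```python
import re
from collections import defaultdict

# Hypothetical checker (added example): a "Loading X.509 certificate: UEFI:<src>"
# line is followed by the "Loaded X.509 cert" line for that cert, so pairing them
# tells us which UEFI variable (db, MokListRT, ...) each certificate came from.
LOADING_RE = re.compile(r"integrity: Loading X\.509 certificate: (?P<source>UEFI:\S+)")
LOADED_TAG = "integrity: Loaded X.509 cert '"

# Constructed samples trimmed from the two boot logs in the report; journalctl
# truncates long lines with a trailing '>' and the parser has to tolerate that.
HWE_LOG = """\
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
"""
OEM_LOG = """\
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
"""

def certs_by_source(log_text):
    """Map each UEFI variable (db, MokListRT, ...) to the cert names loaded from it."""
    loaded = defaultdict(list)
    pending = None  # source named by the most recent 'Loading' line, not yet consumed
    for line in log_text.splitlines():
        m = LOADING_RE.search(line)
        if m:
            pending = m.group("source")
        elif pending and LOADED_TAG in line:
            # Drop the closing quote or truncation marker, then the trailing hash.
            raw = line.split(LOADED_TAG, 1)[1].rstrip("'>")
            loaded[pending].append(raw.rsplit(": ", 1)[0])
            pending = None
    return dict(loaded)

def mok_keys_loaded(log_text):
    """True when the kernel imported at least one cert from the MOK list (MokListRT)."""
    return bool(certs_by_source(log_text).get("UEFI:MokListRT"))

if __name__ == "__main__":
    for label, log in (("hwe", HWE_LOG), ("oem", OEM_LOG)):
        print(label, "MOK loaded:", mok_keys_loaded(log), certs_by_source(log))
```

On a live machine, feed it the output of `journalctl -k`; `sudo keyctl list %:.platform` (from keyutils) shows the same picture from the keyring side.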

Thomas Boerner (tboerner) wrote :

Sorry something went wrong with copy/paste in the description.

The central issue is that the part where the MOK certificates are loaded (in 5.15.0-33-generic):

```
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
```

is missing when booting 5.17.0-1006-oem.

Hope that helps.
