Comment 7 for bug 1928679

Dimitri John Ledkov (xnox) wrote:

# grep CODENAME /etc/os-release
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

# uname -r
5.11.0-34-generic

dmesg:
[ 0.797134] blacklist: Loading compiled-in revocation X.509 certificates
[ 0.797696] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'

The built-in revocation cert is loaded.

[ 0.806069] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 0.806848] integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

The MOKvar table is available and is used.

# keyctl list %:.blacklist | grep Canonical
613299796: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0

# keyctl list %:.blacklist | grep bin: | wc
     79 474 8853

# mokutil --list-enrolled --mokx
[key 1]
  [SHA-256]
  0000000000000000000000000000000000000000000000000000000000000000

Revoked binaries are correctly loaded from the MOKvar table, despite not being mirrored into the MokListXRT EFI variable.
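
The manual checks in this comment can be scripted for repeat verification. The following is an added example, not part of the original comment or of any Ubuntu tooling: the function names are hypothetical, the dmesg sample is the excerpt quoted above, and the two bin: keyring entries are constructed.

```shell
#!/bin/sh
# Added example. Live use: dmesg | revocation_certs
#                          keyctl list %:.blacklist | blacklisted_hash_count

# dmesg excerpt as quoted in the comment above.
SAMPLE_DMESG="[ 0.797134] blacklist: Loading compiled-in revocation X.509 certificates
[ 0.797696] Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
[ 0.806069] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 0.806848] integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'"

# keyctl excerpt: first line is from the comment, the bin: entries are constructed.
SAMPLE_KEYRING="613299796: ---lswrv 0 0 asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0
100000001: ---lswrv 0 0 blacklist: bin:aaaaaaaa
100000002: ---lswrv 0 0 blacklist: bin:bbbbbbbb"

# Print the name of every cert loaded directly after the kernel announces the
# compiled-in revocation list. Certs loaded by "integrity:" are trusted keys,
# not revocations, so they are deliberately not matched.
revocation_certs() {
    awk -F"'" '
        /blacklist: Loading compiled-in revocation X\.509 certificates/ { in_block = 1; next }
        in_block && /(^|\] )Loaded X\.509 cert / { print $2; next }
        { in_block = 0 }
    '
}

# Succeed if the kernel read MokListRT from the MOKvar configuration table.
mok_from_mokvar_table() {
    grep -qF 'UEFI:MokListRT (MOKvar table)'
}

# Succeed if the cert named in $1 appears on the keyring listing read from stdin.
cert_on_blacklist() {
    grep -qF "asymmetric: $1"
}

# Count revoked binary hashes (bin: entries) on the keyring listing.
blacklisted_hash_count() {
    grep -c 'bin:' || true
}

cert=$(printf '%s\n' "$SAMPLE_DMESG" | revocation_certs)
printf 'compiled-in revocation cert: %s\n' "$cert"
printf '%s\n' "$SAMPLE_DMESG" | mok_from_mokvar_table && echo 'MokListRT came from the MOKvar table'
printf '%s\n' "$SAMPLE_KEYRING" | cert_on_blacklist "$cert" && echo 'revocation cert is on .blacklist'
printf 'revoked binary hashes: %s\n' "$(printf '%s\n' "$SAMPLE_KEYRING" | blacklisted_hash_count)"
```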