[Bug 1883906] [NEW] update-secureboot-policy: fails to trigger mok loading

Andy Whitcroft 1883906 at bugs.launchpad.net
Wed Jun 17 13:08:39 UTC 2020


Public bug reported:

In both eoan and bionic I have had cases where I add a new dkms package
and dkms triggers update-secureboot-policy to try and enroll a key for
me. When it does this I reboot and nothing is prompted and the key is
not enrolled.

Tracking this through, update-secureboot-policy is calling mokutil as
below:

  enroll_mok()
  {
[...]
    echo "Adding '$SB_KEY' to shim:"
    printf '%s\n%s\n' "$key" "$again" | mokutil --timeout -1 --import "$SB_KEY" >/dev/null || true
  }

If I try this at the command line this is reported as invalid, despite
listing both options as valid:

 # printf "%s\n%s\n" '12345678' '12345678' | mokutil --timeout 1 --import MOK.der
 Usage:
  mokutil OPTIONS [ARGS...]

 Options:
[...]
  --import <der file...>                Import keys
[...]
  --timeout <-1,0..0x7fff>              Set the timeout for MOK prompt
[...]

Dropping --timeout allows the command to complete:

 # printf "%s\n%s\n" '12345678' '12345678' | mokutil --import MOK.der
 input password: 
 input password again: 

And on reboot I am prompted and the key is enrolled.

** Affects: mokutil (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shim-signed (Ubuntu)
     Importance: Undecided
         Status: New
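Added example for this report (not code from shim-signed's update-secureboot-policy and not written by the reporter): a POSIX sh wrapper that does not treat the enrollment as done until `mokutil --list-new` lists the key, instead of hiding a failed import behind `|| true` the way the quoted enroll_mok() does. The function names `key_is_pending`, `der_sha1_fingerprint` and `enroll_and_verify` are hypothetical, and the `--list-new` listing and fingerprint embedded at the bottom are constructed placeholders so the check can be exercised without root or a Secure Boot machine.

```shell
#!/bin/sh
# Added example for Launchpad bug 1883906; not code from shim-signed or from
# the bug reporter. A wrapper around mokutil should only report success once
# "mokutil --list-new" actually lists the key, rather than discarding the
# import's exit status with "|| true".

# key_is_pending LISTING FINGERPRINT
# LISTING is the text of "mokutil --list-new"; returns 0 when FINGERPRINT
# (SHA1, colon-separated hex, any case) appears in it.
key_is_pending() {
    listing="$1"
    fp="$2"
    printf '%s\n' "$listing" | grep -Fiq -- "$fp"
}

# der_sha1_fingerprint DERFILE
# Prints the SHA1 fingerprint of a DER certificate in mokutil's colon form.
der_sha1_fingerprint() {
    openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# enroll_and_verify DERFILE PASSWORD
# Hypothetical replacement for the enroll_mok() body quoted in the report.
# Queues the key the same way update-secureboot-policy does (minus the
# --timeout option that made mokutil print its usage text), then refuses to
# claim success until the key shows up in the pending list.
enroll_and_verify() {
    der="$1"
    pw="$2"
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; return 2; }
    printf '%s\n%s\n' "$pw" "$pw" | mokutil --import "$der" >/dev/null || {
        echo "mokutil --import failed for $der" >&2
        return 1
    }
    fp=$(der_sha1_fingerprint "$der")
    if key_is_pending "$(mokutil --list-new)" "$fp"; then
        echo "enrollment of $der queued; MokManager will prompt on next boot"
        return 0
    fi
    echo "mokutil --import returned 0 but $der is not in 'mokutil --list-new'" >&2
    return 1
}

# Constructed sample of "mokutil --list-new" output with a placeholder
# fingerprint (not captured from a real system); lets key_is_pending be
# exercised on a machine without mokutil.
SAMPLE_FP='01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67'
SAMPLE_LIST_NEW="[key 1]
SHA1 Fingerprint: $SAMPLE_FP
Certificate:
    Data:
        Version: 3 (0x2)"

# Real enrollment only when a DER file is given on the command line, e.g.
#   sh mok-verify.sh /var/lib/shim-signed/mok/MOK.der
# The MOK password is read from the terminal with echo turned off.
if [ $# -ge 1 ]; then
    printf 'MOK password: ' >&2
    stty -echo 2>/dev/null
    read -r pw
    stty echo 2>/dev/null
    echo >&2
    enroll_and_verify "$1" "$pw"
fi
```

The split into `key_is_pending` and `enroll_and_verify` is deliberate: the pure text check can be unit-tested on any machine, while the part that needs root and an EFI variable store stays small and is the only place mokutil is called. The same `--list-new` check is also what to run by hand before rebooting when a dkms install claims it queued a key.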

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1883906

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/1883906/+subscriptions



More information about the foundations-bugs mailing list