[Bug 1939565] [NEW] kernel signed by mok failed to boot if secure boot is on

Yuan-Chen Cheng 1939565 at bugs.launchpad.net
Wed Aug 11 13:11:01 UTC 2021 

Public bug reported:

On Focal, create a mok and enroll it, use it to sign test kernel as the
secure boot is on.

# sh -x test.sh 
+ sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
Signature verification OK
+ openssl x509 -in TestKer.pem -outform der -out TestKernel.der
+ mokutil --test-key TestKernel.der
TestKernel.der is already enrolled

As the secure boot is on, can't load above kernel.

The error message is:

/boot/vmlinuz-5.13.0-9010-oem has invalid signature.

Machine: Latitude 7520
bios: 1.6.0
shim-signed: 1.40.6+15.4-0ubuntu7
grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2

** Affects: oem-priority
     Importance: Critical
     Assignee: Yuan-Chen Cheng (ycheng-twn)
         Status: Confirmed

** Affects: shim (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Proprietary to Public

** Also affects: shim (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1939565

Title:
  kernel signed by mok failed to boot if secure boot is on

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  New

Bug description:
  On Focal, create a mok and enroll it, use it to sign test kernel as
  the secure boot is on.

  # sh -x test.sh 
  + sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
  Signature verification OK
  + openssl x509 -in TestKer.pem -outform der -out TestKernel.der
  + mokutil --test-key TestKernel.der
  TestKernel.der is already enrolled

  As the secure boot is on, can't load above kernel.

  The error message is:

  /boot/vmlinuz-5.13.0-9010-oem has invalid signature.

  Machine: Latitude 7520
  bios: 1.6.0
  shim-signed: 1.40.6+15.4-0ubuntu7
  grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1939565/+subscriptions

More information about the foundations-bugs mailing list