[Bug 1939565] Re: kernel signed by mok failed to boot if secure boot is on

Ivan Hu 1939565 at bugs.launchpad.net
Tue Aug 17 10:23:54 UTC 2021


Manually tested on my UEFI development kit (RainbowPass) platform by
following the procedure below, and I cannot reproduce this issue.

1. install focal
2. update shim-signed to 1.40.6+15.4.0ubuntu7 and grub2 to 2.04-1ubuntu26.12
3. install mainline kernel (unsigned), https://kernel.ubuntu.com/~kernel-ppa/mainline/v5.8.18/
4. check or create test kernel key
   * mkdir -p /var/lib/test_ker/
   * openssl genrsa -out /var/lib/test_ker/TestKer.priv 2048
   * openssl req -new -x509 -sha256 -subj '/CN=TestKer-key' -key /var/lib/test_ker/TestKer.priv -out /var/lib/test_ker/TestKer.pem
   * openssl x509 -in /var/lib/test_ker/TestKer.pem -inform PEM -out /var/lib/test_ker/TestKer.der -outform DER
5. sign the kernel
   * sbsign --key /var/lib/test_ker/TestKer.priv --cert /var/lib/test_ker/TestKer.pem --output vmlinuz-5.8.18-05.0818-generic.signed vmlinuz-5.8.18-05.0818-generic
6. enroll the MOK key
   * mokutil --import Testker.der
7. reboot

https://bugs.launchpad.net/bugs/1939565
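The procedure above and the reporter's test.sh both rely on the enrolled MOK being the same certificate that sbsign used. The following is an added example, not code from the bug report or from shim/mokutil: it computes the SHA1 fingerprint of the DER certificate written in step 4 and looks for it in `mokutil --list-enrolled` output, so a stale or re-generated key shows up as a visible fingerprint mismatch rather than a bare "invalid signature" at boot. It assumes the Ubuntu mokutil listing format ("[key N]" followed by a "SHA1 Fingerprint:" line); the DER bytes and listing in the block are constructed sample data.

```python
# Added example (not from the bug report): confirm that the certificate used to
# sign the kernel is among the enrolled MOKs. Assumes mokutil --list-enrolled
# prints "[key N]" blocks each containing "SHA1 Fingerprint: aa:bb:...".
import hashlib
import re
import subprocess
from pathlib import Path

# 20-byte SHA1 as 40 hex digits plus 19 colons = 59 characters
FP_RE = re.compile(r"^SHA1 Fingerprint:\s*([0-9a-f:]{59})\s*$", re.I | re.M)


def der_fingerprint(der: bytes) -> str:
    """SHA1 fingerprint of a DER certificate, colon-separated as openssl/mokutil print it."""
    digest = hashlib.sha1(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def enrolled_fingerprints(mokutil_output: str) -> list:
    """Fingerprints of every key found in `mokutil --list-enrolled` text (lower-case)."""
    return [fp.lower() for fp in FP_RE.findall(mokutil_output)]


def mok_has_cert(der: bytes, mokutil_output: str) -> bool:
    """True if the signing certificate's fingerprint appears in the MOK listing."""
    return der_fingerprint(der) in enrolled_fingerprints(mokutil_output)


def check_live(der_path: str) -> bool:
    """Same check against the running machine (needs mokutil and a UEFI system)."""
    out = subprocess.run(["mokutil", "--list-enrolled"],
                         capture_output=True, text=True, check=True).stdout
    return mok_has_cert(Path(der_path).read_bytes(), out)


# Constructed sample data: not a real certificate, not real mokutil output.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-not-a-real-certificate"
SAMPLE_LISTING = (
    "[key 1]\n"
    "SHA1 Fingerprint: " + der_fingerprint(SAMPLE_DER) + "\n"
    "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
    "[key 2]\n"
    "SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33\n"
)

if __name__ == "__main__":
    print("signing cert", der_fingerprint(SAMPLE_DER),
          "enrolled" if mok_has_cert(SAMPLE_DER, SAMPLE_LISTING) else "NOT enrolled")
```

Run `check_live("/var/lib/test_ker/TestKer.der")` on the affected machine to compare the actual signing certificate with what shim will consult; `mokutil --test-key` answers the same question, but this prints the fingerprints so a mismatch can be traced to the key that was actually used.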

Title:
  kernel signed by mok failed to boot if secure boot is on

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  New

Bug description:
  On Focal, create a MOK and enroll it, then use it to sign a test kernel
  while Secure Boot is on.

  # sh -x test.sh 
  + sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
  Signature verification OK
  + openssl x509 -in TestKer.pem -outform der -out TestKernel.der
  + mokutil --test-key TestKernel.der
  TestKernel.der is already enrolled

  As Secure Boot is on, the above kernel can't be loaded.

  The error message is:

  /boot/vmlinuz-5.13.0-9010-oem has invalid signature.

  Machine: Latitude 7520
  bios: 1.6.0
  shim-signed: 1.40.6+15.4-0ubuntu7
  grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2
