[Bug 1939565] Re: kernel signed by mok failed to boot if secure boot is on

Ivan Hu 1939565 at bugs.launchpad.net
Tue Aug 24 09:31:37 UTC 2021 

Got the Latitude 7520 machine, from the shim's log, it seems something
wrong in the self signed certificate and the binary is not authorized.

And do some tests, basically base on the comment#6, install another test
kernel and signed/enrolled with another MOK key manually.

1. install test kernel(unsigned), v5.14.0-rc7
2. shim and grub have already been updated.
3. create a MOK key 
   * mkdir -p /var/lib/test_ker/
   * openssl genrsa -out /var/lib/test_ker/TestKer.priv 2048
   * openssl req -new -x509 -sha256 -subj '/CN=TestKer-key' -key /var/lib/test_ker/TestKer.priv -out /var/lib/test_ker/TestKer.pem
   * openssl x509 -in /var/lib/test_ker/TestKer.pem -inform PEM -out /var/lib/test_ker/TestKer.der -outform DER
4. signed kernel
  * sbsign --key /var/lib/test_ker/TestKer.priv --cert /var/lib/test_ker/TestKer.pem --output vmlinuz-5.14.0-051400rc7-generic.signed vmlinuz-5.14.0-051400rc7-generic
6. enroll mok key
 * mokutil --import Testker.der
7. reboot

The test kernel 5.14 and MOK key work normally.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1939565

Title:
  kernel signed by mok failed to boot if secure boot is on

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  New

Bug description:
  On Focal, create a mok and enroll it, use it to sign test kernel as
  the secure boot is on.

  # sh -x test.sh 
  + sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
  Signature verification OK
  + openssl x509 -in TestKer.pem -outform der -out TestKernel.der
  + mokutil --test-key TestKernel.der
  TestKernel.der is already enrolled

  As the secure boot is on, can't load above kernel.

  The error message is:

  /boot/vmlinuz-5.13.0-9010-oem has invalid signature.

  Machine: Latitude 7520
  bios: 1.6.0
  shim-signed: 1.40.6+15.4-0ubuntu7
  grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1939565/+subscriptions

More information about the foundations-bugs mailing list