[Bug 1939565] Re: kernel signed by mok failed to boot if secure boot is on

Steve Langasek 1939565 at bugs.launchpad.net
Tue Aug 24 20:00:22 UTC 2021


The original bug report does not say how the MOK has been generated.

If it is generated using the maintainer script integrations in
shim-signed (the update-secureboot-policy command), note that the
openssl config in /usr/lib/shim/mok/openssl.cnf generates a key which
is specifically annotated as only being allowed for signing modules,
NOT kernels.  It is invalid to use this dkms key for signing kernels,
you would need to generate another key (as shown in various comments in
this bug report) that does not have the EKU set to say it's only for
modules.

It is possible that an earlier version of shim was not enforcing this
constraint and that's why it worked for you before upgrade.

** Changed in: shim (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1939565

Title:
  kernel signed by mok failed to boot if secure boot is on

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  Incomplete

Bug description:
  On Focal, create a mok and enroll it, use it to sign test kernel as
  the secure boot is on.

  # sh -x test.sh 
  + sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
  Signature verification OK
  + openssl x509 -in TestKer.pem -outform der -out TestKernel.der
  + mokutil --test-key TestKernel.der
  TestKernel.der is already enrolled

  As the secure boot is on, can't load above kernel.

  The error message is:

  /boot/vmlinuz-5.13.0-9010-oem has invalid signature.

  Machine: Latitude 7520
  bios: 1.6.0
  shim-signed: 1.40.6+15.4-0ubuntu7
  grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1939565/+subscriptions
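The point in Steve Langasek's reply, that a MOK generated for dkms module signing carries an extended key usage which shim will not accept on a kernel, and the observation in the report that sbverify and mokutil --test-key both pass anyway (neither checks the EKU), can be exercised with the script below. It is an added example, not code from the bug report, from shim-signed or from the shim project. It assumes that shim's "module signing only" EKU is OID 1.3.6.1.4.1.2312.16.1.2 (OID_EKU_MODSIGN in shim's source) and that the dkms key made by update-secureboot-policy carries that OID; the function names, the 2048-bit key size (chosen for speed) and the certificate CNs are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or the shim project).
# Assumptions: shim's "module signing only" EKU is OID
# 1.3.6.1.4.1.2312.16.1.2 (OID_EKU_MODSIGN in shim's source), and the
# key made by update-secureboot-policy carries it; the function names,
# CNs and the 2048-bit size (for speed) are this example's own choices.
set -eu

MODSIGN_EKU="1.3.6.1.4.1.2312.16.1.2"

# Write a minimal openssl req config.  $1 = path, $2 = CN,
# $3 = extendedKeyUsage value.
write_req_cfg() {
  cat >"$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ext

[ dn ]
CN = $2

[ ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = $3
subjectKeyIdentifier = hash
EOF
}

# Generate a self-signed MOK as $1.key / $1.pem / $1.der with EKU $2
# and CN $3.  The .der is what mokutil --import and --test-key take.
gen_mok() {
  cfg=$(mktemp)
  write_req_cfg "$cfg" "$3" "$2"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -config "$cfg" -keyout "$1.key" -out "$1.pem" 2>/dev/null
  openssl x509 -in "$1.pem" -outform DER -out "$1.der"
  rm -f "$cfg"
}

# A key fit for signing kernels (or any EFI binary shim verifies):
# plain codeSigning, no module-only restriction.
gen_kernel_mok() { gen_mok "$1" "codeSigning" "Test kernel signing MOK"; }

# A key shaped like the dkms module-signing key (assumed): the extra
# EKU tells shim the certificate may only vouch for kernel modules, so
# a kernel signed with it is rejected as having an invalid signature.
gen_module_mok() { gen_mok "$1" "codeSigning,$MODSIGN_EKU" "Test module signing MOK"; }

# Return 0 if the PEM certificate in $1 lacks the module-only EKU and
# so may be used to sign a kernel; return 1 if it carries the EKU.
# openssl x509 -text prints OIDs it has no name for in dotted form,
# which is what is matched here.
mok_can_sign_kernel() {
  if openssl x509 -in "$1" -noout -text | grep -qF "$MODSIGN_EKU"; then
    return 1
  fi
  return 0
}

# Usage: sh mok-eku.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_kernel_mok "$d/kernel"
  gen_module_mok "$d/dkms"
  for c in kernel dkms; do
    if mok_can_sign_kernel "$d/$c.pem"; then
      echo "$c.pem: no module-only EKU, usable for kernel signing"
    else
      echo "$c.pem: module-only EKU present, NOT valid for kernels"
    fi
  done
  rm -rf "$d"
fi
```

To check the key update-secureboot-policy created on an existing Ubuntu install, point mok_can_sign_kernel at its PEM (assumed to live under /var/lib/shim-signed/mok/); if it reports the module-only EKU, generate a fresh key with gen_kernel_mok, sign the kernel with sbsign using the new .key and .pem, and enroll the new .der with mokutil --import before rebooting. The checker reproduces only the one rule at issue in this report; a kernel can still fail to boot for unrelated reasons (certificate not yet enrolled through MokManager, signature made with a different key than the one enrolled), and sbverify --cert or mokutil --test-key succeeding says nothing about the EKU, as the transcript in the bug description shows.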