[Bug 1939565] Re: kernel signed by mok failed to boot if secure boot is on

Ivan Hu 1939565 at bugs.launchpad.net
Mon Aug 30 07:06:08 UTC 2021


Following up on the tests for comment#12,

the same test kernel v5.14.0-rc7 signed with the originally created key in
/var/lib/shim-signed/test_kernel will not boot up, and fails with the
invalid signature error.

Comparing the keys between /var/lib/shim-signed/test_kernel and
comment#12 (/var/lib/test_ker/), the failing one (in
/var/lib/shim-signed/test_kernel) has the (1.3.6.1.4.1.2312.16.1.2) KeyUsage OID.

It seems that using the "Module-signing only"
(1.3.6.1.4.1.2312.16.1.2) KeyUsage OID to sign the test kernel is what
causes the signature verification to fail.

@YC
I know the OEM projects are based on my EFI application and script to generate/enroll MOK keys for test kernels, https://github.com/Ivanhu5866/MokEnrollKey/blob/master/mok_testkernel_key.sh
Could you provide the exact script for how the MOK has been generated/enrolled, and maybe the openssl.cnf, for checking?

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shim in Ubuntu.
https://bugs.launchpad.net/bugs/1939565

Title:
  kernel signed by mok failed to boot if secure boot is on

Status in OEM Priority Project:
  Confirmed
Status in shim package in Ubuntu:
  Incomplete

Bug description:
  On Focal, create a MOK and enroll it, and use it to sign a test kernel
  while Secure Boot is on.

  # sh -x test.sh 
  + sbverify --cert TestKer.pem /boot/vmlinuz-5.13.0-9010-oem
  Signature verification OK
  + openssl x509 -in TestKer.pem -outform der -out TestKernel.der
  + mokutil --test-key TestKernel.der
  TestKernel.der is already enrolled

  As Secure Boot is on, the above kernel can't be loaded.

  The error message is:

  /boot/vmlinuz-5.13.0-9010-oem has invalid signature.

  Machine: Latitude 7520
  bios: 1.6.0
  shim-signed: 1.40.6+15.4-0ubuntu7
  grub-efi-amd64-signed: 1.167.2+2.04-1ubuntu44.2

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1939565/+subscriptions
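The check the thread converges on, as an added example that is not part of the bug report, Ivan Hu's script, or shim: sbverify and mokutil --test-key both pass in the report above because neither looks at the certificate's Extended Key Usage, while shim's verify_eku() refuses any certificate whose EKU lists the "Module-signing only" OID 1.3.6.1.4.1.2312.16.1.2 (the OID the kernel tree's default x509.genkey puts into module-signing keys). The script below builds two self-signed MOK-style certificates with openssl, one with a plain codeSigning EKU and one that also carries the module-signing OID, then reports which one shim would trust. The openssl.cnf shape, the file names and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: show why a MOK whose EKU carries the module-signing OID
# passes sbverify/mokutil but is rejected by shim at boot.
set -eu

MODSIGN_OID="1.3.6.1.4.1.2312.16.1.2"   # "Module-signing only" EKU OID
WORK="$(mktemp -d)"

# make_cert NAME EKU_LIST
# Writes an assumed minimal openssl.cnf and creates a self-signed RSA
# certificate whose extendedKeyUsage is EKU_LIST; prints the PEM path.
make_cert() {
    _base="$WORK/$1"
    cat > "$_base.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = ext
[ dn ]
CN = $1
[ ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = $2
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$_base.cnf" -keyout "$_base.key" -out "$_base.pem" 2>/dev/null
    printf '%s\n' "$_base.pem"
}

# eku_of CERT.pem: print the value line of the X509v3 Extended Key Usage
# extension (openssl prints unknown OIDs such as the module-signing one
# in dotted form, so a plain text match is enough).
eku_of() {
    openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}'
}

# shim_would_accept CERT.pem: mirrors shim's verify_eku() rule, which
# rejects a certificate whose EKU contains the module-signing OID.
shim_would_accept() {
    if eku_of "$1" | grep -qF "$MODSIGN_OID"; then
        return 1
    fi
    return 0
}

# Constructed inputs: a kernel-signing MOK and a module-signing MOK.
KERNEL_MOK="$(make_cert TestKer codeSigning)"
MODULE_MOK="$(make_cert TestKer-modsign "codeSigning,$MODSIGN_OID")"

for c in "$KERNEL_MOK" "$MODULE_MOK"; do
    if shim_would_accept "$c"; then
        verdict="shim accepts"
    else
        verdict="shim rejects ($MODSIGN_OID present)"
    fi
    printf '%s: EKU =%s -> %s\n' "$(basename "$c")" \
        "$(eku_of "$c" | tr -s ' ')" "$verdict"
done
```

Run eku_of against the DER or PEM you enroll with mokutil before signing a kernel: if the output contains 1.3.6.1.4.1.2312.16.1.2, the key is usable for kernel modules only and needs to be regenerated with a codeSigning-only extendedKeyUsage for kernel images.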