[Bug 2131181] Re: Loading certificate with --import enrolls it into the platform keyring instead of the machine keyring
John A Meinel
2131181 at bugs.launchpad.net
Mon Dec 15 18:47:26 UTC 2025
** Summary changed:
- Loading certificate with --import enrolls it into the playform keyring instead of the machine keyring
+ Loading certificate with --import enrolls it into the platform keyring instead of the machine keyring
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mokutil in Ubuntu.
Matching subscriptions: mokutil-bugs
https://bugs.launchpad.net/bugs/2131181
Title:
Loading certificate with --import enrolls it into the platform keyring
instead of the machine keyring
Status in mokutil package in Ubuntu:
New
Bug description:
A certificate imported via mokutil --import and successfully enrolled
using the interactive MokManager screen is being loaded into the
kernel's .platform keyring, instead of the expected .machine keyring.
Allowing user-enrolled MOK keys to enter the .platform keyring
bypasses this security boundary and could enable unauthorized trust
for third-party modules or components under the guise of the Platform
Key.
I was able to reproduce this behavior in an LXD VM running Ubuntu
24.04. Documentation about this behavior can be found at
'https://ima-doc.readthedocs.io/en/latest/ima-concepts.html#keyrings'.
Environment
Host OS: Ubuntu 24.04
Guest OS: Ubuntu 24.04 VM launched with LXD
Kernel
6.8.0-86-generic
Package Versions
mokutil - 0.6.0-2build3
openssl - 3.0.13-0ubuntu3.6
keyutils - 1.6.3-3build1
Steps to Reproduce
Generate a self signed certificate and export it in DER format:
openssl req -x509 -new -nodes -keyout custom_ima_ca.key -out custom_ima_ca.crt -days 365 -subj "/C=US/ST=Test/L=Test/O=Test/CN=custom_ima_ca"
openssl x509 -in custom_ima_ca.crt -outform der -out custom_ima_ca.der
Create an enrollment request for your new certificate:
mokutil --import custom_ima_ca.der
Reboot the VM:
reboot
During the boot process, enter a console on the VM by running the
following command on the host:
lxc console <VM-NAME> --type=vga
Enroll the certificate in the MokManager screen:
Select "Enroll MOK"
Select "Continue"
Select "Yes" to enroll
Enter the password set during enrollment
Select "Reboot"
Now, enter a shell in the VM and confirm the certificate is
enrolled:
mokutil -t custom_ima_ca.der
Run the following commands to check the machine keyring and
platform keyring:
keyctl show %:.machine
keyctl show %:.platform
You will see that your new certificate is enrolled in the .platform
keyring even though mokutil should not be able to do this. The key
should NOT be present in the .platform keyring, as keys in this
keyring are reserved for those loaded directly from the UEFI DB/KEK
variables.
On my test VM, the following certificates were present in the machine
and platform keyrings after performing the steps above:
keyctl show %:.machine
Keyring
176967492 ---lswrv 0 0 keyring: .machine
keyctl show %:.platform
Keyring
85465097 ---lswrv 0 0 keyring: .platform
488749135 ---lswrv 0 0 \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
85391987 ---lswrv 0 0 \_ asymmetric: Test: custom_ima_ca: d195e2b6a22adbb4a4b3d1f0894bffe2eece3903
805573327 ---lswrv 0 0 \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
1057025125 ---lswrv 0 0 \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mokutil/+bug/2131181/+subscriptions
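As an added example (not part of the bug report or of mokutil), the following POSIX shell check automates the last step of the reproduction above: it parses `keyctl show` listings of the .machine and .platform keyrings and reports whether a MOK certificate ended up in the keyring reserved for UEFI DB/KEK keys. The sample listings are constructed from the report's VM output, and the helper names (`list_asymmetric`, `count_matches`, `classify_mok_key`) are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample listings, copied from the bug report's VM output.
SAMPLE_MACHINE='Keyring
 176967492 ---lswrv      0     0  keyring: .machine'

SAMPLE_PLATFORM='Keyring
  85465097 ---lswrv      0     0  keyring: .platform
 488749135 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
  85391987 ---lswrv      0     0   \_ asymmetric: Test: custom_ima_ca: d195e2b6a22adbb4a4b3d1f0894bffe2eece3903
 805573327 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
1057025125 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'

# list_asymmetric LISTING: print "keyid<TAB>description" for every asymmetric key
# in a `keyctl show` listing; the description is the text after "asymmetric: ".
list_asymmetric() {
    printf '%s\n' "$1" | awk -F'asymmetric: ' \
        '/\\_ asymmetric: / { split($1, a, " "); printf "%s\t%s\n", a[1], $2 }'
}

# count_matches LISTING PATTERN: number of asymmetric keys whose description
# contains PATTERN (a subject fragment such as the CN, or the hex key id).
count_matches() {
    list_asymmetric "$1" | grep -c -F -- "$2"
}

# classify_mok_key MACHINE_LISTING PLATFORM_LISTING PATTERN
# Prints "misplaced" if the key is in .platform (the condition this bug reports),
# "ok" if it is only in .machine, and "absent" if it is in neither keyring.
classify_mok_key() {
    if [ "$(count_matches "$2" "$3")" -gt 0 ]; then
        echo misplaced
    elif [ "$(count_matches "$1" "$3")" -gt 0 ]; then
        echo ok
    else
        echo absent
    fi
}

# Stand-alone run against the constructed samples; on a real VM replace the
# samples with "$(keyctl show %:.machine)" and "$(keyctl show %:.platform)".
classify_mok_key "$SAMPLE_MACHINE" "$SAMPLE_PLATFORM" custom_ima_ca
```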