kernel-packages team mailing list archive

[Bug 1461412] Status changed to Confirmed

 

This change was made by a bot.

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1461412

Title:
  Mok Not In System Keyring

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  I'm not sure if this would be filed under linux, mokutil, efitools or whatever package handles the system keyring (methinks linux).
  My related thread: http://ubuntuforums.org/showthread.php?t=2280063&p=13296983

  There is only ONE key in the system_keyring
  $ sudo keyctl list %:.system_keyring
  *****
  1 key in keyring:
  506366910: ---lswrv     0     0 asymmetric: Magrathea: Glacier signing key: 084a8d7d7040cfda9434734a2c4fd9135026b772
  *****

  Not even the Canonical Mok is in the ring, nor the rest of the secure-boot keys.
  $ sudo mokutil --list-enrolled
  *****
  [key 1]
  SHA1 Fingerprint: e1:65:d2:54:9f:e4:df:5a:be:c3:03:42:3c:f5:6a:97:e1:aa:69:1d
  //mine

  [key 2]
  SHA1 Fingerprint: 4e:ce:a3:2f:f1:e8:91:ee:e9:35:eb:27:63:43:04:96:57:83:13:13
  //mine

  [key 3]
  SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
  //Canonical
  *****

  The EFI packages know the secure-boot keys are there, but won't recognize any Moks having been enrolled.
  $ sudo efi-readvar 
  *****
  Variable PK, length 639
  PK: List 0, type X509
      Signature 0, size 611, owner eea2f5d2-c835-4e8c-ae00-c1605a53bb43
          Subject:
              CN=ASOCK - PK
          Issuer:
              CN=Root Agency
  Variable KEK, length 1560
  KEK: List 0, type X509
      Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
          Subject:
              C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
          Issuer:
              C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
  Variable db, length 3143
  db: List 0, type X509
      Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
          Subject:
              C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
          Issuer:
              C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
  db: List 1, type X509
      Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
          Subject:
              C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
          Issuer:
              C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
  Variable dbx, length 76
  dbx: List 0, type SHA256
      Signature 0, size 48, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
          Hash:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  Variable MokList has no entries
  *****

  My expectation: http://docs.fedoraproject.org/en-US/Fedora/21/html/System_Administrators_Guide/sect-kernel-module-authentication.html
  All secure-boot keys would be loaded in the system_keyring.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.04
  Package: linux-image-3.19.0-20-generic 3.19.0-20.20
  ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8
  Uname: Linux 3.19.0-20-generic x86_64
  ApportVersion: 2.17.2-0ubuntu1.1
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC1:  nater      1772 F.... pulseaudio
   /dev/snd/controlC0:  nater      1772 F.... pulseaudio
  Date: Wed Jun  3 01:44:33 2015
  EcryptfsInUse: Yes
  HibernationDevice: RESUME=UUID=cb697e57-b770-47d0-9629-add00e16ddd2
  InstallationDate: Installed on 2015-05-31 (2 days ago)
  InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
  MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
  ProcEnviron:
   LANGUAGE=en_US
   TERM=xterm
   PATH=(custom, no user)
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-20-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
  PulseList:
   Error: command ['pacmd', 'list'] failed with exit code 1: Home directory not accessible: Permission denied
   No PulseAudio daemon running, or not running as session daemon.
  RelatedPackageVersions:
   linux-restricted-modules-3.19.0-20-generic N/A
   linux-backports-modules-3.19.0-20-generic  N/A
   linux-firmware                             1.143.1
  SourcePackage: linux
  UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 12/15/2014
  dmi.bios.vendor: American Megatrends Inc.
  dmi.bios.version: P1.50
  dmi.board.name: H97M-ITX/ac
  dmi.board.vendor: ASRock
  dmi.chassis.asset.tag: To Be Filled By O.E.M.
  dmi.chassis.type: 3
  dmi.chassis.vendor: To Be Filled By O.E.M.
  dmi.chassis.version: To Be Filled By O.E.M.
  dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvrP1.50:bd12/15/2014:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnH97M-ITX/ac:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
  dmi.product.name: To Be Filled By O.E.M.
  dmi.product.version: To Be Filled By O.E.M.
  dmi.sys.vendor: To Be Filled By O.E.M.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1461412/+subscriptions

