[Kernel-packages] [Bug 1975741] [NEW] linux-oem-22.04(a) does not load MOK certificates

[Thomas Boerner]

Public bug reported:

I started to test the oem kernel on ubuntu 22.04 jammy. Doing so I
wondered why all my dkms modules don't load when secure boot is active
although they are correctly signed. After investigating quite a while I
found that the MOK certificates are not loaded during boot. This is from
journalctl -k with the hwe kernel (currently 5.15.0-33-generic) where
everything is fine:

```
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in revocation 
X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical 
Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow 
Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 
certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found
```

And this is from journalctl -k with the oem kernel (currently
5.17.0-1006-oem) where the MOK certificates are not loaded:

```
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in revocation 
X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 
certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found
```


I started to test the oem kernel on ubuntu 22.04 jammy. Doing so I
wondered why all my dkms modules don't load when secure boot is active
although they are correctly signed. After investigating quite a while I
found that the MOK certificates are not loaded during boot. This is from
journalctl -k with the hwe kernel (currently 5.15.0-33-generic) where
everything is fine:

Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in revocation 
X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical 
Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow 
Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 
certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found

And this is from journalctl -k with the oem kernel (currently
5.17.0-1006-oem) where the MOK certificates are not loaded:

Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in revocation 
X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 
certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found


The part where the MOK certificates are loaded (in 5.15.0-33-generic):
```Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical 
Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow 
Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
```
is missing when booting 5.17.0-1006-oem.

This is on a Dell XPS-17 9710, latest BIOS updates (1.81), latest jammy
updates. silvershadow is the hostname ;-)

If you need any more information please let me know

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: linux-oem-22.04 5.17.0.1006.6
ProcVersionSignature: Ubuntu 5.15.0-33.34-generic 5.15.30
Uname: Linux 5.15.0-33-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl icp
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed May 25 15:55:37 2022
InstallationDate: Installed on 2022-04-07 (48 days ago)
InstallationMedia: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
SourcePackage: linux-meta-oem-5.17
UpgradeStatus: Upgraded to jammy on 2022-04-07 (48 days ago)

** Affects: linux-meta-oem-5.17 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug jammy

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-meta-oem-5.17 in Ubuntu.
https://bugs.launchpad.net/bugs/1975741

Title:
  linux-oem-22.04(a) does not load MOK certificates

Status in linux-meta-oem-5.17 package in Ubuntu:
  New

Bug description:
  I started to test the oem kernel on ubuntu 22.04 jammy. Doing so I
  wondered why all my dkms modules don't load when secure boot is active
  although they are correctly signed. After investigating quite a while
  I found that the MOK certificates are not loaded during boot. This is
  from journalctl -k with the hwe kernel (currently 5.15.0-33-generic)
  where everything is fine:

  ```
  Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
  Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in 
revocation X.509 certificates
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
  Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
  Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
  Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
  Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
  Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
  Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
  Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
  Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
  Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical 
Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 
'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
  Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 
certificates
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
  Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
  Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found
  ```

  And this is from journalctl -k with the oem kernel (currently
  5.17.0-1006-oem) where the MOK certificates are not loaded:

  ```
  Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
  Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in 
revocation X.509 certificates
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
  Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
  Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
  Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
  Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
  Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
  Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
  Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
  Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
  Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
  Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 
certificates
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
  Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
  Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found
  ```


  I started to test the oem kernel on ubuntu 22.04 jammy. Doing so I
  wondered why all my dkms modules don't load when secure boot is active
  although they are correctly signed. After investigating quite a while
  I found that the MOK certificates are not loaded during boot. This is
  from journalctl -k with the hwe kernel (currently 5.15.0-33-generic)
  where everything is fine:

  Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
  Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in 
revocation X.509 certificates
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
  Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
  Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
  Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
  Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
  Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
  Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
  Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
  Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
  Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical 
Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 
'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
  Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 
certificates
  Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
  Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
  Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found

  And this is from journalctl -k with the oem kernel (currently
  5.17.0-1006-oem) where the MOK certificates are not loaded:

  Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live 
Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel 
Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
  Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in 
revocation X.509 certificates
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure 
Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
  Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
  Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
  Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
  Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
  Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
  Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
  Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing 
enabled
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: 
Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
  Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:db
  Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft 
Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
  Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: 
UEFI:dbx
  Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft 
Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
  Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 
certificates
  Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time 
autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
  Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
  Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found

  
  The part where the MOK certificates are loaded (in 5.15.0-33-generic):
  ```Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical 
Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
  Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: 
UEFI:MokListRT (MOKvar table)
  Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 
'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
  ```
  is missing when booting 5.17.0-1006-oem.

  This is on a Dell XPS-17 9710, latest BIOS updates (1.81), latest
  jammy updates. silvershadow is the hostname ;-)

  If you need any more information please let me know

  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: linux-oem-22.04 5.17.0.1006.6
  ProcVersionSignature: Ubuntu 5.15.0-33.34-generic 5.15.30
  Uname: Linux 5.15.0-33-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl icp
  ApportVersion: 2.20.11-0ubuntu82.1
  Architecture: amd64
  CasperMD5CheckResult: pass
  Date: Wed May 25 15:55:37 2022
  InstallationDate: Installed on 2022-04-07 (48 days ago)
  InstallationMedia: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
  SourcePackage: linux-meta-oem-5.17
  UpgradeStatus: Upgraded to jammy on 2022-04-07 (48 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-meta-oem-5.17/+bug/1975741/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp