Public bug reported:

I started to test the oem kernel on ubuntu 22.04 jammy. Doing so I wondered why all my dkms modules don't load when secure boot is active although they are correctly signed. After investigating quite a while I found that the MOK certificates are not loaded during boot.

This is from journalctl -k with the hwe kernel (currently 5.15.0-33-generic) where everything is fine:

```
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found
```

And this is from journalctl -k with the oem kernel (currently 5.17.0-1006-oem) where the MOK certificates are not loaded:

```
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found
```

The part where the MOK certificates are loaded (in 5.15.0-33-generic):

```
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
```

is missing when booting 5.17.0-1006-oem.

This is on a Dell XPS-17 9710, latest BIOS updates (1.81), latest jammy updates. silvershadow is the hostname ;-)

If you need any more information please let me know

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: linux-oem-22.04 5.17.0.1006.6
ProcVersionSignature: Ubuntu 5.15.0-33.34-generic 5.15.30
Uname: Linux 5.15.0-33-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl icp
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Wed May 25 15:55:37 2022
InstallationDate: Installed on 2022-04-07 (48 days ago)
InstallationMedia: Ubuntu 21.10 "Impish Indri" - Release amd64 (20211012)
SourcePackage: linux-meta-oem-5.17
UpgradeStatus: Upgraded to jammy on 2022-04-07 (48 days ago)

** Affects: linux-meta-oem-5.17 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux-meta-oem-5.17 in Ubuntu.
https://bugs.launchpad.net/bugs/1975741

Title:
  linux-oem-22.04(a) does not load MOK certificates

Status in linux-meta-oem-5.17 package in Ubuntu:
  New
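A check for the symptom reported above, as an added example that is not part of the original report: it parses `journalctl -k` text, groups the `integrity:` certificates by the keyring source the kernel names, and lists the certificates a second boot did not load. The function names are hypothetical, and the two sample logs are abridged from the logs in the report.

```python
import re
from collections import defaultdict

# "integrity: Loading X.509 certificate: <source>" names the keyring source
# (UEFI:db, UEFI:MokListRT ...) of the certificate reported on the next line.
SOURCE_RE = re.compile(
    r"kernel: integrity: Loading X\.509 certificate: (?P<source>.+?)\s*$")
# The subject may itself contain ": " ("Dell Inc.: Dell Bios DB Key"), so the key
# id is the last hex run. journalctl marks a line it cut short with ">".
CERT_RE = re.compile(
    r"kernel: integrity: Loaded X\.509 cert '(?P<subject>.+): "
    r"(?P<keyid>[0-9a-f]+)(?P<end>['>]?)\s*$")

# Sample input, abridged from the 5.15.0-33-generic log in the report.
GOOD_BOOT = """\
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
"""

# Sample input, abridged from the 5.17.0-1006-oem log in the report.
BAD_BOOT = """\
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
"""


def parse_platform_certs(log_text):
    """Return {source: [(subject, key_id, truncated), ...]} for 'integrity:' lines.

    Compiled-in certificates ("kernel: Loaded X.509 cert") and revocations are
    ignored: only certificates taken from firmware/shim keyrings are collected.
    """
    certs = defaultdict(list)
    source = None
    for line in log_text.splitlines():
        m = SOURCE_RE.search(line)
        if m:
            source = m.group("source")
            continue
        m = CERT_RE.search(line)
        if m:
            truncated = m.group("end") != "'"   # cut by journalctl, id is partial
            certs[source or "unknown"].append(
                (m.group("subject"), m.group("keyid"), truncated))
            source = None
    return dict(certs)


def mok_loaded(certs):
    """True if at least one certificate came from the MOK list."""
    return any(src.startswith("UEFI:MokListRT") and entries
               for src, entries in certs.items())


def missing_subjects(reference, candidate):
    """Subjects loaded in the reference boot but absent from the candidate boot."""
    def subjects(certs):
        return {s for entries in certs.values() for s, _, _ in entries}
    return sorted(subjects(reference) - subjects(candidate))


if __name__ == "__main__":
    good, bad = parse_platform_certs(GOOD_BOOT), parse_platform_certs(BAD_BOOT)
    print("MOK loaded (reference):", mok_loaded(good))
    print("MOK loaded (candidate):", mok_loaded(bad))
    for subject in missing_subjects(good, bad):
        print("not loaded in candidate boot:", subject)
```

Comparison is by subject rather than key id because `journalctl` truncates long lines; `journalctl -k --no-pager` output keeps the full ids.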