Public bug reported:

The shim shipped in Ubuntu suffers from a bug that does not allow propagating its keys into the Linux keyring. Thus at kexec_file_load time, the signature validation fails.
This is explained in these bugs/links:

https://github.com/rhboot/shim/pull/153
https://bugzilla.redhat.com/show_bug.cgi?id=1662929

This problem is in Ubuntu 16.04 as well as 18.04. There is a workaround; essentially by loading an additional cert into the MOK, the bug goes away.

lsb_release -rd
    Description: Ubuntu 18.04.3 LTS
    Release: 18.04

apt-cache policy shim-signed
    shim-signed:
      Installed: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
      Candidate: 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1
      Version table:
     *** 1.37~18.04.3+15+1533136590.3beb971-0ubuntu1 500
            500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.34.9+13-0ubuntu2 500
            500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

Expected to happen:
Canonical keys to be listed in the Linux keyring is enabled.
systemctl start kdump-tools.service is expected to succeed

What happened instead:
Canonical keys not in the Linux keyring, thus kdump fails to load/start.

systemctl start kdump-tools.service
systemctl status kdump-tools.service
    Aug 21 15:43:53 vm362 systemd[1]: Starting Kernel crash dump capture service...
    Aug 21 15:43:53 vm362 kdump-tools[980]: Starting kdump-tools: * Creating symlin
    Aug 21 15:43:53 vm362 kdump-tools[980]: * Creating symlink /var/lib/kdump/initr
    Aug 21 15:43:54 vm362 kdump-tools[980]: kexec_file_load failed: Required key not
    Aug 21 15:43:54 vm362 kdump-tools[980]: * failed to load kdump kernel

** Affects: shim-signed (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1840941

Title: kdump fails to start with secure boot enabled
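A check for the symptom reported above, as an added example that is not part of the bug report or of the shim project: it scans a /proc/keys-format listing for asymmetric keys whose description contains a vendor string. The function names and the sample listing (serials, key IDs) are constructed for illustration; it assumes the standard /proc/keys column layout.

```shell
#!/bin/sh
# Added example: find asymmetric keys from a given vendor in a
# /proc/keys-format listing. Function names are hypothetical.

# Constructed sample in /proc/keys layout (not captured from a real host).
# Columns: serial flags usage timeout perm uid gid type description
sample_keys() {
cat <<'EOF'
1a2b3c4d I------     1 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 1
2b3c4d5e I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: 0123456789abcdef: X509.rsa 89abcdef []
3c4d5e6f I------     1 perm 1f030000     0     0 asymmetri Canonical Ltd. Master Certificate Authority: fedcba9876543210: X509.rsa 76543210 []
4d5e6f70 I--Q---     2 perm 3f030000  1000  1000 user      Canonical-looking user key: 4
EOF
}

# Read a /proc/keys-format listing on stdin and print "serial<TAB>description"
# for every asymmetric key whose description contains $1 (case-insensitive).
vendor_keys() {
    awk -v pat="$1" '
        # Column 8 is the key type; the kernel prints it truncated to
        # 9 characters, so "asymmetric" appears as "asymmetri".
        $8 ~ /^asymmetri/ {
            desc = ""
            for (i = 9; i <= NF; i++) desc = desc (i > 9 ? " " : "") $i
            if (index(tolower(desc), tolower(pat)) > 0) print $1 "\t" desc
        }'
}

# Exit status 0 if at least one matching key is present, 1 otherwise.
has_vendor_key() {
    [ -n "$(vendor_keys "$1")" ]
}

# Demonstration on the constructed sample.
if sample_keys | has_vendor_key "Canonical"; then
    echo "vendor key present:"
    sample_keys | vendor_keys "Canonical"
else
    echo "no vendor key found; kexec_file_load signature checks may fail"
fi
```

On a live system, run `vendor_keys Canonical < /proc/keys` as root, since /proc/keys only lists keys the calling process is permitted to view.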