Public bug reported:

I'm not sure if this would be filed under linux, mokutil, efitools or whatever 
package handles the system keyring (methinks linux).
My related thread: http://ubuntuforums.org/showthread.php?t=2280063&p=13296983

There is only ONE key in the system_keyring
$ sudo keyctl list %:.system_keyring
*****
1 key in keyring:
506366910: ---lswrv     0     0 asymmetric: Magrathea: Glacier signing key: 084a8d7d7040cfda9434734a2c4fd9135026b772
*****

Not even the Canonical Mok is in the ring, nor the rest of the secure-boot keys.
$ sudo mokutil --list-enrolled
*****
[key 1]
SHA1 Fingerprint: e1:65:d2:54:9f:e4:df:5a:be:c3:03:42:3c:f5:6a:97:e1:aa:69:1d
//mine

[key 2]
SHA1 Fingerprint: 4e:ce:a3:2f:f1:e8:91:ee:e9:35:eb:27:63:43:04:96:57:83:13:13
//mine

[key 3]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
//Canonical
*****

EFI packages know the secure-boot keys are there, but won't recognize any Moks 
having been enrolled.
$ sudo efi-readvar 
*****
Variable PK, length 639
PK: List 0, type X509
    Signature 0, size 611, owner eea2f5d2-c835-4e8c-ae00-c1605a53bb43
        Subject:
            CN=ASOCK - PK
        Issuer:
            CN=Root Agency
Variable KEK, length 1560
KEK: List 0, type X509
    Signature 0, size 1532, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Variable db, length 3143
db: List 0, type X509
    Signature 0, size 1515, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
db: List 1, type X509
    Signature 0, size 1572, owner 77fa9abd-0359-4d32-bd60-28f4e78f784b
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
Variable dbx, length 76
dbx: List 0, type SHA256
    Signature 0, size 48, owner 26dc4851-195f-4ae1-9a19-fbf883bbb35e
        Hash:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Variable MokList has no entries
*****

My expectation: 
http://docs.fedoraproject.org/en-US/Fedora/21/html/System_Administrators_Guide/sect-kernel-module-authentication.html
All secure-boot keys would be loaded in the system_keyring.

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: linux-image-3.19.0-20-generic 3.19.0-20.20
ProcVersionSignature: Ubuntu 3.19.0-20.20-generic 3.19.8
Uname: Linux 3.19.0-20-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.1
Architecture: amd64
AudioDevicesInUse:
 USER        PID ACCESS COMMAND
 /dev/snd/controlC1:  nater      1772 F.... pulseaudio
 /dev/snd/controlC0:  nater      1772 F.... pulseaudio
Date: Wed Jun  3 01:44:33 2015
EcryptfsInUse: Yes
HibernationDevice: RESUME=UUID=cb697e57-b770-47d0-9629-add00e16ddd2
InstallationDate: Installed on 2015-05-31 (2 days ago)
InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422)
MachineType: To Be Filled By O.E.M. To Be Filled By O.E.M.
ProcEnviron:
 LANGUAGE=en_US
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-3.19.0-20-generic.efi.signed root=/dev/mapper/ubuntu--vg-root ro quiet splash vt.handoff=7
PulseList:
 Error: command ['pacmd', 'list'] failed with exit code 1: Home directory not accessible: Permission denied
 No PulseAudio daemon running, or not running as session daemon.
RelatedPackageVersions:
 linux-restricted-modules-3.19.0-20-generic N/A
 linux-backports-modules-3.19.0-20-generic  N/A
 linux-firmware                             1.143.1
SourcePackage: linux
UdevLog: Error: [Errno 2] No such file or directory: '/var/log/udev'
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 12/15/2014
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: P1.50
dmi.board.name: H97M-ITX/ac
dmi.board.vendor: ASRock
dmi.chassis.asset.tag: To Be Filled By O.E.M.
dmi.chassis.type: 3
dmi.chassis.vendor: To Be Filled By O.E.M.
dmi.chassis.version: To Be Filled By O.E.M.
dmi.modalias: 
dmi:bvnAmericanMegatrendsInc.:bvrP1.50:bd12/15/2014:svnToBeFilledByO.E.M.:pnToBeFilledByO.E.M.:pvrToBeFilledByO.E.M.:rvnASRock:rnH97M-ITX/ac:rvr:cvnToBeFilledByO.E.M.:ct3:cvrToBeFilledByO.E.M.:
dmi.product.name: To Be Filled By O.E.M.
dmi.product.version: To Be Filled By O.E.M.
dmi.sys.vendor: To Be Filled By O.E.M.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: amd64 apport-bug package-from-proposed vivid

https://bugs.launchpad.net/bugs/1461412

Title:
  Mok Not In System Keyring
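
A heuristic check for the mismatch the report describes, as an added example that is not part of the original report: it parses `efi-readvar` and `keyctl list` output and returns the firmware certificates whose CN appears in no keyring description. Matching by CN substring is an assumption based on the description format of the one key shown in the report, and the function names are hypothetical.

```python
import re

# Output copied from the report and trimmed; one Subject is split over
# two lines to show that mail-wrapped output is still parsed.
KEYCTL_OUT = """\
1 key in keyring:
506366910: ---lswrv     0     0 asymmetric: Magrathea: Glacier signing key: 084a8d7d7040cfda9434734a2c4fd9135026b772
"""
EFI_READVAR_OUT = """\
Variable PK, length 639
PK: List 0, type X509
        Subject:
            CN=ASOCK - PK
        Issuer:
            CN=Root Agency
Variable db, length 3143
db: List 1, type X509
        Subject:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
CN=Microsoft Corporation UEFI CA 2011
        Issuer:
            C=US, ST=Washington, L=Redmond, O=Microsoft Corporation,
CN=Microsoft Corporation Third Party Marketplace Root
Variable MokList has no entries
"""

def firmware_subjects(text):
    """Return [(variable, subject CN)] for each X509 entry in efi-readvar output."""
    out, var, buf = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Variable "):
            var = s.split()[1].rstrip(",")      # "PK," -> "PK"
        elif s == "Subject:":
            buf = []                            # start collecting subject lines
        elif s == "Issuer:" and buf is not None:
            joined = " ".join(buf)              # re-join a wrapped subject
            cn = re.search(r"CN=(.+)", joined)
            out.append((var, cn.group(1) if cn else joined))
            buf = None                          # issuer lines are ignored
        elif buf is not None:
            buf.append(s)
    return out

def missing_from_keyring(efi_text, keyctl_text):
    """Firmware certs whose CN is in no asymmetric key description (heuristic)."""
    descs = re.findall(r"asymmetric: (.+)", keyctl_text)
    return [(v, cn) for v, cn in firmware_subjects(efi_text)
            if not any(cn in d for d in descs)]

if __name__ == "__main__":
    print(missing_from_keyring(EFI_READVAR_OUT, KEYCTL_OUT))
```

On a live system the two inputs would be the output of `sudo efi-readvar` and `sudo keyctl list %:.system_keyring`, the commands used in the report.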
