[Bug 1993646] Re: MOK-enrolled Secure Boot keys are not saved on the installed system when doing an OEM installation
Aaron Rainbolt
1993646 at bugs.launchpad.net
Thu Oct 20 12:05:54 UTC 2022
** Description changed:
Steps to reproduce:
1: Enable Secure Boot.
2: Install the latest Ubuntu Kinetic ISO using the OEM installation option. Make sure to allow the installation of proprietary drivers and choose to configure Secure Boot.
3: Reboot and do the key enrollment with mokutil.
- 4: Reboot again, then prepare the system for use by the end user (just double-click the shortcut), then reboot again.
- 5: Finish setup.
- 6: Run "ls /var/lib/shim-signed/mok".'
+ 4: Reboot again, open a terminal, and run "ls /var/lib/shim-signed/mok".
Expected result: The files "MOK.priv" and "MOK.der" should be shown.
Actual result: The listed directory is empty.
Notes:
This did NOT happen to me on a non-OEM installation. I noticed it
attempting to manually sign a driver while grappling with bug 1991725.
It probably will interfere with the use of DKMS modules even if they get
installed and signed properly the first time.
For some reason "ubuntu-bug shim-signed" thought that shim-signed wasn't
an official Ubuntu package, so I'm reporting this without using ubuntu-
bug. I can provide any desired log files from the test system upon
request.
** Description changed:
Steps to reproduce:
1: Enable Secure Boot.
2: Install the latest Ubuntu Kinetic ISO using the OEM installation option. Make sure to allow the installation of proprietary drivers and choose to configure Secure Boot.
3: Reboot and do the key enrollment with mokutil.
- 4: Reboot again, open a terminal, and run "ls /var/lib/shim-signed/mok".
+ 4: Reboot again, open a terminal, and run "ls /var/lib/shim-signed/mok". Then prepare the system for the end user (double-clicking the shortcut on the desktop).
+ 5: Reboot again, then finish setup.
+ 6: Run "ls /var/lib/shim-signed/moK" again.
- Expected result: The files "MOK.priv" and "MOK.der" should be shown.
+ Expected result: The files "MOK.priv" and "MOK.der" should be shown with
+ each "ls" command.
- Actual result: The listed directory is empty.
+ Actual result: The listed directory is empty both times.
Notes:
This did NOT happen to me on a non-OEM installation. I noticed it
attempting to manually sign a driver while grappling with bug 1991725.
It probably will interfere with the use of DKMS modules even if they get
installed and signed properly the first time.
For some reason "ubuntu-bug shim-signed" thought that shim-signed wasn't
an official Ubuntu package, so I'm reporting this without using ubuntu-
bug. I can provide any desired log files from the test system upon
request.
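Review bot: the added step 6 spells the path "/var/lib/shim-signed/moK" with a capital K, while step 4 uses "/var/lib/shim-signed/mok". On a case-sensitive filesystem these are different paths, and listing a nonexistent directory gives an error rather than the empty listing stated under "Actual result", so step 6 should read "ls /var/lib/shim-signed/mok".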
--
https://bugs.launchpad.net/bugs/1993646
Title:
MOK-enrolled Secure Boot keys are not saved on the installed system
when doing an OEM installation
Status in shim-signed package in Ubuntu:
New
Bug description:
Steps to reproduce:
1: Enable Secure Boot.
2: Install the latest Ubuntu Kinetic ISO using the OEM installation option. Make sure to allow the installation of proprietary drivers and choose to configure Secure Boot.
3: Reboot and do the key enrollment with mokutil.
4: Reboot again, open a terminal, and run "ls /var/lib/shim-signed/mok". Then prepare the system for the end user (double-clicking the shortcut on the desktop).
5: Reboot again, then finish setup.
6: Run "ls /var/lib/shim-signed/mok" again.
Expected result: The files "MOK.priv" and "MOK.der" should be shown
with each "ls" command.
Actual result: The listed directory is empty both times.
Notes:
This did NOT happen to me on a non-OEM installation. I noticed it
attempting to manually sign a driver while grappling with bug 1991725.
It probably will interfere with the use of DKMS modules even if they
get installed and signed properly the first time.
For some reason "ubuntu-bug shim-signed" thought that shim-signed
wasn't an official Ubuntu package, so I'm reporting this without using
ubuntu-bug. I can provide any desired log files from the test system
upon request.
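A check for the condition described in this report, as an added example that is not part of the original bug report or of the shim-signed package. The directory and file names come from the report; the function names, status strings and the permission check are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Path and file names come from the report; function
# names and status strings are assumptions made for this illustration.

# Print one status word for DIR; return 0 only when a usable key pair is there.
check_mok_dir() {
    dir="${1:-/var/lib/shim-signed/mok}"
    priv="$dir/MOK.priv"
    der="$dir/MOK.der"

    if [ ! -d "$dir" ]; then
        echo "no-directory"; return 3
    fi
    # The state described in the report: directory exists, both files absent.
    if [ ! -s "$priv" ] && [ ! -s "$der" ]; then
        echo "keys-missing"; return 2
    fi
    if [ ! -s "$priv" ] || [ ! -s "$der" ]; then
        echo "keypair-incomplete"; return 2
    fi
    # Added hygiene check: the signing key should carry no group/other bits.
    perms=$(ls -ld "$priv" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "private-key-exposed"; return 1
    fi
    echo "keys-present"
}

# Report the on-disk state and, when possible, ask mokutil whether the
# on-disk certificate is the one enrolled in the firmware MOK list.
report_mok_state() {
    dir="${1:-/var/lib/shim-signed/mok}"
    state=$(check_mok_dir "$dir") || true
    echo "on-disk state: $state"
    if [ -s "$dir/MOK.der" ] && command -v mokutil >/dev/null 2>&1; then
        mokutil --test-key "$dir/MOK.der" || true
    fi
    [ "$state" = "keys-present" ]
}

# Run the report only when asked, so the file can also be sourced.
if [ "${1:-}" = "--report" ]; then
    report_mok_state "${2:-}"
fi
```

Running it with `--report` after each reboot in the reproduction steps shows at which stage the key pair goes missing.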