[Bug 1993646] Re: MOK-enrolled Secure Boot keys are not saved on the installed system when doing an OEM installation

Steve Langasek 1993646 at bugs.launchpad.net
Fri Oct 21 01:58:05 UTC 2022


Files being preserved or not in OEM mode is ubiquity, not shim;
reassigning.

However, I'm not sure we WANT mok keys to be kept in OEM mode.  Part of
the intent of OEM mode is that the resulting disk image could then be
copied between multiple systems.  You would certainly not want all
customer systems to have access to a single private key that can be used
to sign kernel modules for all other customer systems.  If anything, I
think the bug here is probably that OEM lets you enroll a MOK key at all
rather than blocking this (and saving an additional reboot).

** Package changed: shim-signed (Ubuntu) => ubiquity (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to ubiquity in Ubuntu.
https://bugs.launchpad.net/bugs/1993646

Title:
  MOK-enrolled Secure Boot keys are not saved on the installed system
  when doing an OEM installation

Status in ubiquity package in Ubuntu:
  New

Bug description:
  Steps to reproduce:

  1: Enable Secure Boot.
  2: Install the latest Ubuntu Kinetic ISO using the OEM installation option. Make sure to allow the installation of proprietary drivers and choose to configure Secure Boot.
  3: Reboot and do the key enrollment with mokutil.
  4: Reboot again, open a terminal, and run "ls /var/lib/shim-signed/mok". Then prepare the system for the end user (double-clicking the shortcut on the desktop).
  5: Reboot again, then finish setup.
  6: Run "ls /var/lib/shim-signed/mok" again.

  Expected result: The files "MOK.priv" and "MOK.der" should be shown
  with each "ls" command.

  Actual result: The listed directory is empty both times.

  Notes:

  This did NOT happen to me on a non-OEM installation. I noticed it
  attempting to manually sign a driver while grappling with bug 1991725.
  It probably will interfere with the use of DKMS modules even if they
  get installed and signed properly the first time.

  For some reason "ubuntu-bug shim-signed" thought that shim-signed
  wasn't an official Ubuntu package, so I'm reporting this without using
  ubuntu-bug. I can provide any desired log files from the test system
  upon request.

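Added example, not from this thread or from shim/ubiquity: a shell simulation of the risk Steve describes in his comment above. It builds a constructed OEM image carrying a MOK key pair under /var/lib/shim-signed/mok, clones it to two "customer" systems, and shows that a blob signed with one clone's MOK.priv verifies against the other clone's MOK.der; plain openssl signing stands in for kernel-module signing, and openssl must be installed.

```shell
#!/bin/sh
# Constructed scenario: an OEM image that still contains the MOK key pair,
# cloned to two customer systems. Every path below is created under a temp dir.
set -e
WORK=$(mktemp -d)
IMAGE="$WORK/image"
MOKDIR="var/lib/shim-signed/mok"
mkdir -p "$IMAGE/$MOKDIR"

# Constructed key pair standing in for the one generated at driver install time.
openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed MOK" \
  -keyout "$IMAGE/$MOKDIR/MOK.priv" -outform DER -out "$IMAGE/$MOKDIR/MOK.der" \
  2>/dev/null

# "Ship" the image: each customer system gets a byte-for-byte copy.
cp -r "$IMAGE" "$WORK/customer-a"
cp -r "$IMAGE" "$WORK/customer-b"

# sign_blob ROOT FILE: writes FILE.sig using that system's MOK.priv
sign_blob() {
  openssl dgst -sha256 -sign "$1/$MOKDIR/MOK.priv" -out "$2.sig" "$2"
}

# verify_blob ROOT FILE: returns 0 if FILE.sig verifies against that system's MOK.der
verify_blob() {
  openssl x509 -inform DER -in "$1/$MOKDIR/MOK.der" -pubkey -noout > "$1/mok.pub"
  openssl dgst -sha256 -verify "$1/mok.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# mok_private_key_present ROOT: returns 0 if the tree would hand MOK.priv to every clone
mok_private_key_present() {
  [ -f "$1/$MOKDIR/MOK.priv" ]
}

# strip_mok_private_key ROOT: what an image-preparation step would do before cloning
strip_mok_private_key() {
  rm -f "$1/$MOKDIR/MOK.priv"
}
```

With the private key present in the image, customer-b trusts whatever customer-a signs; after strip_mok_private_key, new clones no longer carry a shared signing key.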