OEM Priority Project

5.17 kernel won't load mok, so it refused to load dkms signed by mok

Bug #1969432 reported by Yuan-Chen Cheng
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OEM Priority Project
Fix Released
Critical
Yuan-Chen Cheng
linux (Ubuntu)
Incomplete
Undecided
Unassigned
linux-oem-5.17 (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

lp:1972802

Steps to reproduce:

1. enroll mok, and use the mok to sign dkms
2. make sure secure boot is on, and boots with kernel
3. load the kernel by either modprobe or insmod.

Expected:
the kernel module can be loaded.

Actually:
the kernel module can't be loaded.

Failed kernel: 5.17.0-1003-oem
Passed kernel: 5.15.0-25-generic

With 5.17 kernel, using command "dmesg | grep 509", I can't see the mok key.
With 5.15 kernel above, I can see the mok key is loaded like:

[ 0.896168] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 0.896283] integrity: Loaded X.509 cert 'ubuntu Secure Boot Module Signature key: 670bc7d76f65d9cfc786f5501de6af89bf3973e7'

See original description
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

dmesg for 5.15 kernel.

information type: Proprietary → Public
tags: added: oem-priority
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

dmesg for 5.17 kernel.

Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
assignee: Yuan-Chen Cheng (ycheng-twn) → nobody
Yuan-Chen Cheng (ycheng-twn)
tags: added: originate-from-1969557 somerville
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

is there a bug reported upstream yet?

Revision history for this message
Timo Aaltonen (tjaalton) wrote :

seems this just needs a config change? from the private bug:

"This is due to the patch "[patch] integrity: Do not load MOK and MOKx when secure boot be disabled" was added to check if secureboot enabled for trusting the MOK key,
https://lore<email address hidden>/T/

Unfortunately, the checking function, arch_ima_get_secureboot(), needs the config,
CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y and it's dependency CONFIG_IMA_ARCH_POLICY
"

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1969432

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

the fix is not in 5.17.0-1004-oem yet.

AceLan Kao (acelankao)
Changed in linux-oem-5.17 (Ubuntu):
importance: Undecided → Critical
importance: Critical → Undecided
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
Yuan-Chen Cheng (ycheng-twn)
description: updated
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

bug verified passed with linux-oem-22.04 5.17.0.1009.9 in jammy-proposed

Changed in oem-priority:
status: Confirmed → Fix Committed
Yuan-Chen Cheng (ycheng-twn)
Changed in oem-priority:
status: Fix Committed → Fix Released
Changed in linux-oem-5.17 (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.