RHEL / RHEL-19245

Backport MokListTrusted efi variable in shim

Type: Bug
Resolution: Unresolved
Priority: Undefined
Component: mokutil
Team: rhel-sst-desktop-firmware-bootloaders
What were you trying to do that didn't work?

In order to use systemd-sysext initrd extensions, we need to sign an extension with some key that is part of the .machine keyring.

In order to add the MOK keys into .machine (by default they are inserted into .platform), the variable MokListTrusted needs to be set, according to

https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f

https://github.com/rhboot/shim/blob/4e513405b4f1641710115780d19dcec130c5208f/MokVars.txt#L81

Steps to reproduce

1. mokutil --trust-mok
2. reboot and follow mok menu to make key trusted
3. mokutil --import <yourkey>.der
4. reboot and follow mok menu to insert the key
5. verify the key is in .machine: keyctl show %:.machine

Expected results

key is in .machine keyring

Actual results

key is in .platform keyring
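The following script is an added example for this report; it is not part of the issue, of shim, or of mokutil. It scripts the two observations the reproduction steps depend on: whether shim has published the MOK-trusted flag, and whether an enrolled MOK key ended up in the .machine or the .platform keyring. It assumes that MokListTrustedRT is the runtime-readable copy of MokListTrusted that shim exposes under the shim lock GUID 605dab50-e046-4300-abb6-3dd810dd8b23 (the variable the kernel consults when deciding where MOK keys go), and the `keyctl show` listings embedded in it are constructed samples modelled on the "Actual results" above, not captured output.

```shell
#!/bin/sh
# Added example for RHEL-19245 (not part of the report, shim or mokutil).
# Checks (1) the MokListTrustedRT flag as exposed through efivarfs and
# (2) which kernel keyring holds a given MOK key, from `keyctl show` output.
#
# Assumptions: MokListTrustedRT is the runtime mirror of MokListTrusted under
# SHIM_LOCK_GUID; the keyctl listings below are constructed sample data.

SHIM_LOCK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23
EFIVARS_DIR="${EFIVARS_DIR:-/sys/firmware/efi/efivars}"

# mok_trusted_flag FILE
# Print the one-byte payload of a MokListTrustedRT efivarfs file in decimal.
# efivarfs prepends a 4-byte attribute word to every variable, so the payload
# starts at byte offset 4. Prints "absent" (and fails) when the file is missing,
# and "empty" when the file carries no payload byte.
mok_trusted_flag() {
    _f="$1"
    if [ ! -r "$_f" ]; then
        echo absent
        return 1
    fi
    _v=$(od -An -tu1 -j4 -N1 "$_f" | tr -d ' \n')
    echo "${_v:-empty}"
}

# locate_key DESC MACHINE_LISTING PLATFORM_LISTING
# Given the text of `keyctl show %:.machine` and `keyctl show %:.platform`,
# print "machine", "platform", "both" or "none" depending on where a key
# whose description contains DESC is listed.
locate_key() {
    _desc="$1"; _machine="$2"; _platform="$3"
    _in_m=0; _in_p=0
    printf '%s\n' "$_machine"  | grep -q -- "$_desc" && _in_m=1
    printf '%s\n' "$_platform" | grep -q -- "$_desc" && _in_p=1
    case "$_in_m$_in_p" in
        11) echo both ;;
        10) echo machine ;;
        01) echo platform ;;
        *)  echo none ;;
    esac
}

# Constructed listings reproducing the report's "Actual results": the enrolled
# MOK certificate is under .platform and .machine holds no keys.
MACHINE_SAMPLE='Keyring
 100000001 ---lswrv      0     0  keyring: .machine'
PLATFORM_SAMPLE='Keyring
 100000002 ---lswrv      0     0  keyring: .platform
 100000003 ---lswrv      0     0   \_ asymmetric: Example MOK Signing Key: 0123456789abcdef0123456789abcdef01234567'

# With no arguments, evaluate the constructed samples. With --live [DESC], query
# the running system instead (needs keyctl and a mounted efivarfs).
if [ "${1:-}" = --live ]; then
    echo "MokListTrustedRT: $(mok_trusted_flag "$EFIVARS_DIR/MokListTrustedRT-$SHIM_LOCK_GUID")"
    echo "key location: $(locate_key "${2:-MOK}" "$(keyctl show %:.machine)" "$(keyctl show %:.platform)")"
else
    echo "key location (sample): $(locate_key 'Example MOK Signing Key' "$MACHINE_SAMPLE" "$PLATFORM_SAMPLE")"
fi
```

Run with `--live 'Your Key Name'` after step 5 of the reproduction: a flag value of 1 together with a "platform" result is the state this report describes, while "absent" means the shim in use never published the variable at all, which is the backport gap the issue title refers to.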

People: bootloader-eng-team; Emanuele Giuseppe Esposito (eesposit@redhat.com); Oliver Gutiérrez Suárez