RHEL-4393

mokutil --db gives empty result when UEFI db is not empty

    • Bug
    • Resolution: Unresolved
    • rhel-9.3.0
    • mokutil
    • rhel-sst-desktop-firmware-bootloaders

      Description of problem:

      mokutil --db outputs nothing even though the UEFI db is not empty: the db certificates have been successfully loaded into the kernel's .platform keyring, as shown below.

      [root@ampere-mtsnow-altramax-56 ~]# mokutil --db

      The .platform keyring holds the MOK, the vendor certificate and the certificates from the UEFI db:

      1. Only one MOK key is enrolled:
        [root@ampere-mtsnow-altramax-56 ~]# mokutil --list-enrolled
        [key 1]
        SHA1 Fingerprint: cf:92:30:e6:90:00:07:67:27:e5:b7:84:ec:87:1d:22:71:6d:c5:da
        Certificate:
        Data:
        Version: 3 (0x2)
        Serial Number:
        ad:8e:19:64:68:34:ff:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert@redhat.com
        Subject: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert@redhat.com
      2. "Red Hat Secure Boot (CA key 1)" is the VENDOR_CERT built into shim.
      3. The remaining certificates come from the UEFI db:
        [root@ampere-mtsnow-altramax-56 ~]# keyctl show %:.platform
        Keyring
        908170642 ---lswrv 0 0 keyring: .platform
        361514782 ---lswrv 0 0 _ asymmetric: SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f
        281841880 ---lswrv 0 0 _ asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
        466944821 ---lswrv 0 0 _ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
        137624747 ---lswrv 0 0 _ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
        777544007 ---lswrv 0 0 _ asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
        797997726 ---lswrv 0 0 _ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63

      Version-Release number of selected component (if applicable):

      How reproducible:

      Always

      Steps to Reproduce:
      1. Install RHEL 9.3 on a UEFI machine with a non-empty factory-default db, e.g. ampere-mtsnow-altramax-56.khw4.lab.eng.bos.redhat.com
      2. Run mokutil --db

      Actual results:

      "mokutil --db" outputs nothing.

      Expected results:

      "mokutil --db" should list the certificates in UEFI db.

      Additional info:

      This can be reproduced on Fedora 38 and 39 as well.
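An independent way to confirm what the firmware db actually holds, without going through mokutil, is to read the db variable straight from efivarfs and walk its EFI_SIGNATURE_LIST chain. The script below is an added example written for this report, not code from mokutil or from the reporter; it assumes efivarfs is mounted at /sys/firmware/efi/efivars (read as root) and falls back to a constructed sample list, not a real certificate, when that node is absent.

```python
import hashlib
import struct
import uuid
# Signature type GUIDs from the UEFI spec (EFI_CERT_X509_GUID, EFI_CERT_SHA256_GUID).
SIG_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}
# efivarfs node for the Secure Boot db: <name>-<EFI_IMAGE_SECURITY_DATABASE_GUID>.
DB_EFIVAR = "/sys/firmware/efi/efivars/db-d719b2cb-3a3d-4645-a3bc-27b54d5f3f6f"

def parse_signature_lists(data):
    """Walk the chain of EFI_SIGNATURE_LIST structures in a db/dbx payload."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:  # each EFI_SIGNATURE_DATA = owner GUID + payload
            blob = bytes(data[pos + 16:pos + sig_size])
            # For x509 entries sha1 is taken over the DER, matching mokutil's "SHA1 Fingerprint".
            entries.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                            "owner": str(uuid.UUID(bytes_le=data[pos:pos + 16])),
                            "sha1": hashlib.sha1(blob).hexdigest()})
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, blobs):
    """Pack one EFI_SIGNATURE_LIST (all blobs share one size); used to build sample data."""
    body = b"".join(owner.bytes_le + b for b in blobs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(blobs[0])) + body

def read_db(path=DB_EFIVAR):
    """efivarfs prefixes the variable payload with a 4-byte attributes word; strip it."""
    with open(path, "rb") as f:
        return f.read()[4:]

if __name__ == "__main__":
    try:
        payload = read_db()
    except OSError:  # no efivarfs on this host: fall back to a constructed sample (not a real cert)
        payload = build_signature_list(next(iter(SIG_TYPES)), uuid.UUID(int=1), [b"\x30\x82\x01\x00" + b"A" * 20])
    for e in parse_signature_lists(payload):
        print(f"[{e['type']}] owner={e['owner']} sha1={e['sha1']}")
```

If this script lists x509 entries on the affected machine while mokutil --db stays silent, the firmware db is populated and the defect lies in how mokutil reads or prints the variable.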

              bootloader-eng-team
              Coiby Xu (coxu@redhat.com)