This is due to the patch "[patch] integrity: Do not load MOK and MOKx when
secure boot be disabled", which was added to check if secure boot is enabled
for trusting the MOK key:
https://lore.kernel.org/lkml/9b93e099fc6ee2a56d70ed338cd79f2c1ddcffa5.ca...@linux.ibm.com/T/

Unfortunately, the checking function, arch_ima_get_secureboot(), needs the
config CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y and its dependency
CONFIG_IMA_ARCH_POLICY.

https://bugs.launchpad.net/oem-priority/+bug/1972802

https://bugs.launchpad.net/bugs/1981449

Title:
  5.19 kernel does not load MOK keys

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  The 5.19 kernel only reads the db and dbx keys:

  jak@jak-t480s:~:master$ journalctl -b -1 -k | grep integrity
  Jul 09 21:34:14 jak-t480s kernel: integrity: Platform Keyring initialized
  Jul 09 21:34:14 jak-t480s kernel: integrity: Machine keyring initialized
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jul 09 21:34:14 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-uefi-team/ubuntu/ppa UEFI: 131b868222e85383c2e71ae489372ffac6ce29ed'
  Jul 09 21:34:14 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
  Jul 09 21:34:14 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx


  The 5.15 kernel also loads the mok keys

  jak@jak-t480s:~:master$ journalctl -b -2 -k | grep integrity
  Jun 27 23:10:55 jak-t480s kernel: integrity: Platform Keyring initialized
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo Ltd.: ThinkPad Product CA 2012: 838b1f54c1550463f45f98700640f11069265949'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:db
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-uefi-team/ubuntu/ppa UEFI: 131b868222e85383c2e71ae489372ffac6ce29ed'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
  Jun 27 23:10:55 jak-t480s kernel: integrity: Revoking X.509 certificate: UEFI:dbx
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'jak-t480s Secure Boot Module Signature key: ac5ed055ca0a71e3a2343dd42d5afe0cffdd3ef8'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'jak-t480s Secure Boot Module Signature key: dc4bc63447738df295a67d455ef7ea0eb3e14945'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ci-train-ppa-service/ubuntu/4093 UEFI: bbfd16fec6b3ba059a0f011203a5cd493a4529b7'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert 'UEFI key for ~ubuntu-uefi-team/ubuntu/ppa UEFI: 131b868222e85383c2e71ae489372ffac6ce29ed'
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
  Jun 27 23:10:55 jak-t480s kernel: integrity: Loaded X.509 cert '4845da95ac2b4c1ba5f604ff45a89d83 db: 34c5d6debab4133cf0b663f5799e580f31f594c1'

  ProblemType: Bug
  DistroRelease: Ubuntu 22.10
  Package: linux-image-5.19.0-9-generic 5.19.0-9.9
  ProcVersionSignature: Ubuntu 5.19.0-9.9-generic 5.19.0-rc5
  Uname: Linux 5.19.0-9-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.22.0-0ubuntu4
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC2:  jak        3308 F.... wireplumber
   /dev/snd/controlC1:  jak        3308 F.... wireplumber
   /dev/snd/controlC0:  jak        3308 F.... wireplumber
   /dev/snd/seq:        jak        3291 F.... pipewire
  CasperMD5CheckResult: unknown
  CurrentDesktop: GNOME
  Date: Tue Jul 12 15:40:34 2022
  HibernationDevice: RESUME=none
  InstallationDate: Installed on 2018-03-14 (1580 days ago)
  InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Alpha amd64 (20180313)
  MachineType: LENOVO 20L8S02D00
  ProcFB: 0 i915drmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-5.19.0-9-generic root=/dev/mapper/ubuntu--vg-root ro rootflags=subvol=@ quiet splash zswap.enabled=1 zswap.compressor=zstd zswap.max_pool_percent=20 zswap.zpool=z3fold vt.handoff=7
  PulseList: Error: command ['pacmd', 'list'] failed with exit code 1: No PulseAudio daemon running, or not running as session daemon.
  RelatedPackageVersions:
   linux-restricted-modules-5.19.0-9-generic N/A
   linux-backports-modules-5.19.0-9-generic  N/A
   linux-firmware                            20220711.gitdfa29317-0ubuntu1
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 08/11/2021
  dmi.bios.release: 1.47
  dmi.bios.vendor: LENOVO
  dmi.bios.version: N22ET70W (1.47 )
  dmi.board.asset.tag: Not Available
  dmi.board.name: 20L8S02D00
  dmi.board.vendor: LENOVO
  dmi.board.version: Not Defined
  dmi.chassis.asset.tag: No Asset Information
  dmi.chassis.type: 10
  dmi.chassis.vendor: LENOVO
  dmi.chassis.version: None
  dmi.ec.firmware.release: 1.22
  dmi.modalias: dmi:bvnLENOVO:bvrN22ET70W(1.47):bd08/11/2021:br1.47:efr1.22:svnLENOVO:pn20L8S02D00:pvrThinkPadT480s:rvnLENOVO:rn20L8S02D00:rvrNotDefined:cvnLENOVO:ct10:cvrNone:skuLENOVO_MT_20L8_BU_Think_FM_ThinkPadT480s:
  dmi.product.family: ThinkPad T480s
  dmi.product.name: 20L8S02D00
  dmi.product.sku: LENOVO_MT_20L8_BU_Think_FM_ThinkPad T480s
  dmi.product.version: ThinkPad T480s
  dmi.sys.vendor: LENOVO
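
Added example (not part of the bug report, and not Ubuntu or kernel tooling): a shell check that combines the two observations above, the absence of UEFI:MokListRT lines in the integrity log and the two kernel config options named in the comment. The function names, verdict strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not taken from a real host.

# Count "Loading X.509 certificate" lines for one source label in a kernel log.
count_source() {  # $1 = label such as UEFI:db or UEFI:MokListRT, $2 = log file
    awk -v src="$1" '
        /integrity: Loading X\.509 certificate: / {
            s = $0
            sub(/.*Loading X\.509 certificate: /, "", s)
            # Exact label, optionally followed by " (MOKvar table)" and the like.
            if (s == src || index(s, src " ") == 1) n++
        }
        END { print n + 0 }' "$2"
}

# True when a kernel config file has the option built in (=y).
config_enabled() {  # $1 = option name, $2 = config file
    grep -q "^$1=y\$" "$2"
}

# Print one verdict line for a kernel log plus the config of the kernel that wrote it.
diagnose() {  # $1 = log file, $2 = config file
    if [ "$(count_source UEFI:MokListRT "$1")" -gt 0 ]; then
        echo "mok-loaded"; return 0
    fi
    for opt in CONFIG_IMA_ARCH_POLICY CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT; do
        if ! config_enabled "$opt" "$2"; then
            echo "mok-missing: $opt not set"; return 0
        fi
    done
    # Config is fine: secure boot may be off, or no MOK is enrolled.
    echo "mok-missing: config ok"
}

# Write a constructed log and config pair into directory $1.
make_samples() {
    p='Jan 01 00:00:00 host kernel: integrity:'
    printf '%s\n' "$p Loading X.509 certificate: UEFI:db" \
        "$p Revoking X.509 certificate: UEFI:dbx" > "$1/log.bad"
    { cat "$1/log.bad"
      echo "$p Loading X.509 certificate: UEFI:MokListRT (MOKvar table)"
    } > "$1/log.good"
    echo '# CONFIG_IMA_ARCH_POLICY is not set' > "$1/config.bad"
    printf '%s\n' CONFIG_IMA_ARCH_POLICY=y \
        CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y > "$1/config.good"
}

dir=$(mktemp -d)
make_samples "$dir"
diagnose "$dir/log.bad" "$dir/config.bad"
diagnose "$dir/log.good" "$dir/config.good"
rm -rf "$dir"
```

On a real system, save the output of `journalctl -b -k` to a file and pass it with `/boot/config-$(uname -r)` as the second argument to `diagnose`.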
