Yes, and it all goes well in the secure-boot VM. As this covers the testing in the bug description, changing verification tags to done.

Thanks.

Procedure
=========

Generate x509 certificate:
---
# openssl genrsa -out key.pem 4096
# openssl req -new -sha256 -key key.pem -out csr.csr
# openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out cert.pem
# openssl x509 -in cert.pem -outform der -out cert.der

Key Enrollment:
---
# mokutil --import cert.der
# reboot
< MOK management menu, enroll key, reboot >
# cat /proc/keys   # that key is listed

Toggling Validation (Secure Boot State)
---
1) Disable
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument
# mokutil --disable-validation
# reboot
< MOK management menu, change secure boot state to disabled, reboot >
# cat /proc/keys   # does not list secure-boot related keys anymore
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23
# hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-*   # the last byte is 1
00000000  06 00 00 00 01                                    |.....|

2) Enable
# mokutil --enable-validation
# reboot
< MOK management menu, change secure boot state to enabled, reboot >
# cat /proc/keys   # lists secure-boot related keys and cert.der
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

Toggling Validation and Enrolling
---
# mokutil --disable-validation
# reboot
< MOK management menu, change secure boot state to disabled, reboot >
# ... generate another x509 certificate (see above)
# mokutil --import cert.der
# mokutil --enable-validation
# reboot
< MOK management menu, enroll key, change secure boot state to enabled, reboot >
# cat /proc/keys   # the new key is listed
# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty

--
Title: shim can't enable validation and enroll keys in one sitting
https://bugs.launchpad.net/bugs/1708245
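An added defender-side check, not part of the bug report above: it reads the MokSBStateRT efivar that the procedure inspects with hexdump and reports whether shim validation is currently disabled. It relies on the efivarfs layout shown in the dump (4 attribute bytes followed by the variable payload, last byte 1 when validation is off) and on the variable being absent when validation is on; the EFIVARS path override and the function names are assumptions for offline testing.

```shell
# Added example, not from the bug report. The efivarfs file layout
# (4 attribute bytes, then the payload) is taken from the hexdump in
# the comment above; EFIVARS can be overridden to point at a test dir.
EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
MOK_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"

# mok_payload_byte FILE: print the first payload byte (offset 4, after
# the efivarfs attribute header) as a decimal number; fail if unreadable.
mok_payload_byte() {
    [ -r "$1" ] || return 1
    od -An -tu1 -j4 -N1 "$1" | tr -d ' \n'
}

# mok_validation_state: "disabled" when MokSBStateRT exists with payload 1
# (shim is skipping signature checks), "enabled" otherwise. The variable
# is simply absent when validation is on, as the ls errors above show.
mok_validation_state() {
    f="$EFIVARS/MokSBStateRT-$MOK_GUID"
    if [ -e "$f" ] && [ "$(mok_payload_byte "$f")" = "1" ]; then
        echo disabled
    else
        echo enabled
    fi
}

mok_validation_state
```

Run it as root on the target after each reboot in the procedure; "disabled" after `mokutil --enable-validation` plus the MOK menu step would reproduce the problem this bug describes.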
