Following up on the tests for comment #12: the same test kernel v5.14.0-rc7, signed with the originally created key in /var/lib/shim-signed/test_kernel, will not boot up; it fails with the invalid signature error.

Comparing the keys between /var/lib/shim-signed/test_kernel and comment #12 (/var/lib/test_ker/), the failing one (in /var/lib/shim-signed/test_kernel) has the (1.3.6.1.4.1.2312.16.1.2) KeyUsage OID. It seems that using the "Module-signing only" (1.3.6.1.4.1.2312.16.1.2) KeyUsage OID to sign the test kernel is what causes signature verification to fail.

@YC I know the OEM projects are based on my EFI application and script to generate/enroll MOK keys for test kernels, https://github.com/Ivanhu5866/MokEnrollKey/blob/master/mok_testkernel_key.sh
Could you provide the exact script showing how the MOK has been generated/enrolled, and maybe the openssl.cnf, for checking?

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1939565

Title: kernel signed by mok failed to boot if secure boot is on
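A defender-side check for the condition described in the comment above, added here as an example and not part of the bug thread or the MokEnrollKey project: it DER-encodes the "Module-signing only" OID 1.3.6.1.4.1.2312.16.1.2 and looks for it inside the extendedKeyUsage extension of a DER-encoded MOK certificate, so an enrolled key can be screened before a kernel is signed with it. The `sample_extension` helper builds a constructed stand-in (a single X.509 Extension, not a real certificate) for offline testing; pass the bytes of a real `.der` MOK to `has_module_signing_only_eku` in practice.

```python
MODULE_SIGNING_ONLY = "1.3.6.1.4.1.2312.16.1.2"   # the EKU found on the failing MOK
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"                # id-kp-codeSigning, the usual boot EKU
EXT_KEY_USAGE = "2.5.29.37"                       # id-ce-extKeyUsage (extnID)

def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV; short-form length is enough for these samples."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def encode_oid(oid: str) -> bytes:
    """DER-encode a dotted OID: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # low 7 bits, continuation bit clear
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))      # higher groups carry the 0x80 bit
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def eku_value(cert_der: bytes) -> bytes:
    """Return the raw SEQUENCE OF KeyPurposeId from extKeyUsage, or b'' if absent."""
    ext_id = encode_oid(EXT_KEY_USAGE)
    idx = cert_der.find(ext_id)                    # byte search for extnID inside the DER
    if idx < 0:
        return b""
    tag, start, end = read_tlv(cert_der, idx + len(ext_id))
    if tag == 0x01:                                # optional 'critical' BOOLEAN comes first
        tag, start, end = read_tlv(cert_der, end)
    return cert_der[start:end] if tag == 0x04 else b""   # extnValue is an OCTET STRING

def has_module_signing_only_eku(cert_der: bytes) -> bool:
    """True when the certificate carries the Module-signing only EKU from the bug."""
    return encode_oid(MODULE_SIGNING_ONLY) in eku_value(cert_der)

def sample_extension(*purposes: str, critical: bool = False) -> bytes:
    """Constructed sample, not a real certificate: one Extension with extKeyUsage."""
    flag = der(0x01, b"\xff") if critical else b""
    purposes_seq = der(0x30, b"".join(encode_oid(p) for p in purposes))
    return der(0x30, encode_oid(EXT_KEY_USAGE) + flag + der(0x04, purposes_seq))
```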