Public bug reported:

A certificate imported via mokutil --import and successfully enrolled using the interactive MokManager screen is being loaded into the kernel's .platform keyring instead of the expected .machine keyring. Allowing user-enrolled MOK keys to enter the .platform keyring bypasses the security boundary between the two keyrings and could enable unauthorized trust for third-party modules or components under the guise of the Platform Key.
I was able to reproduce this behavior in an LXD VM running Ubuntu 24.04. Documentation about this behavior can be found at 'https://ima-doc.readthedocs.io/en/latest/ima-concepts.html#keyrings'.

Environment

  Host OS:  Ubuntu 24.04
  Guest OS: Ubuntu 24.04 (VM launched with LXD)
  Kernel:   6.8.0-86-generic

Package versions

  mokutil  - 0.6.0-2build3
  openssl  - 3.0.13-0ubuntu3.6
  keyutils - 1.6.3-3build1

Steps to reproduce

1. Generate a self-signed certificate and export it in DER format:

     openssl req -x509 -new -nodes -keyout custom_ima_ca.key -out custom_ima_ca.crt -days 365 -subj "/C=US/ST=Test/L=Test/O=Test/CN=custom_ima_ca"
     openssl x509 -in custom_ima_ca.crt -outform der -out custom_ima_ca.der

2. Create an enrollment request for your new certificate:

     mokutil --import custom_ima_ca.der

3. Reboot the VM:

     reboot

4. During the boot process, enter a console on the VM by running the following command on the host:

     lxc console <VM-NAME> --type=vga

5. Enroll the certificate in the MokManager screen:

     - Select "Enroll MOK"
     - Select "Continue"
     - Select "Yes" to enroll
     - Enter the password set during enrollment
     - Select "Reboot"

6. Now, enter a shell in the VM and confirm the certificate is enrolled:

     mokutil -t custom_ima_ca.der

7. Run the following commands to check the machine keyring and the platform keyring:

     keyctl show %:.machine
     keyctl show %:.platform

You will see that your new certificate is enrolled in the .platform keyring even though mokutil should not be able to do this. The key should NOT be present in the .platform keyring, as keys in this keyring are reserved for those loaded directly from the UEFI DB/KEK variables.
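The check in the last step can be scripted. This is an added example, not part of the bug report: it parses `keyctl show` output and reports whether a certificate (matched by subject CN or by the hex id in the key description) landed in .machine, in .platform, or both. The embedded sample output is constructed from the listing in this report; the regex, function names and the "ok" verdict are my own.

```python
import re
from dataclasses import dataclass

# One entry line of `keyctl show` looks like:
#   <id> <perms> <uid> <gid> [\_] <type>: <description>
_ENTRY = re.compile(r"^\s*(\d+)\s+\S+\s+\d+\s+\d+\s+(?:\\_\s+)?(\w+):\s+(.*?)\s*$")

@dataclass(frozen=True)
class KeyEntry:
    key_id: int
    key_type: str      # "keyring", "asymmetric", ...
    description: str   # e.g. "Test: custom_ima_ca: d195e2b6..."

def parse_keyctl_show(output: str) -> list[KeyEntry]:
    """Parse the text printed by `keyctl show %:.<keyring>` into entries."""
    entries = []
    for line in output.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append(KeyEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def find_cert(entries: list[KeyEntry], needle: str) -> list[KeyEntry]:
    """Asymmetric keys whose description contains the subject or hex id."""
    needle = needle.lower()
    return [e for e in entries
            if e.key_type == "asymmetric" and needle in e.description.lower()]

def check_mok_placement(machine_out: str, platform_out: str, needle: str) -> dict:
    """A MOK-enrolled certificate should appear in .machine and never in .platform."""
    in_machine = find_cert(parse_keyctl_show(machine_out), needle)
    in_platform = find_cert(parse_keyctl_show(platform_out), needle)
    return {"in_machine": bool(in_machine),
            "in_platform": bool(in_platform),
            "ok": bool(in_machine) and not in_platform}

# Constructed sample output, copied from the keyring listing in this report.
MACHINE_OUT = r"""Keyring
 176967492 ---lswrv      0     0  keyring: .machine
"""
PLATFORM_OUT = r"""Keyring
  85465097 ---lswrv      0     0  keyring: .platform
 488749135 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
  85391987 ---lswrv      0     0   \_ asymmetric: Test: custom_ima_ca: d195e2b6a22adbb4a4b3d1f0894bffe2eece3903
 805573327 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
1057025125 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
"""
if __name__ == "__main__":
    print(check_mok_placement(MACHINE_OUT, PLATFORM_OUT, "custom_ima_ca"))
```

On a live system, feed the script the output of `keyctl show %:.machine` and `keyctl show %:.platform` in place of the sample strings; a result with "in_platform" set reproduces the misplacement described above.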
On my test VM, the following certificates were present in the machine and platform keyrings after performing the steps above:

keyctl show %:.machine

  Keyring
   176967492 ---lswrv      0     0  keyring: .machine

keyctl show %:.platform

  Keyring
    85465097 ---lswrv      0     0  keyring: .platform
   488749135 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
    85391987 ---lswrv      0     0   \_ asymmetric: Test: custom_ima_ca: d195e2b6a22adbb4a4b3d1f0894bffe2eece3903
   805573327 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63
  1057025125 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

** Affects: mokutil (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2131181
Title: Loading certificate with --import enrolls it into the platform keyring instead of the machine keyring

--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
