Rocky Linux 8.5 UEFI Secure Boot Key problem on VMware

Hi,

I installed Rocky Linux 8.5 on VMware with UEFI and Secure Boot enabled.
If I have a look at the certificates used, I'm missing a Rocky certificate.
Also "mokutil --list-enrolled" doesn't report any cert.
I also noticed a mokutil error message during boot.
See everything below.

keyctl show %:.platform
Keyring
 640117210 ---lswrv      0     0  keyring: .platform
 791514808 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
 540131083 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 759592932 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
 382667462 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7

mokutil --list-enrolled

dmesg | grep -i mok
[    0.000000] efi:  SMBIOS=0xcfc6000  ACPI 2.0=0xbbac000  MEMATTR=0xbbcf698  MOKvar=0xbb9a000
[    0.000000] mokvar: EFI MOKvar config table is not in EFI runtime memory

When I install RHEL 8.5 or Alma Linux 8.5 the keys are displayed the right way and the error message from mokutil during boot does not occur. See below:

 keyctl show %:.platform
Keyring
 356880736 ---lswrv      0     0  keyring: .platform
 808767509 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
 263488758 ---lswrv      0     0   \_ asymmetric: Cloud Linux Software, Inc: 858e9d64bb6fbac59a62065485a7b61c45e2b9f8
 235429892 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 193290181 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
 904662369 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7

[root@localhost ~]# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 20:3c:5f:34:44:fc:e6:70:b8:67:8c:c3:05:3f:c6:72:4c:48:e2:91
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            63:a7:fa:56:77:19:74:88:71:c9:6e:a9:de:a6:3c:30
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Extended Validation Code Signing CA SHA2
        Validity
            Not Before: Mar 26 11:54:52 2021 GMT
            Not After : Mar 25 11:54:52 2024 GMT
        Subject: jurisdictionC=US/jurisdictionST=Delaware/postalCode=FL 33913/street=15068 Blue Bay Circle/businessCategory=Private Organization/serialNumber=83-0923043, C=US, ST=Florida, L=Fort Myers, O=Cloud Linux Software, Inc, CN=Cloud Linux Software, Inc
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:88:f3:9a:0c:be:c3:59:62:54:9e:b2:8b:ac:63:
                    32:5e:17:46:13:ef:bf:a6:90:76:a3:81:3d:2f:bc:
                    03:4b:bc:e4:df:a9:5f:71:61:f9:82:39:53:a7:83:
                    e3:6e:93:53:a6:72:e3:9f:c6:32:6b:3b:f1:7d:ea:
                    01:13:9e:89:fc:f4:4c:8d:18:66:db:fc:19:52:49:
                    ee:c3:e1:1f:bb:97:46:3d:cf:3b:bb:7d:74:a7:5f:
                    88:14:f3:ea:be:82:6c:c2:f2:c3:89:34:39:72:91:
                    93:0d:a2:b4:98:e4:cb:53:57:b2:a0:b6:a9:7d:53:
                    f6:bc:bb:e0:01:49:a5:6d:39:8c:8f:83:90:9f:2b:
                    51:e4:04:01:5b:25:99:c1:69:be:53:91:66:6a:48:
                    4d:7b:23:00:9e:72:0a:ee:0d:7a:2b:b8:50:a6:13:
                    60:d1:42:8f:90:d9:f2:d1:24:1d:21:7a:88:24:d0:
                    c4:74:44:b0:91:42:d0:50:21:a1:5f:e7:fd:00:60:
                    35:a5:72:d8:01:da:12:72:27:5f:8b:54:ef:2d:b3:
                    c0:cb:2a:ef:bf:5e:b6:8e:11:27:b2:f1:e5:3c:db:
                    f7:3a:5b:90:89:2f:2e:f4:7e:59:e3:4b:44:5e:1b:
                    08:3a:e7:d2:92:49:13:87:f5:b0:5c:df:9e:29:35:
                    43:8d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.certum.pl/evcscasha2.crl

            Authority Information Access:
                OCSP - URI:http://evcscasha2.ocsp-certum.com
                CA Issuers - URI:http://repository.certum.pl/evcscasha2.cer

            X509v3 Authority Key Identifier:
                keyid:A2:C5:2A:11:74:2D:BB:2B:34:44:B5:E3:CE:81:74:68:C2:AA:65:17

            X509v3 Subject Key Identifier:
                85:8E:9D:64:BB:6F:BA:C5:9A:62:06:54:85:A7:B6:1C:45:E2:B9:F8
            X509v3 Issuer Alternative Name:
                email:evcscasha2@certum.pl
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.3
                Policy: 1.2.616.1.113527.2.5.1.7
                  CPS: https://www.certum.pl/CPS

            X509v3 Extended Key Usage:
                Code Signing, 1.3.6.1.4.1.311.61.1.1
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Alternative Name:
                othername:<unsupported>
    Signature Algorithm: sha256WithRSAEncryption
         3f:38:a7:79:d7:7e:e0:ff:c6:f3:89:24:9c:26:42:6a:ee:e7:
         f0:d4:b3:f3:07:73:e8:ef:ee:85:47:cd:0c:9a:33:10:ff:c0:
         8c:95:96:78:e0:79:2f:63:4c:a3:c9:22:90:2e:94:58:f9:0c:
         f4:3d:9b:34:59:2a:b5:77:61:96:c7:86:5f:95:3c:ce:40:40:
         67:ce:fb:29:e9:84:0b:0d:0b:00:f8:2b:07:07:33:34:a3:4c:
         ea:21:1b:44:36:7a:d6:23:8a:d0:28:ae:17:14:6d:79:a9:bc:
         86:6c:7c:b3:41:0c:88:ec:0b:6e:ea:4c:ae:01:b3:8f:ec:ab:
         40:a8:91:95:00:ee:46:72:72:29:2e:26:1b:73:69:4d:44:3a:
         af:95:4f:73:49:b5:de:c8:5f:18:a9:04:48:0e:46:a2:58:9b:
         03:38:61:25:dc:16:3f:19:3f:de:90:ef:3a:4b:7b:b7:84:78:
         64:61:1d:13:e4:a5:61:cb:41:48:ef:d1:35:b8:b6:20:31:0d:
         e5:19:f6:64:de:9d:1e:88:b4:e3:1e:76:2a:eb:43:43:66:45:
         75:01:53:2a:35:20:63:69:74:91:5f:06:b9:b7:17:b0:7f:16:
         a0:8e:69:77:04:a0:a5:f5:0e:f2:df:c1:a3:87:c9:e1:28:fb:
         4f:52:a9:c8


dmesg | grep -i mok
[    0.000000] efi:  SMBIOS=0xdf86000  ACPI 2.0=0xdf75000  MEMATTR=0xb5dc018  MOKvar=0xdf30000
[    1.008856] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)

I don't know if this is a real issue, but it's at least a different behavior between RHEL/Alma 8.5 and Rocky Linux 8.5.

Does anybody experience the same issue?
Any idea how to solve this?
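The three checks in the post above (the .platform keyring, the MOK enrollment list, and the MOKvar line in dmesg) can be run against saved captures from several VMs and compared mechanically. The script below is an added example, not part of the original post or of Rocky Linux; it parses captures of `keyctl show %:.platform`, `mokutil --list-enrolled` and `dmesg | grep -i mok` from text files. The sample captures are constructed from the shape of the output shown in this thread, and the vendor string to look for is an input, because the thread does not state the exact subject name of the Rocky signing certificate.

```shell
#!/bin/sh
# Offline diagnostic for the Secure Boot / MOK symptoms discussed in the thread.
# Added example, not from the forum posts. Reads saved captures of
#   keyctl show %:.platform  ->  $1   mokutil --list-enrolled -> $2   dmesg | grep -i mok -> $3
# The sample captures at the bottom are constructed from the thread's output
# so that the script runs without a VM. The expected vendor substring (e.g.
# "Cloud Linux Software" or "Rocky") is an assumption supplied by the caller.

# Is a signer whose name contains $2 present in the .platform keyring capture $1?
platform_has_signer() {
    grep -q "asymmetric: .*$2" "$1"
}

# Does the mokutil --list-enrolled capture $1 list at least one key?
mok_has_entries() {
    grep -q '^\[key [0-9][0-9]*\]' "$1"
}

# How did the kernel treat the MOKvar table, judging from dmesg capture $1?
# Prints: loaded | not-runtime | unknown
mokvar_status() {
    if grep -q 'MOKvar config table is not in EFI runtime memory' "$1"; then
        echo not-runtime
    elif grep -q 'Loading X.509 certificate: UEFI:MokListRT' "$1"; then
        echo loaded
    else
        echo unknown
    fi
}

# Run all three checks; $4 is the expected vendor substring. Returns 0 only if all pass.
diagnose() {
    rc=0
    if platform_has_signer "$1" "$4"; then
        echo "ok:   '$4' signer present in .platform keyring"
    else
        echo "WARN: no '$4' signer in .platform keyring"; rc=1
    fi
    if mok_has_entries "$2"; then
        echo "ok:   MOK list has enrolled keys"
    else
        echo "WARN: mokutil --list-enrolled is empty"; rc=1
    fi
    case $(mokvar_status "$3") in
        loaded)      echo "ok:   kernel imported MokListRT from the MOKvar table" ;;
        not-runtime) echo "WARN: MOKvar table not in EFI runtime memory, MokListRT not imported"; rc=1 ;;
        *)           echo "WARN: no MOKvar message in dmesg capture"; rc=1 ;;
    esac
    return $rc
}

# --- constructed sample captures (shape taken from the thread) ---
SAMPLES=$(mktemp -d)
cat >"$SAMPLES/rocky.keyctl" <<'EOF'
Keyring
 640117210 ---lswrv      0     0  keyring: .platform
 791514808 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
 540131083 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 382667462 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
EOF
: >"$SAMPLES/rocky.mok"    # empty: nothing enrolled
cat >"$SAMPLES/rocky.dmesg" <<'EOF'
[    0.000000] efi:  SMBIOS=0xcfc6000  ACPI 2.0=0xbbac000  MEMATTR=0xbbcf698  MOKvar=0xbb9a000
[    0.000000] mokvar: EFI MOKvar config table is not in EFI runtime memory
EOF
cat >"$SAMPLES/alma.keyctl" <<'EOF'
Keyring
 356880736 ---lswrv      0     0  keyring: .platform
 808767509 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
 263488758 ---lswrv      0     0   \_ asymmetric: Cloud Linux Software, Inc: 858e9d64bb6fbac59a62065485a7b61c45e2b9f8
EOF
cat >"$SAMPLES/alma.mok" <<'EOF'
[key 1]
SHA1 Fingerprint: 20:3c:5f:34:44:fc:e6:70:b8:67:8c:c3:05:3f:c6:72:4c:48:e2:91
EOF
cat >"$SAMPLES/alma.dmesg" <<'EOF'
[    0.000000] efi:  SMBIOS=0xdf86000  ACPI 2.0=0xdf75000  MEMATTR=0xb5dc018  MOKvar=0xdf30000
[    1.008856] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
EOF

echo "== Rocky-style capture =="
diagnose "$SAMPLES/rocky.keyctl" "$SAMPLES/rocky.mok" "$SAMPLES/rocky.dmesg" "Rocky" || true
echo "== Alma-style capture =="
diagnose "$SAMPLES/alma.keyctl" "$SAMPLES/alma.mok" "$SAMPLES/alma.dmesg" "Cloud Linux Software" || true
```

On a live VM, capture the real output instead of the samples (`keyctl show %:.platform > k.txt; mokutil --list-enrolled > m.txt; dmesg | grep -i mok > d.txt`) and call `diagnose k.txt m.txt d.txt "<vendor>"`. The "not-runtime" result is the kernel refusing to import MokListRT from a MOKvar table that is not in runtime-services memory, which is why the list stays empty even though the firmware-side MOK menu showed the key.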

The message is harmless and doesn't affect the functionality of Secure Boot, so it's safe to ignore. For context, due to the patches that the shim folks had us put in during our review, this message unfortunately comes up. We're hoping the next version of shim will make that message go away (and also fix some other issues with VMware ESX stuff).


I also have some issue with mokutil on Rocky 8.5. I'm trying to import a certificate into the MOK to support the Trend Micro Agent. The import looks like it works; in the MOK menu I see the certificate. When I log back on to the VM, the test-key command tells me the certificate is not enrolled and the list-enrolled command shows nothing. On VMware 6.7.

Can I safely ignore my issues, then?
Do you know when this new shim version will be available?

I also did a quick test on my environment. I was also not able to import keys with mokutil.
I tried with the Trend Micro Agent and the elrepo keys.
Both are not listed as enrolled after reboot.

Could it be that there is a problem with MOK on VMware?

I am also unable to import keys for CrowdStrike. Upon further investigation, it doesn't even look like Rocky's is getting loaded.

 keyctl show %:.platform
Keyring
 988869318 ---lswrv      0     0  keyring: .platform
 775921918 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
 279154520 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 405526653 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
 150495544 ---lswrv      0     0   \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7

I am seeing the same thing. VMware, CentOS system migrated to Rocky 8. "mokutil --list-enrolled" shows nothing. "mokutil --sb" shows that Secure Boot is enabled. "keyctl show %:.platform" shows similar to @benjoshyo but does not list the last key.

If I use "mokutil --import ..." to import the CrowdStrike key, I am prompted for a password. During reboot, I go through the steps to approve the key and enter the password. Rebooting after that shows the CrowdStrike module not loaded and "mokutil --list-enrolled" is still blank.

For others who stumble on this thread like I did, there’s a better discussion at Rocky Linux 8.5 Secure Boot Error

There was a bug in the upstream shim code that asked UEFI to delete some keys. Most ignore it, but ESXi does not.

So, we are waiting for that fix to be released in the upstream repo and then to be incorporated into Rocky Linux.