Hi,
I installed Rocky Linux 8.5 on VMware with UEFI and secure boot enabled.
If I have a look at the certificates used, I'm missing a Rocky certificate.
Also “mokutil --list-enrolled” doesn't report any cert.
I also recognized a mokutils error message during boot.
See everything below.
keyctl show %:.platform
Keyring
640117210 ---lswrv 0 0 keyring: .platform
791514808 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
540131083 ---lswrv 0 0 \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
759592932 ---lswrv 0 0 \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
382667462 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
mokutil --list-enrolled
dmesg | grep -i mok
[ 0.000000] efi: SMBIOS=0xcfc6000 ACPI 2.0=0xbbac000 MEMATTR=0xbbcf698 MOKvar=0xbb9a000
[ 0.000000] mokvar: EFI MOKvar config table is not in EFI runtime memory
When I install RHEL 8.5 or Alma Linux 8.5 the keys are displayed the right way and the error message from mokutils during boot does not occur. See below:
keyctl show %:.platform
Keyring
356880736 ---lswrv 0 0 keyring: .platform
808767509 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
263488758 ---lswrv 0 0 \_ asymmetric: Cloud Linux Software, Inc: 858e9d64bb6fbac59a62065485a7b61c45e2b9f8
235429892 ---lswrv 0 0 \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
193290181 ---lswrv 0 0 \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
904662369 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
[root@localhost ~]# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 20:3c:5f:34:44:fc:e6:70:b8:67:8c:c3:05:3f:c6:72:4c:48:e2:91
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
63:a7:fa:56:77:19:74:88:71:c9:6e:a9:de:a6:3c:30
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Extended Validation Code Signing CA SHA2
Validity
Not Before: Mar 26 11:54:52 2021 GMT
Not After : Mar 25 11:54:52 2024 GMT
Subject: jurisdictionC=US/jurisdictionST=Delaware/postalCode=FL 33913/street=15068 Blue Bay Circle/businessCategory=Private Organization/serialNumber=83-0923043, C=US, ST=Florida, L=Fort Myers, O=Cloud Linux Software, Inc, CN=Cloud Linux Software, Inc
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.certum.pl/evcscasha2.crl
Authority Information Access:
OCSP - URI:http://evcscasha2.ocsp-certum.com
CA Issuers - URI:http://repository.certum.pl/evcscasha2.cer
X509v3 Authority Key Identifier:
keyid:A2:C5:2A:11:74:2D:BB:2B:34:44:B5:E3:CE:81:74:68:C2:AA:65:17
X509v3 Subject Key Identifier:
85:8E:9D:64:BB:6F:BA:C5:9A:62:06:54:85:A7:B6:1C:45:E2:B9:F8
X509v3 Issuer Alternative Name:
email:evcscasha2@certum.pl
X509v3 Certificate Policies:
Policy: 2.23.140.1.3
Policy: 1.2.616.1.113527.2.5.1.7
CPS: https://www.certum.pl/CPS
X509v3 Extended Key Usage:
Code Signing, 1.3.6.1.4.1.311.61.1.1
X509v3 Key Usage: critical
Digital Signature
X509v3 Subject Alternative Name:
othername:<unsupported>
Signature Algorithm: sha256WithRSAEncryption
dmesg | grep -i mok
[ 0.000000] efi: SMBIOS=0xdf86000 ACPI 2.0=0xdf75000 MEMATTR=0xb5dc018 MOKvar=0xdf30000
[ 1.008856] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
I don't know if this is a real issue but it's at least a different behavior between RHEL/Alma 8.5 and Rocky Linux 8.5.
Does anybody experience the same issue?
Any idea how to solve this?
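
An added example, not part of the original post: a small Python check that diffs the two `keyctl show %:.platform` listings quoted above and ties the extra keyring entry to the MOK certificate by its Subject Key Identifier. The function names are hypothetical; it assumes the hex suffix of each asymmetric key description is the certificate's Subject Key Identifier, as the Alma output shows.

```python
import re

# `keyctl show %:.platform` output copied from the post above (Rocky, then Alma).
ROCKY = r"""Keyring
640117210 ---lswrv 0 0 keyring: .platform
791514808 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
540131083 ---lswrv 0 0 \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
759592932 ---lswrv 0 0 \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
382667462 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
"""
ALMA = r"""Keyring
356880736 ---lswrv 0 0 keyring: .platform
808767509 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: 4ad8ba0472073d28127706ddc6ccb9050441bbc7
263488758 ---lswrv 0 0 \_ asymmetric: Cloud Linux Software, Inc: 858e9d64bb6fbac59a62065485a7b61c45e2b9f8
235429892 ---lswrv 0 0 \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
193290181 ---lswrv 0 0 \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
904662369 ---lswrv 0 0 \_ asymmetric: VMware, Inc.: VMware Secure Boot Signing: 04597f3e1ffb240bba0ff0f05d5eb05f3e15f6d7
"""
# Subject Key Identifier of the MOK certificate, as printed by mokutil in the post.
MOK_SKI = "85:8E:9D:64:BB:6F:BA:C5:9A:62:06:54:85:A7:B6:1C:45:E2:B9:F8"
KEY_LINE = re.compile(r"asymmetric: (?P<name>.+): (?P<keyid>[0-9a-f]+)\s*$")

def parse_keyring(text):
    """Map key id (hex suffix of the description) -> certificate subject name."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.search(line)
        if m:
            keys[m.group("keyid")] = m.group("name")
    return keys

def missing_from(candidate, reference):
    """Keys present in the reference keyring but absent from the candidate."""
    have = parse_keyring(candidate)
    return {k: v for k, v in parse_keyring(reference).items() if k not in have}

def normalize_ski(ski):
    """Turn mokutil's 'AA:BB:..' notation into the lowercase hex keyctl prints."""
    return ski.replace(":", "").strip().lower()

def mok_cert_loaded(keyring_text, ski):
    """True if a certificate with this Subject Key Identifier is on the keyring."""
    return normalize_ski(ski) in parse_keyring(keyring_text)

if __name__ == "__main__":
    for keyid, name in missing_from(ROCKY, ALMA).items():
        print(f"only on reference keyring: {name} ({keyid})")
    print("MOK cert on Alma keyring:", mok_cert_loaded(ALMA, MOK_SKI))
    print("MOK cert on Rocky keyring:", mok_cert_loaded(ROCKY, MOK_SKI))
```

On the two listings from the post, the only entry absent from the Rocky keyring is the one whose key id equals the Subject Key Identifier of the certificate `mokutil --list-enrolled` prints on Alma.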