Re: Can't find a solution to a failed secure boot kernel loading

From: Dimitri John Ledkov
Subject: Re: Can't find a solution to a failed secure boot kernel loading
Date: Tue, 10 May 2022 14:24:40 +0100

The MOK key as generated by Ubuntu/Debian tooling creates a signing
certificate that self-limits itself to only support kernel module
signatures. Signatures made by such a certificate are not trusted by shim
for the purpose of code signing of bootloaders (i.e. grub) or kernels (i.e.
I also responded this on stackoverflow.

The automatically generated MOK key is only usable to sign kernel
modules, i.e. self-built DKMS modules.



On Tue, 10 May 2022 at 11:33, Łukasz Piątkowski <> wrote:
> Hi everyone - I'm new here!
> Sorry for going with my problem directly to the grub-devel mailing list, but 
> I'm pretty sure my problem is GRUB related. Still, I've spent some hours 
> trying to find a solution on the Internet and I failed :( So, here it comes - 
> if anyone has time to explain my problem to a layman, it would be awesome. 
> Even better, if you can maybe answer here on stackoverflow, where it can be 
> easier to find, I believe 
> (
> I'm running ubuntu with Secure Boot on. Everything works fine when I use a 
> kernel that comes packaged from Canonical. Still, I have issues running a 
> self-signed kernel (this is actually an externally built kernel, that I have 
> verified and want to use for my own machine). I'm pretty sure my signature 
> with MOK key is OK (verification below), but still when I try to boot the 
> kernel from grub, after selecting the correct entry, I get an error that 
> reads "Loading ... error: bad shim signature." I'm wrapping my head around it 
> and can't find a solution. Why, even though both kernels are signed with MOK 
> keys, one of them works and the other doesn't?
> Here's info about kernel signatures:
> root@T495:~# sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert 
> /var/lib/shim-signed/mok/MOK.pem /boot/vmlinuz
> Image was already signed; adding additional signature
> root@T495:~# sbverify --list /boot/vmlinuz
> signature 1
> image signature issuers:
>  - /C=PL/ST=Poznan/L=Poznan/O=none/CN=Secure Boot 
> Signing/
> image signature certificates:
>  - subject: /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot 
> Signing/
>    issuer:  /C=PL/ST=yes/L=yes/O=none/CN=Secure Boot 
> Signing/
> signature 2
> image signature issuers:
>  - /CN=ubuntu Secure Boot Module Signature key
> image signature certificates:
>  - subject: /CN=ubuntu Secure Boot Module Signature key
>    issuer:  /CN=ubuntu Secure Boot Module Signature key
> And here about MOK keys:
> root@T495:~# openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -fingerprint 
> -noout
> SHA1 Fingerprint=81:A2:93:CB:06:6F:52:BA:D9:E2:39:68:9D:FA:E2:2B:0C:95:3C:F7
> root@T495:~# mokutil --list-enrolled | grep "81:a2:93"
> SHA1 Fingerprint: 81:a2:93:cb:06:6f:52:ba:d9:e2:39:68:9d:fa:e2:2b:0c:95:3c:f7
> If there are any docs that help understand that, I'm happy to be redirected 
> there :)
> piontec
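Added example (not part of the thread, not Ubuntu's or shim's own code): a small shell script that reproduces, with the openssl CLI, the distinction the reply above describes. Ubuntu's update-secureboot-policy tags the DKMS MOK certificate with the extended key usage OID 1.3.6.1.4.1.2312.16.1.2 ("module signing only"), and shim refuses to validate a PE binary (grub, vmlinuz) against any certificate carrying that OID, even though the same certificate is fine for .ko files. The script builds two throwaway self-signed certificates in a temporary directory, one with the module-only OID and one with plain codeSigning, and reports which of them shim would accept for kernels. The certificate names, the config layout and the grep-based check are this example's own simplifications of shim's EKU check, not shim's implementation; it assumes openssl is installed.

```shell
#!/bin/sh
# Added example: why a kernel signed with the Ubuntu/Debian DKMS MOK key fails
# with "bad shim signature" although sbverify reports the signature as valid.
# Assumptions: the openssl CLI is present; certificate names are made up here.
set -eu

# EKU OID that update-secureboot-policy puts into the generated MOK.pem and
# that shim treats as "this certificate may only sign kernel modules".
MODSIGN_ONLY_OID="1.3.6.1.4.1.2312.16.1.2"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a throwaway self-signed certificate.
#   $1 = output basename
#   $2 = "modsign"  -> Ubuntu-style module-only MOK (codeSigning + custom OID)
#        "codesign" -> certificate shim will also accept for grub/kernels
make_cert() {
    name="$1"; kind="$2"
    case "$kind" in
        modsign)  eku="codeSigning,$MODSIGN_ONLY_OID" ;;
        codesign) eku="codeSigning" ;;
        *) echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    cat > "$WORK/$name.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = ext
prompt = no
[ dn ]
CN = $name test key
[ ext ]
basicConstraints = critical,CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = $eku
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$WORK/$name.cnf" \
        -keyout "$WORK/$name.priv" -out "$WORK/$name.pem" 2>/dev/null
}

# Mirror of shim's EKU rule: return 0 if shim would accept PE binaries signed
# with this certificate, 1 if it carries the module-signing-only OID and would
# reject grub or a kernel image signed with it.
shim_trusts_for_binaries() {
    if openssl x509 -in "$1" -noout -text | grep -q "$MODSIGN_ONLY_OID"; then
        return 1
    fi
    return 0
}

# One-line verdict for a certificate file, e.g. /var/lib/shim-signed/mok/MOK.pem.
check_mok() {
    if shim_trusts_for_binaries "$1"; then
        echo "$1: no module-only EKU, usable for grub/kernel signatures"
    else
        echo "$1: module-signing-only EKU, DKMS modules only, not kernels"
    fi
}

make_cert dkms_mok modsign     # what update-secureboot-policy produces
make_cert full_mok codesign    # what a kernel-signing MOK would need
check_mok "$WORK/dkms_mok.pem"
check_mok "$WORK/full_mok.pem"
```

To apply this to the situation in the thread, run check_mok against /var/lib/shim-signed/mok/MOK.pem, or simply `openssl x509 -in MOK.pem -noout -text | grep -A1 'Extended Key Usage'`. Note that sbsign and sbverify only check that the Authenticode signature itself is valid and do not look at the EKU, which is why the signature verifies locally yet shim still refuses the image.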
