Bug 1322076

Summary: uefi secure boot, update examples that are fedora specific
Product: [Fedora] Fedora Documentation
Component: system-administrator's-guide
Reporter: Chris Murphy <bugzilla>
Assignee: Stephen Wadeley <swadeley>
QA Contact: Fedora Docs QA <docs-qa>
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: unspecified
Version: devel
CC: bugzilla, swadeley
Hardware: x86_64
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2017-07-11 19:43:12 UTC

Description Chris Murphy 2016-03-29 18:10:37 UTC
Super low priority. The existing examples aren't Fedora specific and are more verbose than on a Fedora system.
https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sect-kernel-module-authentication.html


Fedora 23, system without secure boot:

# keyctl list %:.system_keyring
1 key in keyring:
436069891: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 123842f3d8cc3f140fa50a22fc9bc014cefcf2bf


Fedora 23, system with secure boot enabled:

# keyctl list %:.system_keyring
4 keys in keyring:
 57620495: ---lswrv     0     0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 17001967: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 123842f3d8cc3f140fa50a22fc9bc014cefcf2bf
462910956: ---lswrv     0     0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
837240830: ---lswrv     0     0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4

Comment 1 Stephen Wadeley 2016-03-29 18:52:30 UTC
Thank you for raising this bug

Comment 2 Stephen Wadeley 2016-05-19 20:02:41 UTC
Hello


What do you see for:
dmesg | grep 'EFI: Loaded cert'

Thank you

Comment 3 Chris Murphy 2016-05-19 20:21:12 UTC
(In reply to Stephen Wadeley from comment #2)
> dmesg | grep 'EFI: Loaded cert'

Returns no results.

A possibly more reliable indicator of Secure Boot state is:

[chris@f23s ~]$ journalctl -k | grep 'Secure boot'
May 12 14:02:05 f23s.localdomain kernel: Secure boot enabled

Or

[chris@f23s ~]$ mokutil --sb-state
SecureBoot enabled

Where on a non-secure boot system:

[chris@f24m ~]$ journalctl -k | grep 'Secure boot'
[chris@f24m ~]$ mokutil --sb-state
Failed to read SecureBoot

Comment 4 Stephen Wadeley 2016-05-23 20:21:15 UTC
Thank you Chris for comment 3

My feeling would be to go for a command that did not require using grep.

I will try to get someone to confirm.

Comment 5 Stephen Wadeley 2016-05-23 21:03:22 UTC
Hello

Peter Jones confirms this is the best:
 ~]$ mokutil --sb-state
SecureBoot enabled


= = = =



commit d14f565da512a70f079cb0a10cfd7e1981366c23
Author: Stephen Wadeley <swadeley>
Date:   Mon May 23 22:57:50 2016 +0200

    To confirm if Secure Boot is enabled
    
    Bug 1322076 - uefi secure boot, update examples that are fedora specific

Comment 6 Stephen Wadeley 2016-05-23 21:20:58 UTC
Re this bit:

    ~]# keyctl list %:.system_keyring
     5 keys in keyring:
     ...asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c497...
     ...asymmetric: Fedora kernel signing key: ba8e2919f98f3f8e2e27541cde0d...
     ...asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4...
     ...asymmetric: Red Hat Test Certifying CA: 08a0ef5800cb02fb587c12b4032...
     ...asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8...
     
    The above output shows the addition of two keys from the UEFI Secure Boot "db" keys plus the Fedora Secure Boot CA which is embedded in the shim.efi boot loader


The description, or explanation, is not very clear.
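To tie together the indicators discussed in comment 3 (mokutil and the SecureBoot EFI variable it reads) with the keyring listings in the description and comment 6, here is an added shell example; it is not code from the bug report or from the Fedora guide. It assumes the `keyctl list` output format shown above; the efivars path and the EFI_GLOBAL_VARIABLE GUID are standard UEFI facts not stated in the thread.

```shell
#!/bin/sh
# Added example, not part of the bug report or the Fedora guide: the
# Secure Boot indicators discussed in the thread, as reusable functions.

# Parse `keyctl list %:.system_keyring` output (stdin) into one
# "description|fingerprint" line per asymmetric key.
keyring_certs() {
    awk '/asymmetric:/ {
        sub(/^.*asymmetric: /, "")   # drop key id, permissions, uid, gid
        fp = $NF                     # trailing hex string is the fingerprint
        sub(/: [0-9a-f]+$/, "")      # the rest is the certificate description
        print $0 "|" fp
    }'
}

# Keyring-based verdict (stdin = keyctl output). The thread's listings show
# that under Secure Boot the firmware "db" certificates and the Fedora Secure
# Boot CA carried by shim appear next to the distro kernel signing key;
# without Secure Boot only the kernel signing key is present.
keyring_sb_verdict() {
    if keyring_certs | grep -q '^Fedora Secure Boot CA|'; then
        echo "enabled"
    else
        echo "not indicated"
    fi
}

# Authoritative live check, the same source mokutil --sb-state uses: the
# SecureBoot EFI variable (GUID is EFI_GLOBAL_VARIABLE, a fact outside the
# thread). The file holds 4 attribute bytes then the 1-byte value, 1 = enabled.
efivar_sb_state() {
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$var" ] || { echo "unknown"; return 0; }   # BIOS boot or no efivarfs
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample, copied from the two F23 listings in the bug description.
SAMPLE_SB_ON='57620495: ---lswrv     0     0 asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
17001967: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 123842f3d8cc3f140fa50a22fc9bc014cefcf2bf
462910956: ---lswrv     0     0 asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
837240830: ---lswrv     0     0 asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
SAMPLE_SB_OFF='436069891: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 123842f3d8cc3f140fa50a22fc9bc014cefcf2bf'

printf '%s\n' "$SAMPLE_SB_ON" | keyring_sb_verdict    # enabled
```

On a live system, `keyctl list %:.system_keyring | keyring_sb_verdict` and `efivar_sb_state` should agree; `mokutil --sb-state`, as confirmed in comment 5, remains the documented check.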