Bug 1866107

Summary: Following 1861977, the MOK list is inaccessible with "Couldn't get UEFI MokListRT" visible in the logs
Product: Red Hat Enterprise Linux 8
Reporter: Kyle Walker <kwalker>
Component: shim
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: CLOSED DUPLICATE
QA Contact: Release Test Team <release-test-team-automation>
Severity: urgent
Priority: urgent
Version: 8.2
CC: ajb, berend, chref, fedoraproject, fmartine, gregory.m.mckenzie, kbost, manuel.wolfshant, mckweb, miabbott, mmatsuya, pasteur, peter, phil, ptalbert, rboza89, rmetrich, sbarcomb, toracat, twaugh
Target Milestone: rc
Keywords: Regression
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-09-23 06:52:02 UTC
Type: Bug

Description Kyle Walker 2020-08-04 21:14:42 UTC
Description of problem:
 As noted in https://bugzilla.redhat.com/show_bug.cgi?id=1861977#c70, third party modules are no longer able to be loaded. This seems to be due to the system's Machine Owner Keyring being unavailable.

Version-Release number of selected component (if applicable):
  kernel-4.18.0-193.14.3.el8_2.x86_64
  shim-x64-15-15.el8_2.x86_64
  mokutil-0.3.0-9.el8.x86_64

How reproducible:
 Easily

Steps to Reproduce:
1. On a UEFI system with Secure Boot enabled, update the kernel/shim-*/mokutil packages
    $ yum update kernel shim mokutil

2. Reboot
    $ sudo reboot

3. Verify that the MOK list is empty
    $ sudo mokutil --list-enrolled

Actual results:
    $ sudo mokutil --list-enrolled
    MokListRT is empty


Expected results:
    $ sudo mokutil --list-enrolled
    <Multiple entries with "[key <val>]" at the heading>

Additional info:
 The kernel ring buffer includes the following errors when the failure occurs:

    kernel: Couldn't get size: 0x800000000000000e
    kernel: Couldn't get UEFI MokListRT

Downgrading shim and the kernel is sufficient to restore functionality.
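
A triage sketch for the two symptoms in this report, added here as an example (it is not part of the original bug report or of any Red Hat tooling): it scans kernel log text for the MokListRT failure, decodes the EFI status printed just before it, and checks the mokutil output. The function names and the pairing of each "Couldn't get size" line with the list failure that follows it are assumptions; the status numbers come from the UEFI specification.

```python
import re

# EFI_STATUS error numbers from the UEFI specification; an error has bit 63 set.
EFI_ERRORS = {
    2: "EFI_INVALID_PARAMETER", 3: "EFI_UNSUPPORTED", 5: "EFI_BUFFER_TOO_SMALL",
    7: "EFI_DEVICE_ERROR", 9: "EFI_OUT_OF_RESOURCES", 14: "EFI_NOT_FOUND",
    15: "EFI_ACCESS_DENIED", 26: "EFI_SECURITY_VIOLATION",
}
ERROR_BIT = 1 << 63
SIZE_RE = re.compile(r"Couldn't get size: (0x[0-9a-fA-F]+)")
LIST_RE = re.compile(r"Couldn't get UEFI (\S+)")

def decode_efi_status(status):
    """Name a 64-bit EFI_STATUS value as printed by the kernel."""
    if status == 0:
        return "EFI_SUCCESS"
    if not status & ERROR_BIT:
        return "EFI warning %d" % status
    code = status & ~ERROR_BIT
    return EFI_ERRORS.get(code, "unknown EFI error %d" % code)

def triage(kernel_log, mokutil_output):
    """Report whether the kernel failed to read MokListRT and what mokutil shows."""
    pending = None       # status from the most recent "Couldn't get size" line
    mok_status = None
    kernel_failed = False
    for line in kernel_log.splitlines():
        size = SIZE_RE.search(line)
        failed = LIST_RE.search(line)
        if size:
            pending = int(size.group(1), 16)
        elif failed:
            # Assumption: the size error directly above belongs to this list.
            if failed.group(1) == "MokListRT":
                kernel_failed, mok_status = True, pending
            pending = None
    return {
        "kernel_mok_read_failed": kernel_failed,
        "efi_status": None if mok_status is None else decode_efi_status(mok_status),
        "mokutil_reports_empty": "MokListRT is empty" in mokutil_output,
    }

# Constructed sample input: the kernel lines and mokutil output quoted in this report.
SAMPLE_LOG = ("kernel: Couldn't get size: 0x800000000000000e\n"
              "kernel: Couldn't get UEFI MokListRT\n")
SAMPLE_MOKUTIL = "MokListRT is empty\n"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_MOKUTIL))
```

On a live system the inputs would be the text of `dmesg` and of `sudo mokutil --list-enrolled`.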

Comment 1 Kyle Walker 2020-08-04 21:17:26 UTC
Sorry, downgrading shim-x64 alone is sufficient to restore functionality.

Comment 3 mckweb 2020-08-26 23:02:08 UTC
On RHEL 7.8 I am having a very similar issue where mokutil is not adding keys to the system keyring.

I attempted to downgrade shim-x64 and it has mokutil as a dependency. When I downgraded them both, now my machine won't start...

    ---> Package mokutil.x86_64 0:15-7el7_8 will be a downgrade
    ---> Package mokutil.x86_64 0:15-8el7_8 will be erased
    ---> Package shim-x64.x86_64 0:15-7el7_8 will be a downgrade
    ---> Package shim-x64.x86_64 0:15-8el7_8 will be erased

Luckily mokutil was set to verbose and the black screen is printing text about mirroring the key list, and that is what I believe is holding it up.

Comment 7 Javier Martinez Canillas 2020-09-23 06:52:02 UTC
Renaud confirmed that this is a duplicate of bug #1877343.

*** This bug has been marked as a duplicate of bug 1877343 ***

Comment 8 Peter Ajamian 2020-09-23 11:46:04 UTC
Why is this (original) bug being marked as a duplicate of another (newer) bug?  1877343 should be marked as the duplicate, not this one.  Or is it because you don't want the public to have access?

Comment 9 Phil Perry 2020-09-23 12:42:14 UTC
If anyone has access to the new bug, please add me to the CC list.

Do we need to open a support case to get this fixed? It took 6 weeks to be marked as urgent.

Comment 10 Renaud Métrich 2020-09-23 12:56:03 UTC
Sorry, we did some cleanup and didn't realize the BZ was private. It's now public and I added you to CC.

Comment 11 Peter Ajamian 2020-09-23 12:57:59 UTC
Thanks Renaud