Bug 2228419

Summary: mokutil --db gives empty result when UEFI db is not empty
Product: Red Hat Enterprise Linux 9
Reporter: Coiby <coxu>
Component: mokutil
Assignee: Bootloader engineering team <bootloader-eng-team>
Status: NEW
QA Contact: Oliver Gutiérrez <ogutierr>
Severity: unspecified
Priority: unspecified
Version: 9.3
Target Milestone: rc
Target Release: ---
Hardware: aarch64
OS: Unspecified
Type: Bug

Description Coiby 2023-08-02 11:12:46 UTC
Description of problem:

mokutil --db outputs nothing when UEFI db is not empty (these certificates have been successfully added to the .platform keyring).


    [root@ampere-mtsnow-altramax-56 ~]# mokutil --db
    # only one MOK key
    [root@ampere-mtsnow-altramax-56 ~]# mokutil --list-enrolled
    [key 1]
    SHA1 Fingerprint: cf:92:30:e6:90:00:07:67:27:e5:b7:84:ec:87:1d:22:71:6d:c5:da
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                ad:8e:19:64:68:34:ff:5d
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert
            Subject: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert
    # Red Hat Secure Boot (CA key 1) is the VENDOR_CERT
    # the remaining certificates are from the UEFI db
    [root@ampere-mtsnow-altramax-56 ~]# keyctl show %:.platform
    Keyring
     908170642 ---lswrv      0     0  keyring: .platform
     361514782 ---lswrv      0     0   \_ asymmetric: SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f
     281841880 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
     466944821 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
     137624747 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
     777544007 ---lswrv      0     0   \_ asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
     797997726 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63


Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. Install RHEL9.3 on a UEFI machine, e.g. ampere-mtsnow-altramax-56.khw4.lab.eng.bos.redhat.com, which has a non-empty factory default db
2. mokutil --db

Actual results:

"mokutil --db" outputs nothing.

Expected results:

"mokutil --db" should list the certificates in UEFI db.

Additional info:

This can be reproduced on Fedora 38 and 39 as well.

Comment 1 Coiby 2023-08-09 01:52:33 UTC
Note "mokutil --dbx" is empty as well while %:.blacklist is not:

    [root@ampere-mtsnow-altramax-04 ~]# mokutil --dbx
    [root@ampere-mtsnow-altramax-04 ~]# keyctl show %:.blacklist
    Keyring
     698261956 ---lswrv      0     0  keyring: .blacklist
      63779173 ---lswrv      0     0   \_ blacklist: bin:075eea060589548ba060b2feed10da3c20c7fe9b17cd026b94e8a683b8115238
     863401660 ---lswrv      0     0   \_ blacklist: bin:c83cb13922ad99f560744675dd37cc94dcad5a1fcba6472fee341171d939e884
     409547307 ---lswrv      0     0   \_ blacklist: bin:cb6b858b40d3a098765815b592c1514a49604fafd60819da88d7a76e9778fef7
    ...
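
An independent way to check what the description and comment 1 report: read the db and dbx variables straight out of efivarfs and parse the EFI_SIGNATURE_LIST array yourself, then compare the entries with what mokutil prints and with the .platform / .blacklist keyrings. The script below is an added example, not code from mokutil or from the bug report. The GUIDs are the ones defined in the UEFI specification (the image-security database GUID that db and dbx live under, and the X509 and SHA256 signature-type GUIDs); the efivarfs path and its 4-byte attribute prefix are standard Linux behaviour. The embedded SAMPLE_DB is constructed input so the parser runs offline; its "certificate" payload is a placeholder blob, not a real DER certificate.

```python
#!/usr/bin/env python3
"""Independent reader for the UEFI db/dbx variables.

Added example, not part of mokutil. It parses the raw EFI_SIGNATURE_LIST
array that efivarfs exposes for db and dbx so the result can be compared
with "mokutil --db" / "mokutil --dbx" and with keyctl show %:.platform.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# GUIDs from the UEFI specification.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d88-4b03-85ba-8f20f3bf1c2a"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS = Path("/sys/firmware/efi/efivars")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
SIGLIST_HDR = struct.Struct("<16sIII")


def efivar_path(name):
    """efivarfs file for db or dbx (both live under the image-security GUID)."""
    return EFIVARS / f"{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}"


def strip_efivarfs_attributes(raw):
    """efivarfs prefixes every variable with a 4-byte UINT32 attribute word."""
    if len(raw) < 4:
        raise ValueError("efivarfs file shorter than its attribute header")
    return raw[4:]


def parse_signature_lists(data):
    """Walk an array of EFI_SIGNATURE_LIST structures.

    Returns one (signature_type, owner, payload) tuple per EFI_SIGNATURE_DATA
    entry. Malformed input raises ValueError instead of being silently cut short.
    """
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < SIGLIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = SIGLIST_HDR.unpack_from(data, off)
        if list_size < SIGLIST_HDR.size + hdr_size or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} too small to hold an owner GUID")
        body = data[off + SIGLIST_HDR.size + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature array at offset {off} is not a multiple of SignatureSize")
        sig_type = uuid.UUID(bytes_le=type_raw)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner precedes SignatureData
            entries.append((sig_type, owner, bytes(body[i + 16:i + sig_size])))
        off += list_size
    return entries


def sha1_fingerprint(der):
    """Colon-separated SHA1 of the DER blob, the form mokutil prints as 'SHA1 Fingerprint'."""
    h = hashlib.sha1(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def describe(entry):
    sig_type, owner, payload = entry
    if sig_type == EFI_CERT_X509_GUID:
        return f"X509 cert, {len(payload)} bytes, SHA1 Fingerprint: {sha1_fingerprint(payload)}, owner {owner}"
    if sig_type == EFI_CERT_SHA256_GUID:
        return f"SHA256 hash {payload.hex()}, owner {owner}"
    return f"{sig_type} entry, {len(payload)} bytes, owner {owner}"


def build_signature_list(sig_type, owner, payloads):
    """Serialise one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    sig_size = 16 + len(payloads[0])
    if any(16 + len(p) != sig_size for p in payloads):
        raise ValueError("entries in one list must share a SignatureSize")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return SIGLIST_HDR.pack(sig_type.bytes_le, SIGLIST_HDR.size + len(body), 0, sig_size) + body


# Constructed sample, not data from a real machine: one X509 list whose payload is a
# placeholder blob (not a real DER certificate) and one SHA256 list with two hashes.
SAMPLE_OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE_CERT = b"\x30\x82\x01\x00constructed-placeholder"
SAMPLE_HASHES = [hashlib.sha256(b"constructed-1").digest(), hashlib.sha256(b"constructed-2").digest()]
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT])
             + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES))


def summarize(name):
    """Parse a live variable from efivarfs; returns the entries, or None if unreadable."""
    path = efivar_path(name)
    try:
        data = strip_efivarfs_attributes(path.read_bytes())
    except (FileNotFoundError, PermissionError) as exc:
        print(f"{name}: cannot read {path}: {exc}")
        return None
    entries = parse_signature_lists(data)
    print(f"{name}: {len(data)} bytes of signature lists, {len(entries)} entries")
    for e in entries:
        print("  " + describe(e))
    return entries


if __name__ == "__main__":
    import sys
    for var in sys.argv[1:] or ["db", "dbx"]:
        summarize(var)
```

Run it as root on the affected machine (`./efidb.py db dbx`): if the variable files are several kilobytes and the parser lists X509 entries whose fingerprints match the vendor certificates visible in `keyctl show %:.platform`, the data really is in db and the empty `mokutil --db` output is a mokutil problem rather than a firmware or efivarfs one.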