Bug 1866107 - Following 1861977, the MOK list is inaccessible with "Couldn't get UEFI MokListRT" visible in the logs
Status: CLOSED DUPLICATE of bug 1877343
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: shim
Version: 8.2
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: 8.0
Assignee: Bootloader engineering team
QA Contact: Release Test Team
Reported: 2020-08-04 21:14 UTC by Kyle Walker
Modified: 2020-10-13 22:20 UTC

Last Closed: 2020-09-23 06:52:02 UTC
Type: Bug
Links:
 Red Hat Knowledge Base (Solution) 5295541 (last updated 2020-08-04 23:31:51 UTC)

Description Kyle Walker 2020-08-04 21:14:42 UTC
Description of problem:
 As noted in https://bugzilla.redhat.com/show_bug.cgi?id=1861977#c70, third party modules are no longer able to be loaded. This seems to be due to the system's Machine Owner Keyring being unavailable.

Version-Release number of selected component (if applicable):
  kernel-4.18.0-193.14.3.el8_2.x86_64
  shim-x64-15-15.el8_2.x86_64
  mokutil-0.3.0-9.el8.x86_64

How reproducible:
 Easily

Steps to Reproduce:
1. On a UEFI system with Secure Boot enabled, update the kernel/shim-*/mokutil packages
    $ yum update kernel shim mokutil

2. Reboot
    $ sudo reboot

3. Verify that the MOK list is empty
    $ sudo mokutil --list-enrolled

Actual results:
    $ sudo mokutil --list-enrolled
    MokListRT is empty


Expected results:
    $ sudo mokutil --list-enrolled
    <Multiple entries with "[key <val>]" at the heading>

Additional info:
 The kernel ring buffer includes the following errors when the failure occurs:

    kernel: Couldn't get size: 0x800000000000000e
    kernel: Couldn't get UEFI MokListRT

Downgrading shim and the kernel is sufficient to restore functionality.
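
The status value in the kernel messages above can be decoded mechanically. The following is an added example, not part of the original report or of the shim or kernel code: it decodes the 64-bit EFI_STATUS and pairs it with the UEFI variable named on the following log line, which shows the lookup of MokListRT returned EFI_NOT_FOUND. The function names, the status-code subset and the filler log lines are constructed for illustration.

```python
import re

EFI_ERROR_BIT = 1 << 63  # high bit of a 64-bit EFI_STATUS marks an error

# Subset of the UEFI specification's status codes, error bit stripped.
EFI_ERRORS = {2: "EFI_INVALID_PARAMETER", 3: "EFI_UNSUPPORTED",
              5: "EFI_BUFFER_TOO_SMALL", 7: "EFI_DEVICE_ERROR",
              9: "EFI_OUT_OF_RESOURCES", 14: "EFI_NOT_FOUND",
              15: "EFI_ACCESS_DENIED", 26: "EFI_SECURITY_VIOLATION"}

SIZE_RE = re.compile(r"Couldn't get size: (0x[0-9a-fA-F]+)")
VAR_RE = re.compile(r"Couldn't get UEFI (\w+)")


def decode_efi_status(value):
    """Return a symbolic name for a 64-bit EFI_STATUS value."""
    if value == 0:
        return "EFI_SUCCESS"
    if not value & EFI_ERROR_BIT:
        return f"warning/unknown (0x{value:x})"
    code = value & ~EFI_ERROR_BIT
    return EFI_ERRORS.get(code, f"unknown error {code}")


def find_keyring_failures(lines):
    """Pair each 'Couldn't get size' status with the variable named after it."""
    findings, pending = [], None
    for line in lines:
        m = SIZE_RE.search(line)
        if m:
            pending = int(m.group(1), 16)  # remember status until the name appears
            continue
        m = VAR_RE.search(line)
        if m:
            status = decode_efi_status(pending) if pending is not None else None
            findings.append((m.group(1), status))
            pending = None
    return findings


# Constructed sample: the two error lines from this report plus filler lines.
SAMPLE = """\
kernel: Secure boot enabled
kernel: Couldn't get size: 0x800000000000000e
kernel: Couldn't get UEFI MokListRT
kernel: Loaded X.509 cert 'constructed example key'
""".splitlines()

if __name__ == "__main__":
    for var, status in find_keyring_failures(SAMPLE):
        print(f"{var}: not loaded into the kernel keyring ({status})")
```

A result of EFI_NOT_FOUND means the kernel could not find the variable at all, which is a different condition from a variable that exists but is rejected or unreadable.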

Comment 1 Kyle Walker 2020-08-04 21:17:26 UTC
Sorry, downgrading shim-x64 alone is sufficient to restore functionality.

Comment 3 mckweb 2020-08-26 23:02:08 UTC
On RHEL 7.8 I am having a very similar issue where mokutil is not adding keys to the system keyring.

I attempted to downgrade shim-x64 and it has mokutil as a dependency. When I downgraded them both, now my machine won't start...

---> Package mokutil.x86_64 0:15-7el7_8 will be a downgrade
---> Package mokutil.x86_64 0:15-8el7_8 will be erased
---> Package shim-x64.x86_64 0:15-7el7_8 will be a downgrade
---> Package shim-x64.x86_64 0:15-8el7_8 will be erased

Luckily mokutil was set to verbose and the black screen is printing text about mirroring the key list, and that is what I believe is holding it up.

Comment 7 Javier Martinez Canillas 2020-09-23 06:52:02 UTC
Renaud confirmed that this is a duplicate of bug #1877343.

*** This bug has been marked as a duplicate of bug 1877343 ***

Comment 8 Peter Ajamian 2020-09-23 11:46:04 UTC
Why is this (original) bug being marked as a duplicate of another (newer) bug?  1877343 should be marked as the duplicate, not this one.  Or is it because you don't want the public to have access?

Comment 9 Phil Perry 2020-09-23 12:42:14 UTC
If anyone has access to the new bug, please add me to the CC list.

Do we need to open a support case to get this fixed? It took 6 weeks to be marked as urgent.

Comment 10 Renaud Métrich 2020-09-23 12:56:03 UTC
Sorry we did some cleanup and didn't realize the BZ was private. It's now public and I added you to CC.

Comment 11 Peter Ajamian 2020-09-23 12:57:59 UTC
Thanks Renaud

