Bug 2004384 - [aarch64] kernel image signed by MOK key couldn't be loaded via kexec when lockdown is enabled
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: kernel
Version: 9.0
Hardware: aarch64
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: beta
Target Release: ---
Assignee: Coiby
QA Contact: Jie Li
URL:
Whiteboard:
Depends On: 1986249 2002350
Blocks:
Reported: 2021-09-15 07:35 UTC by Coiby
Modified: 2023-05-09 09:29 UTC

Fixed In Version: kernel-5.14.0-178.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1986249
Environment:
Last Closed: 2023-05-09 07:55:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Gitlab | redhat/centos-stream/src/kernel centos-stream-9 merge_requests 1378 | 0 | None | opened | arm64: kexec_file: use more system keyrings to verify kernel image signature | 2022-10-11 01:43:00 UTC
Red Hat Issue Tracker | RHELPLAN-98189 | 0 | None | None | None | 2021-09-26 01:09:41 UTC
Red Hat Product Errata | RHSA-2023:2458 | 0 | None | None | None | 2023-05-09 07:56:02 UTC

Description Coiby 2021-09-15 07:35:15 UTC
+++ This bug was initially created as a clone of Bug #1986249 +++

Description of problem:

If a kernel image is signed by a MOK key which has been enrolled but is not included in the system keyring, this kernel image would be rejected with the error "Lockdown: kexec: kexec of unsigned images is restricted; see man kernel_lockdown.7". 

Version-Release number of selected component (if applicable):


How reproducible:

always

Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 14 errata-xmlrpc 2023-05-09 07:55:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: kernel security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2458

