This bug has been migrated to another issue tracking site. It has been closed here and may no longer be monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at the Red Hat Issue Tracker.
Bug 2228419 - mokutil --db gives empty result when UEFI db is not empty
Summary: mokutil --db gives empty result when UEFI db is not empty
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: mokutil
Version: 9.3
Hardware: aarch64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Bootloader engineering team
QA Contact: Oliver Gutiérrez
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-02 11:12 UTC by Coiby
Modified: 2023-09-16 19:44 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-09-16 19:44:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Links:
Red Hat Issue Tracker RHEL-4393 - Status: Migrated - Last Updated: 2023-09-16 19:44:05 UTC
Red Hat Issue Tracker RHELPLAN-164944 - Last Updated: 2023-08-09 01:53:43 UTC

Description Coiby 2023-08-02 11:12:46 UTC
Description of problem:

mokutil --db outputs nothing when UEFI db is not empty (these certificates have been successfully added to the .platform keyring).


    [root@ampere-mtsnow-altramax-56 ~]# mokutil --db
    # only one MOK key
    [root@ampere-mtsnow-altramax-56 ~]# mokutil --list-enrolled
    [key 1]
    SHA1 Fingerprint: cf:92:30:e6:90:00:07:67:27:e5:b7:84:ec:87:1d:22:71:6d:c5:da
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                ad:8e:19:64:68:34:ff:5d
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert
            Subject: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert
    # Red Hat Secure Boot (CA key 1) is the VENDOR_CERT
    # the remaining certificates are from UEFI db
    [root@ampere-mtsnow-altramax-56 ~]# keyctl show %:.platform
    Keyring
     908170642 ---lswrv      0     0  keyring: .platform
     361514782 ---lswrv      0     0   \_ asymmetric: SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f
     281841880 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
     466944821 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
     137624747 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
     777544007 ---lswrv      0     0   \_ asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
     797997726 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63


Version-Release number of selected component (if applicable):


How reproducible:

Always

Steps to Reproduce:
1. Install RHEL9.3 on a UEFI machine, e.g. ampere-mtsnow-altramax-56.khw4.lab.eng.bos.redhat.com, which has a non-empty factory default db
2. mokutil --db

Actual results:

"mokutil --db" outputs nothing.

Expected results:

"mokutil --db" should list the certificates in UEFI db.

Additional info:

This can be reproduced on Fedora 38 and 39 as well.

Comment 1 Coiby 2023-08-09 01:52:33 UTC
Note that "mokutil --dbx" is empty as well, while %:.blacklist is not:

    [root@ampere-mtsnow-altramax-04 ~]# mokutil --dbx
    [root@ampere-mtsnow-altramax-04 ~]# keyctl show %:.blacklist
    Keyring
     698261956 ---lswrv      0     0  keyring: .blacklist
      63779173 ---lswrv      0     0   \_ blacklist: bin:075eea060589548ba060b2feed10da3c20c7fe9b17cd026b94e8a683b8115238
     863401660 ---lswrv      0     0   \_ blacklist: bin:c83cb13922ad99f560744675dd37cc94dcad5a1fcba6472fee341171d939e884
     409547307 ---lswrv      0     0   \_ blacklist: bin:cb6b858b40d3a098765815b592c1514a49604fafd60819da88d7a76e9778fef7
    ...
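To cross-check what mokutil prints against what the firmware actually stores, the following added example (not from the bug report and not mokutil's code) parses the raw EFI_SIGNATURE_LIST chain that the UEFI db and dbx variables are made of, so the entry count can be compared with the keys that keyctl shows in %:.platform and %:.blacklist. The function names, the efivarfs path and the constructed sample data are this example's own assumptions; the GUIDs are the standard ones from the UEFI specification.

```python
# Added example (not from the bug report or mokutil): parse raw UEFI db/dbx contents.
import struct
import uuid
from pathlib import Path

# Standard UEFI GUIDs (from the UEFI specification, not from the bug report).
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3e70-4b7c-9f2d-a0f5d7a6e2a1"
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
ESL_HEADER = 16 + 4 + 4 + 4  # SignatureType GUID + three UINT32 size fields

def parse_esl(data):
    """Return [(type_name, owner_guid, payload), ...] for every EFI_SIGNATURE_DATA
    entry in a concatenation of EFI_SIGNATURE_LIST structures (db/dbx layout)."""
    entries, off = [], 0
    while off + ESL_HEADER <= len(data):
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < ESL_HEADER or end > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + ESL_HEADER + hdr_size  # skip the (usually empty) SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])  # SignatureOwner
            payload = data[pos + 16:pos + sig_size]        # DER cert or raw hash
            entries.append((SIG_TYPE_NAMES.get(sig_type, str(sig_type)), owner, payload))
            pos += sig_size
        off = end
    return entries

def read_efivar(name, guid=EFI_IMAGE_SECURITY_DATABASE_GUID):
    """Read db/dbx from efivarfs; the first 4 bytes are the variable attributes."""
    return Path("/sys/firmware/efi/efivars/%s-%s" % (name, guid)).read_bytes()[4:]

def build_esl(sig_type, sigs):
    """Build one EFI_SIGNATURE_LIST (all entries in a list share one size)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", ESL_HEADER + len(body), 0,
                                           16 + len(sigs[0])) + body

# Constructed sample data (not a real db): two fake x509 entries, one sha256 hash.
SAMPLE_DB = (build_esl(EFI_CERT_X509_GUID, [b"CERT-A" * 3, b"CERT-B" * 3])
             + build_esl(EFI_CERT_SHA256_GUID, [bytes(range(32))]))

if __name__ == "__main__":
    for kind, owner, payload in parse_esl(SAMPLE_DB):
        print(kind, owner, len(payload))
```

On the machine from the report the same parser runs as `parse_esl(read_efivar("db"))` or `parse_esl(read_efivar("dbx"))` (root is needed to read efivarfs), and a non-zero entry count alongside empty mokutil output confirms the symptom described above.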

Comment 2 RHEL Program Management 2023-09-16 19:43:20 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 3 RHEL Program Management 2023-09-16 19:44:11 UTC
This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated. Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer. You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.

