Description of problem:
mokutil --db outputs nothing when UEFI db is not empty (these certificates have been successfully added to the .platform keyring).

[root@ampere-mtsnow-altramax-56 ~]# mokutil --db

# only one MOK key
[root@ampere-mtsnow-altramax-56 ~]# mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: cf:92:30:e6:90:00:07:67:27:e5:b7:84:ec:87:1d:22:71:6d:c5:da
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: ad:8e:19:64:68:34:ff:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert
        Subject: CN=Red Hat Secure Boot (CA key 1)/emailAddress=secalert

# Red Hat Secure Boot (CA key 1) is the VENDOR_CERT
# the rest of the certificates are from UEFI db
[root@ampere-mtsnow-altramax-56 ~]# keyctl show %:.platform
Keyring
 908170642 ---lswrv      0     0  keyring: .platform
 361514782 ---lswrv      0     0   \_ asymmetric: SUSE Linux Enterprise Secure Boot CA: 3d4d40cf938539024b1cfc5a12dedfe8b17e755f
 281841880 ---lswrv      0     0   \_ asymmetric: Red Hat Secure Boot (CA key 1): 4016841644ce3a810408050766e8f8a29c65f85c
 466944821 ---lswrv      0     0   \_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4
 137624747 ---lswrv      0     0   \_ asymmetric: Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53
 777544007 ---lswrv      0     0   \_ asymmetric: Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42
 797997726 ---lswrv      0     0   \_ asymmetric: Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL9.3 on a UEFI machine, e.g. ampere-mtsnow-altramax-56.khw4.lab.eng.bos.redhat.com, which has a non-empty factory default db
2. mokutil --db

Actual results:
"mokutil --db" outputs nothing.

Expected results:
"mokutil --db" should list the certificates in UEFI db.

Additional info:
This can be reproduced on Fedora 38 and 39 as well.

Note "mokutil --dbx" is empty as well while %:.blacklist is not,

[root@ampere-mtsnow-altramax-04 ~]# mokutil --dbx
[root@ampere-mtsnow-altramax-04 ~]# keyctl show %:.blacklist
Keyring
 698261956 ---lswrv      0     0  keyring: .blacklist
  63779173 ---lswrv      0     0   \_ blacklist: bin:075eea060589548ba060b2feed10da3c20c7fe9b17cd026b94e8a683b8115238
 863401660 ---lswrv      0     0   \_ blacklist: bin:c83cb13922ad99f560744675dd37cc94dcad5a1fcba6472fee341171d939e884
 409547307 ---lswrv      0     0   \_ blacklist: bin:cb6b858b40d3a098765815b592c1514a49604fafd60819da88d7a76e9778fef7
...
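
Added example, not part of the original report and not mokutil's own code: a Python parser that reads the firmware db variable directly from efivarfs and lists its EFI_SIGNATURE_LIST entries, giving an independent view of what db holds when "mokutil --db" prints nothing. The efivarfs path and the fallback sample are assumptions of this example; the sample data is constructed.

```python
import hashlib
import struct
import uuid
from pathlib import Path

# Signature type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Assumed efivarfs location of db (EFI_IMAGE_SECURITY_DATABASE_GUID).
DB_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(data):
    """Yield (kind, owner_guid, hex_digest) for every entry in a db/dbx payload."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_len = list_size - 28 - hdr_size
        if body_len < 0 or off + list_size > len(data) or sig_size <= 16 or body_len % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        start = off + 28 + hdr_size
        for i in range(start, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=data[i:i + 16])
            payload = data[i + 16:i + sig_size]
            if sig_type == EFI_CERT_X509_GUID:
                # Payload is a DER certificate; report its SHA-1 fingerprint.
                yield "x509", owner, hashlib.sha1(payload).hexdigest()
            elif sig_type == EFI_CERT_SHA256_GUID:
                # Payload is already a SHA-256 image hash.
                yield "sha256", owner, payload.hex()
            else:
                yield str(sig_type), owner, hashlib.sha256(payload).hexdigest()
        off += list_size


def build_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST from equal-sized payloads (constructed sample input)."""
    size = 16 + len(payloads[0])
    head = sig_type.bytes_le + struct.pack("<III", 28 + size * len(payloads), 0, size)
    return head + b"".join(owner.bytes_le + p for p in payloads)


if __name__ == "__main__":
    if Path(DB_PATH).exists():
        data = Path(DB_PATH).read_bytes()[4:]  # skip the 4-byte attributes prefix
    else:  # not a UEFI system: fall back to constructed sample data
        data = build_list(EFI_CERT_SHA256_GUID, uuid.UUID(int=0), [bytes(32)])
    for kind, owner, digest in parse_signature_lists(data):
        print(kind, owner, digest)
```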