
linux-oem-22.04a does not load the MOK certificates

Ask Ubuntu user
Asked 2022-05-25 04:04:09
1 answer · 593 views · 0 followers · 0 votes

I have started testing the OEM kernel on Ubuntu 22.04 Jammy. While doing so I wondered why none of my DKMS modules are loaded when Secure Boot is active, although they are correctly signed. After quite a long time of research I found that the MOK certificates are not loaded during boot. This is from `journalctl -k` with the HWE kernel (currently 5.15.0-33-generic), where everything is fine:

Mai 25 00:14:56 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 25 00:14:56 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 25 00:14:56 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 25 00:14:56 silvershadow kernel: Key type ._fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type .fscrypt registered
Mai 25 00:14:56 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 25 00:14:56 silvershadow kernel: Key type trusted registered
Mai 25 00:14:56 silvershadow kernel: Key type encrypted registered
Mai 25 00:14:56 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 25 00:14:56 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 25 00:14:56 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>
Mai 25 00:14:56 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 25 00:14:56 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: cee583cd7127fcb5e727bd8fee80ccf9b6c19422'
Mai 25 00:14:56 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 25 00:14:56 silvershadow kernel: ima: No architecture policies found

This is from `journalctl -k` with the OEM kernel (currently 5.17.0-1006-oem), where the MOK certificates are not loaded:

Mai 24 23:53:20 silvershadow kernel: Loading compiled-in X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969'
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19'
Mai 24 23:53:20 silvershadow kernel: blacklist: Loading compiled-in revocation X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
Mai 24 23:53:20 silvershadow kernel: zswap: loaded using pool lzo/zbud
Mai 24 23:53:20 silvershadow kernel: Key type ._fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type .fscrypt registered
Mai 24 23:53:20 silvershadow kernel: Key type fscrypt-provisioning registered
Mai 24 23:53:20 silvershadow kernel: Key type trusted registered
Mai 24 23:53:20 silvershadow kernel: Key type encrypted registered
Mai 24 23:53:20 silvershadow kernel: AppArmor: AppArmor sha1 policy hashing enabled
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: 637fa7a9f74471b406de0511557071fd41dd5487'
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: dd4df7c3f5ce7e5a77847915abc3>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17>
Mai 24 23:53:20 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:db
Mai 24 23:53:20 silvershadow kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a>
Mai 24 23:53:20 silvershadow kernel: integrity: Revoking X.509 certificate: UEFI:dbx
Mai 24 23:53:20 silvershadow kernel: blacklist: Revoked X.509 cert 'Microsoft Windows PCA 2010: d14fa98a0708cef4241898e500fff3d6791d37bc'
Mai 24 23:53:20 silvershadow kernel: Loading compiled-in module X.509 certificates
Mai 24 23:53:20 silvershadow kernel: Loaded X.509 cert 'Build time autogenerated kernel key: f588ef5f31df3af9af115966e412ed048604418c'
Mai 24 23:53:20 silvershadow kernel: ima: Allocated hash algorithm: sha1
Mai 24 23:53:20 silvershadow kernel: ima: No architecture policies found

The part that loads the MOK certificates (5.15.0-33-generic):

Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b66>
Mai 25 00:14:56 silvershadow kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Mai 25 00:14:56 silvershadow kernel: integrity: Loaded X.509 cert 'silvershadow Secure Boot Module Signature key: d0f162f7b494c7188637ff51f>

is missing when booting 5.17.0-1006-oem.

How is this possible?

This is on a Dell XPS 17 9710 with the latest BIOS update (1.81) and the latest Jammy updates. silvershadow is the hostname ;)

Let me know if you need more information.


1 Answer

Ask Ubuntu user

Posted 2023-04-13 09:46:35

I am testing on linux-image-5.17.0-1003-oem (Ubuntu 22.04) and I believe this commit is relevant: https://github.com/torvalds/linux/commit/92ad19559ea9a8ec6f158480934ae26ebfe2c14f

Loading the MOK list is skipped depending on arch_ima_get_secureboot, which relies on the config option CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT.

But in linux-image-5.17.0-1003, CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set, so the kernel always skips loading the list.

0 votes
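As an added example (not code from the question or the answer), the following POSIX shell script automates the check this thread does by hand: it counts the certificates the kernel logs as loaded from UEFI:MokListRT and looks up CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT in a kernel config file, then combines the two into a verdict. The log lines and the config file it ships with are constructed test input modelled on the two logs above (hashes and hostname replaced); the function names and the verdict strings are my own choices.

```shell
#!/bin/sh
# Added diagnostic, not code from the Ask Ubuntu thread. It checks the two
# facts the answer ties together: whether `journalctl -k` shows certificates
# being loaded from UEFI:MokListRT, and whether the running kernel's config
# has CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT enabled.

# Count how many certificates the kernel reports loading from the MOK list.
# Reads kernel log text on stdin and prints the count (0 if none).
count_mok_certs() {
    grep -c 'integrity: Loading X.509 certificate: UEFI:MokListRT' || true
}

# Print "y" if the given kernel config file enables
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT, "n" otherwise (also when the file
# is missing or the option appears as "# ... is not set").
ima_secureboot_config() {
    if grep -q '^CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y' "$1" 2>/dev/null; then
        echo y
    else
        echo n
    fi
}

# Verdict for the kernel whose log is on stdin and whose config file is $1:
#   mok-loaded:<n>            n certificates came from MokListRT
#   mok-skipped:config-unset  nothing loaded and the IMA option is off,
#                             the situation the answer describes
#   mok-skipped:other         nothing loaded although the option is on
diagnose() {
    mok=$(count_mok_certs)
    cfg=$(ima_secureboot_config "$1")
    if [ "$mok" -gt 0 ]; then
        echo "mok-loaded:$mok"
    elif [ "$cfg" = n ]; then
        echo "mok-skipped:config-unset"
    else
        echo "mok-skipped:other"
    fi
}

# Constructed sample input modelled on the question's two logs (hashes and
# hostname replaced; not copied from a real machine).
GENERIC_LOG=$(cat <<'EOF'
May 25 00:14:56 host kernel: integrity: Loading X.509 certificate: UEFI:db
May 25 00:14:56 host kernel: integrity: Loaded X.509 cert 'Vendor DB Key: 0000'
May 25 00:14:56 host kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
May 25 00:14:56 host kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: 1111'
May 25 00:14:56 host kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
May 25 00:14:56 host kernel: integrity: Loaded X.509 cert 'host Secure Boot Module Signature key: 2222'
May 25 00:14:56 host kernel: Loading compiled-in module X.509 certificates
EOF
)
OEM_LOG=$(cat <<'EOF'
May 24 23:53:20 host kernel: integrity: Loading X.509 certificate: UEFI:db
May 24 23:53:20 host kernel: integrity: Loaded X.509 cert 'Vendor DB Key: 0000'
May 24 23:53:20 host kernel: integrity: Revoking X.509 certificate: UEFI:dbx
May 24 23:53:20 host kernel: Loading compiled-in module X.509 certificates
EOF
)

# Stand-alone demo with a constructed config in which the option is unset,
# as the answer reports for linux-image-5.17.0-1003-oem.
# On a live machine use:  journalctl -k -b | diagnose /boot/config-$(uname -r)
demo_cfg=$(mktemp)
echo '# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set' > "$demo_cfg"
printf '%s\n' "$GENERIC_LOG" | diagnose "$demo_cfg"   # mok-loaded:2
printf '%s\n' "$OEM_LOG" | diagnose "$demo_cfg"       # mok-skipped:config-unset
rm -f "$demo_cfg"
```

The log check is the same evidence the question relies on, just counted instead of eyeballed; the config check tests the cause the answer names. On a live system, `keyctl show %:.platform` (from keyutils) lists what actually ended up in the platform keyring, and `mokutil --sb-state` confirms Secure Boot is enabled, which is what makes the missing MOK certificates matter for signed DKMS modules.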
Original content provided by Ask Ubuntu.
Original link:

https://askubuntu.com/questions/1410460
