Comment # 8
on bug 1198167
from Kenneth Aaker
I've been digging around to try to figure out something that works for my
situation. So far, I've learned that MOK stands for "Machine Owner Key(s)",
and that when the system was working previously, it was probably booting
through an old BIOS boot, so secure boot wasn't an issue. I also realized that
I have a functional system in a very similar state (with an older ASUS
motherboard) that is probably booting in the old BIOS mode. Anyway, I'd like
to add some more information. Here's the "mokutil --list-enrolled" output.
The interesting bit might be that the last certificate "SHA1 fingerprint:
bd:d3...." seems to be the certificate that is associated with the OpenSUSE
build system.
Thing is, from the "failure" message, I can't tell anything about the key(s)
that are supposed to be in use.
[key 1]
SHA1 Fingerprint: bc:a4:e3:8e:d1:84:2b:c8:6f:f7:6d:4d:a7:49:51:f1:62:88:59:f8
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg,
O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
Validity
Not Before: Apr 18 14:33:41 2013 GMT
Not After : Mar 14 14:33:41 2035 GMT
Subject: CN=SUSE Linux Enterprise Secure Boot CA, C=DE, L=Nuremberg,
O=SUSE Linux Products GmbH, OU=Build Team/emailAddress=build@suse.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:cd:fd:ab:d7:2a:84:f8:81:c3:36:35:50:35:2c:
c7:ec:04:f1:f4:d6:cc:60:4b:c8:13:b3:74:9b:bd:
f6:c4:3f:63:3e:66:51:f2:7e:3f:6e:7c:76:7b:71:
9d:69:21:2a:15:9b:aa:a5:e5:56:c8:79:98:12:35:
cd:7b:63:8c:b8:37:29:ee:77:50:bc:b7:64:8f:fe:
26:4a:e5:83:18:1c:6c:5d:b4:87:ef:d7:33:c4:f8:
1a:3f:29:9a:84:5a:01:e0:d9:81:6d:31:77:62:29:
f5:c1:65:14:df:4a:1d:fb:b7:4a:46:3b:f3:90:8b:
a2:b8:26:2a:0a:c3:9e:54:b5:03:60:81:e3:d9:58:
35:ed:b0:0b:e2:4f:6b:ef:69:ba:8b:47:df:a4:c5:
da:d0:d2:25:aa:85:63:3e:2f:05:db:4c:69:02:a6:
0e:35:b3:c2:ae:70:b0:ff:25:80:31:c7:0d:39:74:
a3:c0:a4:50:cd:9f:3f:85:b7:62:fb:7b:92:6d:c8:
1e:12:d2:ee:0f:96:f4:01:30:d1:ed:e2:10:ec:d2:
b2:b8:a1:e1:c5:2d:b3:b1:1e:f8:c5:fa:79:68:9d:
e5:a1:92:0f:5e:4f:45:42:7e:90:18:55:8c:fe:c2:
13:31:b8:21:de:ac:30:9d:99:e1:6b:44:61:0c:43:
3d:75
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
X509v3 Authority Key Identifier:
keyid:EC:AB:0D:42:C4:56:CF:77:04:36:B9:73:99:38:62:96:5E:87:26:2F
DirName:/CN=SUSE Linux Enterprise Secure Boot
CA/C=DE/L=Nuremberg/O=SUSE Linux Products GmbH/OU=Build
Team/emailAddress=build@suse.de
serial:01
X509v3 Key Usage: critical
Digital Signature, Certificate Sign, CRL Sign
Signature Algorithm: sha256WithRSAEncryption
12:be:2c:85:85:5a:94:59:cd:49:51:08:17:c1:d9:63:27:29:
d3:9e:9d:3f:15:03:99:24:14:9e:ed:77:41:18:f9:b2:f7:5f:
b7:21:3a:ab:5e:0c:aa:a3:fd:b5:f0:a2:12:89:09:79:dd:09:
70:a6:af:9c:22:21:91:02:26:b5:0f:ba:7b:c1:b8:3b:c2:c8:
3e:4e:bb:74:cd:91:57:7a:cd:f4:c1:f6:2a:e6:98:df:59:a7:
44:04:08:0d:09:f7:e4:07:3d:74:4d:28:cb:8d:0a:d5:c1:6e:
4d:fb:25:09:32:8a:be:af:ce:37:4f:35:79:e8:7b:b2:e8:b0:
4e:56:12:39:c9:3c:fb:5f:b8:b6:ad:22:58:7f:24:16:33:ca:
1e:1c:b8:fc:62:5e:4c:ac:e0:7d:83:24:ee:9b:10:78:98:e2:
e6:4a:ac:0a:cc:98:94:07:4a:69:18:fa:21:74:b5:12:48:42:
83:76:8e:8a:48:7f:c6:8d:1e:cc:ee:e0:62:73:09:f3:c0:90:
f7:49:57:d3:f6:7c:7d:1c:a1:76:9d:76:65:1e:fb:39:56:24:
10:ae:ed:ea:3f:5b:5c:ea:2d:1e:5c:49:cf:4d:85:b6:fb:39:
19:70:dd:1e:e6:21:f2:a3:31:19:1e:c3:b4:ae:f7:35:a7:a1:
b4:61:6b:4e
[key 2]
SHA1 Fingerprint: bd:d3:1a:9e:0f:7e:d3:12:76:84:65:e6:57:8e:0d:c0:00:64:46:16
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
fa:be:d8:bf:40:9a:5e:64
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=openSUSE Secure Boot CA, C=DE, L=Nuremberg, O=openSUSE
Project/emailAddress=build@opensuse.org
Validity
Not Before: Mar 2 13:01:54 2021 GMT
Not After : Jan 9 13:01:54 2031 GMT
Subject: CN=openSUSE Secure Boot Signkey, C=DE, L=Nuremberg, O=openSUSE
Project/emailAddress=build@opensuse.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:f2:c8:f4:01:12:b8:0d:1a:a9:72:e0:47:05:fb:
95:4d:6d:77:a1:e1:0b:73:a3:fa:4c:0a:24:9b:c5:
fe:4c:00:fb:5b:e2:5b:fd:5c:0b:8b:d2:f6:6b:a2:
80:51:de:dd:be:02:3f:06:7d:59:1c:5b:e5:6c:a2:
de:7c:4f:d5:f8:d8:c0:59:b2:80:19:ea:5a:fc:cc:
4f:11:99:04:5b:a1:71:04:29:48:f0:db:8d:63:84:
88:5b:29:55:96:ef:90:11:7b:b7:47:2e:d4:47:29:
29:a1:e5:fa:93:ea:55:d5:ab:87:5d:66:93:b6:d2:
8e:76:06:01:9d:01:14:74:37:6e:78:42:b8:7d:7e:
a7:83:c8:30:b0:05:64:84:50:f6:cb:96:f6:de:5c:
68:ea:07:2b:aa:62:7e:2b:0e:63:2f:96:47:76:bf:
d8:01:53:09:92:1d:64:8b:9e:56:9b:cf:1e:11:a0:
8c:40:e8:13:4c:27:a0:08:39:94:a0:e7:f9:20:14:
4b:b2:62:5b:2f:e1:75:3d:94:73:f3:a3:1f:5a:27:
5e:2f:7d:91:35:83:38:cc:10:03:e8:36:77:b2:40:
3e:d2:ee:7a:97:0a:a6:25:1b:15:a4:7e:ec:a2:58:
5a:19:1f:8a:de:96:63:3e:34:b0:2e:90:3c:c0:07:
22:3f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
9D:DF:43:D9:F1:A0:27:27:3F:52:C6:C0:77:59:08:EE:01:67:13:25
X509v3 Authority Key Identifier:
keyid:68:42:60:0D:E2:2C:4C:47:7E:95:BE:23:DF:EA:95:13:E5:97:17:62
DirName:/CN=openSUSE Secure Boot CA/C=DE/L=Nuremberg/O=openSUSE
Project/emailAddress=build@opensuse.org
serial:01
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
Code Signing
Signature Algorithm: sha256WithRSAEncryption
9e:32:bb:ac:bd:d3:fc:5b:b8:e3:71:10:48:1d:dc:57:65:7c:
e2:94:1c:39:c4:1f:dd:d0:92:c7:c5:53:d7:86:53:82:4a:75:
44:63:38:aa:be:15:f1:fa:00:ec:5c:ab:f5:41:3e:c7:6c:c4:
33:37:15:cb:67:99:d9:a8:a1:3b:fa:9a:43:f2:46:66:2f:1c:
a7:5a:63:ab:49:cd:31:44:23:81:71:74:60:6c:a7:41:a9:e3:
6f:fe:3c:57:97:8e:17:d6:75:87:fc:10:d0:72:12:4d:d9:30:
b2:f1:94:4b:49:5e:1d:3d:cb:8d:75:8d:44:bf:50:06:9d:50:
8b:90:39:20:4e:6d:f2:fa:57:3b:10:2f:1c:d4:ec:2a:cc:7a:
c7:6a:7c:47:7c:95:2d:7e:eb:63:ce:31:bc:12:42:a8:70:d8:
f6:d6:03:43:65:5b:55:7e:c2:13:0e:71:f4:57:df:a1:b6:29:
63:fb:35:94:25:7f:7e:13:93:86:6f:ea:fe:9f:4f:af:78:72:
77:12:8f:e0:fa:31:c7:00:6d:20:8f:e9:d3:32:53:31:61:04:
7c:eb:0a:ff:30:12:de:ff:0b:b6:5c:fc:de:04:e4:59:7f:b6:
a1:7a:63:fd:64:45:b1:85:88:11:74:cf:c0:49:b8:33:06:16:
c7:0e:6b:33