[Bug 1189841] New: Secure Boot certificate no longer queued for import into MOK
https://bugzilla.suse.com/show_bug.cgi?id=1189841

Bug ID: 1189841
Summary: Secure Boot certificate no longer queued for import into MOK
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: msuchanek@suse.com
Reporter: jeffm@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Since kernel-source commit 18f65dfce6af8bef50878fb80ba29f6d8626a918, automatically queuing the secure boot certificate isn't happening. This is because the post.sh changes cause the scriptlet to exit unconditionally but the secure boot handling adds to the end of the script after the exit:

[...]
# check if something failed
[ $wm2_rc != 0 ] && exit $wm2_rc
exit $rc
# vim: set sts=4 sw=4 ts=8 noet:
if ! command -v mokutil >/dev/null; then
    exit 0
fi
[...]

This change has also been adopted in SLE.

--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.suse.com/show_bug.cgi?id=1189841#c25
--- Comment #25 from Martin Wilck
Created attachment 852264 [details] WIP patch for s-m-t
I'd prefer to discuss the details on https://github.com/openSUSE/suse-module-tools/pull/33 (Hint: automated OBS builds in https://build.opensuse.org/package/show/home:mwilck:home:mwilck:suse-module-...)
https://bugzilla.suse.com/show_bug.cgi?id=1189841#c26
--- Comment #26 from Martin Wilck
Created attachment 852319 [details] packaging: Outsource binary and KMP scriptlets to s-m-t
Add the tests for zfcpdump to the scripts in s-m-t, too?
https://bugzilla.suse.com/show_bug.cgi?id=1189841#c27
--- Comment #27 from Michal Suchanek
(In reply to Michal Suchanek from comment #23)
> Created attachment 852319 [details] packaging: Outsource binary and KMP scriptlets to s-m-t
> Add the tests for zfcpdump to the scripts in s-m-t, too?

Why? The s-m-t scripts are not called for zfcpdump kernel (it should probably not require them either but whatever). The decision to not call the scripts for zfcpdump kernels is then done in the kernel, and can be adjusted there to different flavors. The configuration that makes the zfcpdump kernel special is in the kernel-source tree so that's the place where the information to decide this is present.
https://bugzilla.suse.com/show_bug.cgi?id=1189841#c28
--- Comment #28 from Martin Wilck
> The configuration that makes the zfcpdump kernel special is in the kernel-source tree so that's the place where the information to decide this is present.

OK, fine.
https://bugzilla.suse.com/show_bug.cgi?id=1189841#c60
Martin Wilck
post name: kernel-default version: 5.3.18 release: 21.1.gafe7c6c kernelrelease: 5.3.18-21.gafe7c6c flavor: default variant: usrmerged: 0 image: vmlinuz certs: 1245A689 -- 2
Triggering purge-kernels
wm2 --add-kernel 5.3.18-21.gafe7c6c-default
cert post ca-check: 1 certs: 1245A689 -- 2
EFI variables are not supported on this system
mokutil --import /etc/uefi/certs/1245A689.crt --root-pw
EFI variables are not supported on this system
Failed to import /etc/uefi/certs/1245A689.crt
warning: %post(kernel-default-5.3.18-21.1.gafe7c6c.x86_64) scriptlet failed, exit status 1

I suggest adding something like this to cert-script:

if ! mokutil --sb-state 2>/dev/null; then
    exit 0
fi

mokutil --sb-state succeeds on uefi systems (with and without SB) whereas it fails on BIOS systems. Ok?
https://bugzilla.suse.com/show_bug.cgi?id=1189841#c62
Michal Suchanek
> Michal, your new scripts cause mokutil to be called not only for the -ueficert package, but also for ordinary kernel packages (rpm-script calls cert-script).

Yes, that's expected. The ueficert script was appended to the rpm script (when there were any signing certificates) but due to the error handling the rpm script would exit before the ueficert script so it would not get executed which is this bug.

> I suggest adding something like this to cert-script:
>
> if ! mokutil --sb-state 2>/dev/null; then
>     exit 0
> fi
>
> mokutil --sb-state succeeds on uefi systems (with and without SB) whereas it fails on BIOS systems.
>
> Ok?

This sounds OK. Maybe also a separate bug should be filed to track this.
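The failure mode from the report and the `--sb-state` guard proposed in comment #60, reproduced as an added example that is not part of the original thread or of the kernel-source / suse-module-tools scripts. The stub `mokutil`, the file names and `EXAMPLE.crt` are constructed placeholders, and the rpm scriptlet is reduced to the tail quoted in the report.

```sh
#!/bin/sh
# Added illustration: the stub mokutil, file names and EXAMPLE.crt are constructed.
DEMO=$(mktemp -d); export DEMO
export MOK_LOG="$DEMO/mokutil.log"
mkdir "$DEMO/bin"

# Stub mokutil: logs its arguments; fails like a BIOS machine when FAKE_BIOS=1.
cat > "$DEMO/bin/mokutil" <<'EOF'
#!/bin/sh
printf '%s\n' "$*" >> "$MOK_LOG"
[ "$FAKE_BIOS" = 1 ] || exit 0
echo "EFI variables are not supported on this system" >&2
exit 1
EOF
chmod +x "$DEMO/bin/mokutil"

# Tail of the rpm scriptlet as quoted in the report (rc values fixed at 0 here).
cat > "$DEMO/rpm-tail.sh" <<'EOF'
rc=0; wm2_rc=0
# check if something failed
[ $wm2_rc != 0 ] && exit $wm2_rc
exit $rc
EOF

# Certificate handling without and with the --sb-state guard from comment #60.
cat > "$DEMO/cert-noguard.sh" <<'EOF'
if ! command -v mokutil >/dev/null; then
    exit 0
fi
mokutil --import /etc/uefi/certs/EXAMPLE.crt --root-pw || exit 1
EOF
{ printf 'if ! mokutil --sb-state 2>/dev/null; then\n    exit 0\nfi\n'
  cat "$DEMO/cert-noguard.sh"; } > "$DEMO/cert-guard.sh"

# Before: certificate code appended after the unconditional exit (this bug).
cat "$DEMO/rpm-tail.sh" "$DEMO/cert-noguard.sh" > "$DEMO/appended.sh"

# After: the rpm script calls the certificate script before it exits.
make_calling() {  # $1 = certificate script to call, $2 = output name
    { echo 'rc=0; wm2_rc=0'; echo "sh \"\$DEMO/$1\" || rc=\$?"
      sed 1d "$DEMO/rpm-tail.sh"; } > "$DEMO/$2"
}
make_calling cert-noguard.sh calling-noguard.sh
make_calling cert-guard.sh calling-guard.sh

# Run one scriptlet; print "<exit status> <number of mokutil --import calls>".
run_scriptlet() {  # $1 = script name, $2 = 1 to simulate a BIOS system
    : > "$MOK_LOG"
    st=0
    PATH="$DEMO/bin:$PATH" FAKE_BIOS="$2" sh "$DEMO/$1" || st=$?
    echo "$st $(grep -c -- --import "$MOK_LOG")"
}

for s in appended.sh calling-noguard.sh calling-guard.sh; do
    echo "$s: UEFI=$(run_scriptlet "$s" 0) BIOS=$(run_scriptlet "$s" 1)"
done
```

The `appended.sh` row reports status 0 with no import attempted in either mode, which is why the regression produced no error at install time.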
https://bugzilla.suse.com/show_bug.cgi?id=1189841
Bug 1189841 depends on bug 1191260, which changed state.

Bug 1191260 Summary: kernel 5.14.8 post scriptlets failing
https://bugzilla.suse.com/show_bug.cgi?id=1191260

What       |Removed      |Added
----------------------------------------------------------------------------
Status     |IN_PROGRESS  |RESOLVED
Resolution |---          |FIXED
https://bugzilla.suse.com/show_bug.cgi?id=1189841
Bug 1189841 depends on bug 1191480, which changed state.

Bug 1191480 Summary: Kernel:stable kernel 5.14.10-2.1.g2878fd1 cannot boot due to "bad shim signature"
https://bugzilla.suse.com/show_bug.cgi?id=1191480

What       |Removed      |Added
----------------------------------------------------------------------------
Status     |IN_PROGRESS  |RESOLVED
Resolution |---          |FIXED