What | Removed | Added |
---|---|---|
Flags | needinfo?(yan.huang@suse.com) |
Created attachment 853088
mokutil --list-enrolled

The current state of my system:

> # mokutil --sb-state
> SecureBoot enabled
> # uname -r
> 5.14.9-2.gd0ace7f-default
> # dmesg | grep -i secure
> [ 0.009083] Secure boot enabled
> [ 1.461959] integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
> [ 1.463127] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
> [ 6.485674] Bluetooth: hci0: Secure boot is enabled

~~~~~~~~~

The mentioned certificate 6A4E915C.crt has been available only since the kernel 5.14.10-2.1.g2878fd1:

> # rpm -q --whatprovides /etc/uefi/certs/6A4E915C.crt
> kernel-default-5.14.10-2.1.g2878fd1.x86_64
> kernel-default-5.14.11-1.1.g834dddd.x86_64

More information about 6A4E915C.crt:

> # openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/6A4E915C.crt > /tmp/6A4E915C.crt-pem
> # openssl x509 -in /tmp/6A4E915C.crt-pem -text | grep -e Before -e After
> Not Before: Oct 5 16:48:55 2021 GMT
> Not After : Dec 14 16:48:55 2023 GMT

~~~~~~~~~

The previous, known-to-be-working kernel 5.14.9-2.1.gd0ace7f provided a different certificate 1AA60533.crt:

> # rpm -q --whatprovides /etc/uefi/certs/1AA60533.crt
> kernel-default-5.14.9-2.1.gd0ace7f.x86_64

More information about 1AA60533.crt:

> # openssl x509 --inform DER --outform PEM --in /etc/uefi/certs/1AA60533.crt > /tmp/1AA60533.crt-pem
> # openssl x509 -in /tmp/1AA60533.crt-pem -text | grep -e Before -e After
> Not Before: Aug 11 16:46:49 2019 GMT
> Not After : Oct 19 16:46:49 2021 GMT

~~~~~~~~~

I tried to enroll the new certificate 6A4E915C.crt:

> # mokutil --import /etc/uefi/certs/6A4E915C.crt
> Already in kernel trusted keyring. Skip /etc/uefi/certs/6A4E915C.crt

However, 6A4E915C.crt is still not seen in "mokutil --list-enrolled" (judging by the certificates' validity) - I attached the output.