Comment # 24 on bug 1173115 from
(In reply to Gary Ching-Pang Lin from comment #23)
> One possible solution would be to make mokutil read keys from kernel
> keyring, so it can avoid enrolling the key built in kernel. Have to do some
> research on the kernel keyring.

The following command can be used to print the kernel embedded key:

# keyctl list %:.builtin_trusted_keys
1 key in keyring:
 73874993: ---lswrv     0     0 asymmetric: SUSE Linux Enterprise Secure Boot Signkey: 4ab0c697c91073276c27deff3c220fb007e1de61

The above fingerprint is the "X509v3 Subject Key Identifier" from the x509
certificate:

X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier: 
        4A:B0:C6:97:C9:10:73:27:6C:27:DE:FF:3C:22:0F:B0:07:E1:DE:61

openssl combined with sed can be used to extract the Subject Key Identifier,
e.g.
https://stackoverflow.com/questions/53896785/how-to-extract-subject-key-identifier-from-x509-certificate-through-openssl

The above "Subject Key Identifier" can be compared with the output of
"keyctl list", so that mokutil can skip the kernel-embedded key.


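The procedure sketched in the comment above (list the kernel's built-in keys with keyctl, pull the Subject Key Identifier out of the certificate with openssl, compare the two), as an added shell example that is not part of the bug report or of mokutil's code. The helper names (normalize_ski, key_ids_from_listing, cert_ski, kernel_builtin_ids, is_builtin_key, enroll_decision) and the sample listing are constructed for this example; reading the SKI from "openssl x509 -text" output is one way of doing what the linked answer describes, not the only one.

```shell
#!/bin/sh
# Added example, not code from the bug report or from mokutil: decide whether a
# certificate is already in the kernel's .builtin_trusted_keys keyring by
# comparing its X509v3 Subject Key Identifier with the IDs keyctl prints.
# All function names below are hypothetical helpers written for this example.

# Turn an SKI as openssl prints it ("4A:B0:C6:...:61", upper case, leading
# blanks) into the lower-case, colon-free hex string that keyctl prints.
normalize_ski() {
    printf '%s' "$1" | tr -d ' \t:\n' | tr 'A-F' 'a-f'
}

# Pull the key IDs out of a "keyctl list" listing passed in as a string.
# Each asymmetric key is described as "<subject>: <id>", so the id is the last
# whitespace-separated field of the line; non-asymmetric entries are skipped.
key_ids_from_listing() {
    printf '%s\n' "$1" | awk '/ asymmetric: / { print $NF }'
}

# Read the SKI from a PEM certificate with openssl(1): in -text output the
# value sits on the line after the "X509v3 Subject Key Identifier:" header.
cert_ski() {
    normalize_ski "$(openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Key Identifier/{n;p;}')"
}

# Live listing of the kernel's built-in trusted keys (needs keyutils and
# enough privilege to read the keyring, as in the bug comment's root shell).
kernel_builtin_ids() {
    key_ids_from_listing "$(keyctl list %:.builtin_trusted_keys)"
}

# Exit status 0 when $1 (an SKI in either format) appears in listing $2.
is_builtin_key() {
    want=$(normalize_ski "$1")
    [ -n "$want" ] && key_ids_from_listing "$2" | grep -qx "$want"
}

# Print the enrolment decision for one key.  With a real certificate and a
# live kernel this would be:
#   enroll_decision "$(cert_ski cert.pem)" "$(keyctl list %:.builtin_trusted_keys)"
enroll_decision() {
    if is_builtin_key "$1" "$2"; then
        echo "skip: key $(normalize_ski "$1") is built into the kernel"
    else
        echo "enroll: key $(normalize_ski "$1") is not in .builtin_trusted_keys"
    fi
}

# Constructed sample listing, shaped like the keyctl output quoted in the
# comment; a real run would use kernel_builtin_ids instead.
SAMPLE_LISTING='1 key in keyring:
 73874993: ---lswrv     0     0 asymmetric: SUSE Linux Enterprise Secure Boot Signkey: 4ab0c697c91073276c27deff3c220fb007e1de61'

# The same key as openssl prints it in the certificate's extension block.
SAMPLE_SKI='4A:B0:C6:97:C9:10:73:27:6C:27:DE:FF:3C:22:0F:B0:07:E1:DE:61'

enroll_decision "$SAMPLE_SKI" "$SAMPLE_LISTING"
enroll_decision 'de:ad:be:ef' "$SAMPLE_LISTING"
```

The comparison is done on the normalised SKI rather than on the subject string, because the subject ("SUSE Linux Enterprise Secure Boot Signkey") is not unique across certificate generations while the key identifier is.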