[kernel-bugs] [Bug 1173115] kernel updates lead to showing mok screen on reboot
http://bugzilla.opensuse.org/show_bug.cgi?id=1173115
http://bugzilla.opensuse.org/show_bug.cgi?id=1173115#c24

--- Comment #24 from Joey Lee <jlee@suse.com> ---
(In reply to Gary Ching-Pang Lin from comment #23)
> One possible solution would be to make mokutil read keys from kernel keyring,
> so it can avoid enrolling the key built in kernel. Have to do some research on
> the kernel keyring.

The following command can be used to print the kernel embedded key:

    # keyctl list %:.builtin_trusted_keys
    1 key in keyring:
    73874993: ---lswrv 0 0 asymmetric: SUSE Linux Enterprise Secure Boot Signkey: 4ab0c697c91073276c27deff3c220fb007e1de61

The above fingerprint is from "X509v3 Subject Key Identifier" in the x509 certificate:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:FALSE
        X509v3 Subject Key Identifier:
            4A:B0:C6:97:C9:10:73:27:6C:27:DE:FF:3C:22:0F:B0:07:E1:DE:61

Using openssl with the sed command can extract the Subject Key Identifier, e.g.
https://stackoverflow.com/questions/53896785/how-to-extract-subject-key-iden...

The above "Subject Key Identifier" can be used to compare with the result of "keyctl list", then mokutil can avoid the kernel embedded key.

--
You are receiving this mail because:
You are the assignee for the bug.
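
The comparison described in comment #24, as an added example (not part of the original comment and not mokutil code). The function names are hypothetical; the sample inputs are the keyctl and certificate output quoted in the comment.

```shell
#!/bin/sh
# Added example: decide whether a certificate is already in the kernel's
# builtin keyring by comparing its Subject Key Identifier (SKI) with the key
# IDs printed by "keyctl list". All function names here are hypothetical.

# Read "openssl x509 -noout -text" output on stdin and print the SKI as
# lowercase hex without colons. The value is on the line after the header.
ski_from_x509_text() {
    sed -n '/X509v3 Subject Key Identifier/{n;p;}' | tr -d ' :\n' | tr 'A-F' 'a-f'
}

# Read "keyctl list" output on stdin and print the key ID (last field) of
# every asymmetric key, one per line, lowercased.
builtin_key_ids() {
    awk '/asymmetric:/ { print tolower($NF) }'
}

# $1 = certificate text, $2 = keyring listing.
# Returns 0 if the SKI is in the listing, 1 if it is not,
# 2 if the certificate text has no SKI extension (cannot decide).
is_builtin_key() {
    ski=$(printf '%s\n' "$1" | ski_from_x509_text)
    [ -n "$ski" ] || return 2
    printf '%s\n' "$2" | builtin_key_ids | grep -qxF -- "$ski"
}

# Sample inputs copied from the output quoted in the comment.
SAMPLE_KEYCTL='1 key in keyring:
73874993: ---lswrv 0 0 asymmetric: SUSE Linux Enterprise Secure Boot Signkey: 4ab0c697c91073276c27deff3c220fb007e1de61'
SAMPLE_X509='X509v3 extensions:
    X509v3 Basic Constraints: critical
        CA:FALSE
    X509v3 Subject Key Identifier:
        4A:B0:C6:97:C9:10:73:27:6C:27:DE:FF:3C:22:0F:B0:07:E1:DE:61'

# On a live system the two arguments would come from (cert.der is a placeholder):
#   "$(openssl x509 -inform DER -in cert.der -noout -text)"
#   "$(keyctl list %:.builtin_trusted_keys)"
if is_builtin_key "$SAMPLE_X509" "$SAMPLE_KEYCTL"; then
    echo "certificate is already a kernel builtin key: enrollment not needed"
else
    echo "certificate not found in builtin keyring"
fi
```

The return code 2 keeps a certificate without an SKI extension from being silently treated as "not builtin"; a caller has to handle that case explicitly.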