Wind River Support Network

Not to be fixed

SCP8-238 : "mokutil --list-enrolled" cannot list the enrolled keys after running lockdown.efi

Created: May 26, 2016    Updated: Mar 6, 2019
Resolved Date: Feb 19, 2019
Found In Version: 8.0
Severity: Standard
Applicable for: Wind River Linux 8
Component/s: Userspace

Description

"mokutil --list-enrolled" cannot show any information about the enrolled keys, but "efi-readvar" can.

If "mokutil --import" is used to add one key to the system, "mokutil --list-enrolled" shows all the keys.

In this state, after "mokutil --delete" is used to delete one key, "mokutil --list-enrolled" can no longer show the keys.


root@128:~# mokutil --list-enrolled
Failed to read MokListRT: No such file or directory
root@128:~#
root@128:~# efi-readvar
Variable PK, length 885
PK: List 0, type X509
    Signature 0, size 857, owner 1f7b9654-2107-4697-8f1c-0cbc38874588
        Subject:
            CN=Wind River Linux Sample PK Certificate for SCP
        Issuer:
            CN=Wind River Linux Sample PK Certificate for SCP
Variable KEK, length 791
KEK: List 0, type X509
    Signature 0, size 763, owner 1f7b9654-2107-4697-8f1c-0cbc38874588
        Subject:
            CN=Wind River Linux Sample KEK Certificate for SCP
        Issuer:
            CN=Wind River Linux Sample PK Certificate for SCP
Variable db, length 791
db: List 0, type X509
    Signature 0, size 763, owner 1f7b9654-2107-4697-8f1c-0cbc38874588
        Subject:
            CN=Wind River Linux Sample DB Certificate for SCP
        Issuer:
            CN=Wind River Linux Sample KEK Certificate for SCP
Variable dbx, length 799
dbx: List 0, type X509
    Signature 0, size 771, owner 1f7b9654-2107-4697-8f1c-0cbc38874588
        Subject:
            CN=DBX
        Issuer:
            CN=DBX
Variable MokList has no entries
root@128:~#
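The failure in the report is mokutil being unable to read the MokListRT variable at all, while efi-readvar still reports the firmware key stores. The following Python script is an added example, not part of this defect record and not Wind River's or mokutil's code. It reads an EFI variable from efivarfs the way a practitioner would when auditing a Secure Boot key store, parses the EFI_SIGNATURE_LIST structures that mokutil --list-enrolled parses, and reports an absent variable explicitly instead of failing. The efivarfs path, the attribute-prefix value and the sample variable (built inline from a placeholder certificate blob and the owner GUID shown in the report) are assumptions and constructed data, not values captured from the affected system.

```python
"""Parse EFI_SIGNATURE_LIST payloads such as MokListRT (added example, not mokutil's code)."""
import struct
import uuid

# GUIDs from the UEFI specification and shim (not page-specific values)
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")
# Assumed efivarfs location of the runtime MOK list that mokutil reads
MOKLISTRT_PATH = f"/sys/firmware/efi/efivars/MokListRT-{SHIM_LOCK_GUID}"

SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
HEADER_LEN = 28  # SignatureType (16) + SignatureListSize, SignatureHeaderSize, SignatureSize (3 x u32)


def parse_signature_lists(data: bytes) -> list:
    """Walk consecutive EFI_SIGNATURE_LIST structures and return one dict per signature entry."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < HEADER_LEN or off + list_size > len(data):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size < 16:
            raise ValueError(f"SignatureSize {sig_size} too small to hold an owner GUID")
        body_start = off + HEADER_LEN + hdr_size
        body_end = off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size != 0:
            raise ValueError(f"signature body at offset {off} is not a whole number of entries")
        for sig_off in range(body_start, body_end, sig_size):
            owner = uuid.UUID(bytes_le=data[sig_off:sig_off + 16])
            entries.append({
                "type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": str(owner),
                "size": sig_size,
                "data": data[sig_off + 16:sig_off + sig_size],
            })
        off = body_end
    return entries


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, signatures: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST; used here only to construct the sample input."""
    sig_size = 16 + len(signatures[0])
    if any(16 + len(s) != sig_size for s in signatures):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + s for s in signatures)
    return sig_type.bytes_le + struct.pack("<III", HEADER_LEN + len(body), 0, sig_size) + body


def read_efivar(path: str):
    """Return the variable payload with the 4-byte efivarfs attribute prefix stripped, or None if absent."""
    try:
        with open(path, "rb") as f:
            raw = f.read()
    except FileNotFoundError:
        # This is the condition behind "Failed to read MokListRT: No such file or directory"
        return None
    return raw[4:]


def list_enrolled(path: str = MOKLISTRT_PATH):
    """Mirror of what mokutil --list-enrolled reads: None when the variable is missing, else its entries."""
    data = read_efivar(path)
    return None if data is None else parse_signature_lists(data)


# Constructed sample: owner GUID copied from the report's efi-readvar output, certificate bytes are a placeholder
SAMPLE_OWNER = uuid.UUID("1f7b9654-2107-4697-8f1c-0cbc38874588")
FAKE_CERT = b"\x30\x82" + b"\xaa" * 40  # placeholder DER-looking bytes, not a real certificate
SAMPLE_MOKLISTRT = (
    b"\x06\x00\x00\x00"  # assumed efivarfs attribute prefix: BOOTSERVICE_ACCESS | RUNTIME_ACCESS
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [b"\x11" * 32, b"\x22" * 32])
)

if __name__ == "__main__":
    for i, e in enumerate(parse_signature_lists(SAMPLE_MOKLISTRT[4:])):
        print(f"Signature {i}, type {e['type']}, size {e['size']}, owner {e['owner']}")
    live = list_enrolled()
    print("MokListRT absent" if live is None else f"MokListRT has {len(live)} entries")
```

Run as root on a UEFI system the script reads the real MokListRT; anywhere else it falls through to the sample data, so the parser can be exercised without Secure Boot hardware. Treating a missing variable as a distinct state (None) rather than an error is the point of the example: on the system in the report, that state is exactly what efivarfs exposes while the firmware key stores themselves remain intact.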

Steps to Reproduce

/net/pek-hostel-deb04/buildarea1/nightly/WRL8/product_install/wrlinux-8/wrlinux/configure --enable-board=intel-x86-64 --enable-kernel=secure --enable-rootfs=secure-core --enable-jobs=32 --enable-parallel-pkgbuilds=32 --enable-internet-download=yes --enable-reconfig=yes --with-template=feature/mok-secure-boot

Make

Target:
After enrolling the key with "lockdown.efi":
$ mokutil --list-enrolled   ** shows nothing

$ mokutil --import /mnt/EFI/BOOT/shim_cert.cer
reboot
$ mokutil --list-enrolled   ** shows 2 keys

$ mokutil --delete /mnt/EFI/BOOT/shim_cert.cer
reboot
$ mokutil --list-enrolled   ** shows nothing
