The original bug report does not say how the MOK has been generated. If it is generated using the maintainer script integrations in shim-signed (the update-secureboot-policy command), note that the openssl config in /usr/lib/shim/mok/openssl.cnf generates a key which is specifically annotated as only being allowed for signing modules, NOT kernels. It is invalid to use this dkms key for signing kernels; you would need to generate another key (as shown in various comments in this bug report) that does not have the EKU set to say it's only for modules.
It is possible that an earlier version of shim was not enforcing this constraint and that's why it worked for you before upgrade.

** Changed in: shim (Ubuntu)
   Status: New => Incomplete

https://bugs.launchpad.net/bugs/1939565

Title: kernel signed by mok failed to boot if secure boot is on
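The module-signing-only EKU annotation described in the comment above can be checked directly on a DER-encoded certificate. This is an added example, not part of the original comment or of shim. The OID 1.3.6.1.4.1.2312.16.1.2 is not stated in the comment and is an assumption here, as are the function names and the constructed sample bytes.

```python
EKU_EXT = "2.5.29.37"                    # id-ce-extKeyUsage
MODULE_ONLY = "1.3.6.1.4.1.2312.16.1.2"  # assumption: OID is not given in the comment
# Constructed sample: only the [3] extensions wrapper of a certificate (codeSigning + MODULE_ONLY).
SAMPLE = bytes.fromhex("a3233021301f0603551d250418301606082b06010505070303"
                       "060a2b060104019208100102")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Decode OID content octets (first octet assumed to be below 80)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for octet in body[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:             # last octet of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def eku_oids(der):
    """Return the key-purpose OIDs in the extendedKeyUsage extension, if any."""
    stack = [(0, len(der))]
    while stack:
        pos, end = stack.pop()
        while pos < end:
            tag, start, stop = read_tlv(der, pos)
            if tag == 0x06 and decode_oid(der[start:stop]) == EKU_EXT:
                while der[stop] != 0x04:         # skip optional 'critical' BOOLEAN
                    stop = read_tlv(der, stop)[2]
                _, p, seq_end = read_tlv(der, read_tlv(der, stop)[1])
                oids = []
                while p < seq_end:               # each entry is one KeyPurposeId OID
                    _, a, p = read_tlv(der, p)
                    oids.append(decode_oid(der[a:p]))
                return oids
            if tag & 0x20:                       # constructed: descend later
                stack.append((start, stop))
            pos = stop
    return []

def module_signing_only(der):
    """True when the EKU carries the module-signing-only annotation."""
    return MODULE_ONLY in eku_oids(der)
```

To check a real key, pass the bytes of the DER-encoded MOK certificate to `module_signing_only()`; a PEM file has to be converted to DER first.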