After applying the Errata for the Boot Hole vulnerability, the MOK list is inaccessible

Solution Verified - Updated -

Issue

  • Third-party kernel modules are not available after applying the Errata updates for the Boot Hole vulnerability

  • Following the update, the MOK list is inaccessible, and the message "Couldn't get UEFI MokListRT" appears in the logs:

    # journalctl -b | grep UEFI
    [...] kernel: EFI: Loaded cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' linked to '.system_keyring'
    [...] kernel: MODSIGN: Couldn't get UEFI MokListRT
    
  • mokutil --list-enrolled does not find any key:

    # mokutil --list-enrolled
    MokListRT is empty
    

Environment

  • Red Hat Enterprise Linux 8

    • shim-x64-15-15.el8_2.x86_64
    • mokutil-0.3.0-9.el8.x86_64
  • Red Hat Enterprise Linux 7.8

    • shim-x64-15-8.el7_8.x86_64
    • mokutil-15-8.el7_8.x86_64
