Closed: jan-kiszka closed this issue 1 year ago
Thanks for reporting the bug!
It seems that list_keys() had a problem with the data from your /sys/firmware/efi/mok-variables/MokListRT but it was fine with /sys/firmware/efi/efivars/MokListRT-*. It's hard to tell what's wrong in mok-variables/MokListRT but the return value of list_keys() is indeed not handled properly.
On the other hand, those functions with the prefix "is_" are supposed to return only 0 and 1, and is_one_duplicate() is not handled correctly in is_duplicate().
Ah, I got it. build_mok_list() returned NULL in your case, so is_one_duplicate() has to return -1. I should rename it to get rid of the "is_" prefix.
I had an apparently broken /sys/firmware/efi/mok-variables/MokListRT which prevented mokutil from listing and deleting keys from the valid /sys/firmware/efi/vars/MokListRT-*. But shim was loading signed grub without issues, using certs from the efivar.
So I hacked on mokutil like this:
which allowed me to run mokutil -l and then also mokutil --delete ... . After the latter was applied by shim, my /sys/firmware/efi/mok-variables/MokListRT is now fine, and I cannot reproduce the issue. The first variable was containing some data pointing to original certs by Microsoft and/or the OEM. Unfortunately, I made no backup of it.
What could have happened? And is that change possibly valid, provided my case is something that needs to be accounted for?
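The failure mode discussed in this thread, a lookup that can fail to parse the list but is named and used like a boolean, is shown in the added example below; it is not mokutil's code and not the patch from the report. The names mok_list_contains and make_sample are hypothetical, the layout follows the UEFI EFI_SIGNATURE_LIST structure, and the caller is assumed to pass raw variable data (files under efivars carry a 4-byte attributes prefix that has to be stripped first).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ESL_HDR 28u   /* SignatureType GUID + three little-endian UINT32 sizes */
#define GUID_LEN 16u  /* SignatureOwner GUID in front of each signature */

static uint32_t rd32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* 1 = key present, 0 = absent, -1 = list malformed. Not a boolean:
 * `if (mok_list_contains(...))` would treat a parse failure as a match. */
int mok_list_contains(const uint8_t *buf, size_t len,
                      const uint8_t *key, size_t key_len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < ESL_HDR)
            return -1;
        uint32_t list_sz = rd32(buf + off + 16);
        uint32_t hdr_sz = rd32(buf + off + 20);
        uint32_t sig_sz = rd32(buf + off + 24);
        /* Every size is checked against the remaining bytes before use. */
        if (list_sz < ESL_HDR || list_sz > len - off ||
            hdr_sz > list_sz - ESL_HDR || sig_sz <= GUID_LEN ||
            (list_sz - ESL_HDR - hdr_sz) % sig_sz != 0)
            return -1;
        for (size_t s = off + ESL_HDR + hdr_sz; s < off + list_sz; s += sig_sz)
            if (sig_sz - GUID_LEN == key_len &&
                memcmp(buf + s + GUID_LEN, key, key_len) == 0)
                return 1;
        off += list_sz;
    }
    return 0;
}

/* Constructed sample: one list with two 4-byte "keys" (not real certificates).
 * The caller provides at least 68 bytes. */
size_t make_sample(uint8_t *out)
{
    memset(out, 0, 68);               /* zero type GUID, zero header size */
    out[16] = 68;                     /* SignatureListSize = 28 + 2 * 20 */
    out[24] = 20;                     /* SignatureSize = 16-byte owner + 4-byte key */
    memcpy(out + 28 + 16, "AAAA", 4);
    memcpy(out + 48 + 16, "BBBB", 4);
    return 68;
}
```

A caller should branch on all three results, for example refusing to delete or enroll when the result is -1 instead of folding it into "duplicate" or "not duplicate".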