Bug#928300: secure boot via removable media path unavailable

To: 928300@bugs.debian.org
Subject: Bug#928300: secure boot via removable media path unavailable
From: "Chris Nospam" <chris21k@gmx.de>
Date: Mon, 1 Jul 2019 19:59:26 +0200
Message-id: <[🔎] trinity-30a44d14-a67c-482f-aad5-764785280e18-1562003966264@3c-app-gmx-bs54>
Reply-to: "Chris Nospam" <chris21k@gmx.de>, 928300@bugs.debian.org
References: <155672235570.3178.18157550707493556338.reportbug@betty.q3x.local>
Dear Steve,

> It's odd that you have files in /boot/efi but on a separate filesystem
> (the rootfs?), not within the ESP.

yep, on the rootfs on /dev/sda2. Must have been done by the deb-installer. Now I removed the files from the root partition as ESP is mounted over them. As expected, no change.

>> The exact error message during booting with SB on is:
>> Image Autorization Fail.
> *Exactly* that, including the missing "h" in Authorization ? Or is
> that a typo on your part?

Defintively, I made the typo, since no cut&paste on the boot screen...

> So, I'm curious what keys your system claims to recognise then. The
> mokutil tool can dump the public keys in each of the key lists on your
> system, as listed in the man page:

# mokutil --pk
[key 1]
SHA1 Fingerprint: 77:a8:28:ba:0c:72:b4:49:79:5c:c0:5a:47:10:cf:a7:29:1c:0f:79
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c3:1d:39:ca:ef:3d:8b:dd
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Intel(R) Desktop Boards
        Validity
            Not Before: Feb  2 00:09:49 2013 GMT
            Not After : Jan 31 00:09:49 2023 GMT
        Subject: CN=Intel(R) Desktop Boards
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e0:32:77:4d:a5:f3:31:41:5f:9f:36:39:d1:93:
                    ce:b2:16:f8:45:7f:4e:65:c1:42:2c:65:d5:96:5e:
                    99:22:5d:8a:16:2d:89:52:e3:e6:15:23:c7:7d:b8:
                    1e:55:84:7b:ca:2a:27:5d:ee:a4:33:6a:52:ff:39:
                    a9:d4:81:21:8f:c2:f5:b8:f8:3c:85:43:60:61:68:
                    23:72:f1:82:b1:6d:68:ad:69:0b:fb:d1:5a:ed:d2:
                    cd:c1:c4:81:d3:d2:ba:6f:ce:6f:ad:58:25:6f:39:
                    32:c5:06:ff:57:80:52:d6:8b:63:90:ec:a7:4b:cf:
                    2a:b0:2e:f7:13:2e:fc:a7:5b:6c:79:86:0d:d2:b3:
                    04:13:75:18:6d:8b:7a:35:b8:9c:71:00:1c:19:72:
                    a4:8c:24:d4:0d:d5:e9:ca:d0:3b:a0:36:c6:55:4b:
                    58:b3:f3:7d:58:2d:7b:92:f0:38:e3:3f:06:8d:aa:
                    79:32:2e:6e:50:dc:8c:1d:e1:f7:db:0f:4b:af:61:
                    bc:bd:d2:ba:d6:5f:ec:8f:79:3e:b8:c8:37:dc:a9:
                    5a:4d:80:ec:5b:ce:eb:6c:54:68:74:2a:5c:aa:bc:
                    25:d2:69:e1:c1:51:5b:35:c5:fb:cf:a6:58:a9:6c:
                    f8:73:33:c6:f5:a8:d2:0a:ef:eb:e2:1f:ec:f3:aa:
                    84:0b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                D2:EE:76:04:80:00:C1:E6:56:D2:FE:D7:EF:8B:5A:D8:0C:3C:B1:39
            X509v3 Authority Key Identifier:
                keyid:D2:EE:76:04:80:00:C1:E6:56:D2:FE:D7:EF:8B:5A:D8:0C:3C:B1:39

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         38:e7:c3:21:94:97:9a:0c:96:5b:2d:0e:8a:77:1d:91:da:95:
         7f:c6:d2:bc:84:cc:9d:ec:84:7c:8c:09:36:27:2c:08:d2:90:
         8a:32:39:3e:4e:46:d9:42:ec:2d:90:94:38:34:24:e6:10:d9:
         2e:a5:f2:ce:b2:8e:c0:51:7f:1e:b0:79:17:8b:40:1e:2c:d5:
         8d:cb:70:89:ea:f9:2e:63:b1:23:80:c9:41:49:de:d0:5f:5a:
         bf:86:30:33:c4:57:c6:4e:2f:1a:b3:e9:63:5d:69:90:0d:b9:
         00:f6:b4:3e:89:d7:97:0f:d3:ee:2c:6e:ca:a8:cb:ba:d8:4a:
         38:46:de:01:6f:e1:8d:2e:6d:fe:ed:e2:55:f8:1a:6f:c7:7a:
         b8:7d:db:db:34:7f:3e:9e:9e:37:f7:3b:81:0e:52:ef:45:ac:
         d4:0b:ce:8c:f8:3d:36:ff:2f:9b:f4:e5:bc:9f:5f:d7:6b:8d:
         8b:fd:63:d4:b1:69:43:cb:ae:04:07:a1:1a:e8:ed:69:09:3a:
         09:3d:d2:b0:e8:b2:b7:6f:25:2c:9c:3e:24:a5:8a:5e:b6:0d:
         c5:1a:10:90:3f:8b:83:33:7d:d3:37:42:80:cb:6e:23:f8:09:
         dd:57:16:59:df:e3:8b:b4:fa:f7:82:42:90:d8:b1:71:c6:fe:
         16:79:1b:87

# mokutil --kek
[key 1]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:0a:d1:88:00:00:00:00:00:03
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation KEK CA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c4:e8:b5:8a:bf:ad:57:26:b0:26:c3:ea:e7:fb:
                    57:7a:44:02:5d:07:0d:da:4a:e5:74:2a:e6:b0:0f:
                    ec:6d:eb:ec:7f:b9:e3:5a:63:32:7c:11:17:4f:0e:
                    e3:0b:a7:38:15:93:8e:c6:f5:e0:84:b1:9a:9b:2c:
                    e7:f5:b7:91:d6:09:e1:e2:c0:04:a8:ac:30:1c:df:
                    48:f3:06:50:9a:64:a7:51:7f:c8:85:4f:8f:20:86:
                    ce:fe:2f:e1:9f:ff:82:c0:ed:e9:cd:ce:f4:53:6a:
                    62:3a:0b:43:b9:e2:25:fd:fe:05:f9:d4:c4:14:ab:
                    11:e2:23:89:8d:70:b7:a4:1d:4d:ec:ae:e5:9c:fa:
                    16:c2:d7:c1:cb:d4:e8:c4:2f:e5:99:ee:24:8b:03:
                    ec:8d:f2:8b:ea:c3:4a:fb:43:11:12:0b:7e:b5:47:
                    92:6c:dc:e6:04:89:eb:f5:33:04:eb:10:01:2a:71:
                    e5:f9:83:13:3c:ff:25:09:2f:68:76:46:ff:ba:4f:
                    be:dc:ad:71:2a:58:aa:fb:0e:d2:79:3d:e4:9b:65:
                    3b:cc:29:2a:9f:fc:72:59:a2:eb:ae:92:ef:f6:35:
                    13:80:c6:02:ec:e4:5f:cc:9d:76:cd:ef:63:92:c1:
                    af:79:40:84:79:87:7f:e3:52:a8:e8:9d:7b:07:69:
                    8f:15
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                62:FC:43:CD:A0:3E:A4:CB:67:12:D2:5B:D9:55:AC:7B:CC:B6:8A:5F
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl

            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt

    Signature Algorithm: sha256WithRSAEncryption
         d4:84:88:f5:14:94:18:02:ca:2a:3c:fb:2a:92:1c:0c:d7:a0:
         d1:f1:e8:52:66:a8:ee:a2:b5:75:7a:90:00:aa:2d:a4:76:5a:
         ea:79:b7:b9:37:6a:51:7b:10:64:f6:e1:64:f2:02:67:be:f7:
         a8:1b:78:bd:ba:ce:88:58:64:0c:d6:57:c8:19:a3:5f:05:d6:
         db:c6:d0:69:ce:48:4b:32:b7:eb:5d:d2:30:f5:c0:f5:b8:ba:
         78:07:a3:2b:fe:9b:db:34:56:84:ec:82:ca:ae:41:25:70:9c:
         6b:e9:fe:90:0f:d7:96:1f:e5:e7:94:1f:b2:2a:0c:8d:4b:ff:
         28:29:10:7b:f7:d7:7c:a5:d1:76:b9:05:c8:79:ed:0f:90:92:
         9c:c2:fe:df:6f:7e:6c:0f:7b:d4:c1:45:dd:34:51:96:39:0f:
         e5:5e:56:d8:18:05:96:f4:07:a6:42:b3:a0:77:fd:08:19:f2:
         71:56:cc:9f:86:23:a4:87:cb:a6:fd:58:7e:d4:69:67:15:91:
         7e:81:f2:7f:13:e5:0d:8b:8a:3c:87:84:eb:e3:ce:bd:43:e5:
         ad:2d:84:93:8e:6a:2b:5a:7c:44:fa:52:aa:81:c8:2d:1c:bb:
         e0:52:df:00:11:f8:9a:3d:c1:60:b0:e1:33:b5:a3:88:d1:65:
         19:0a:1a:e7:ac:7c:a4:c1:82:87:4e:38:b1:2f:0d:c5:14:87:
         6f:fd:8d:2e:bc:39:b6:e7:e6:c3:e0:e4:cd:27:84:ef:94:42:
         ef:29:8b:90:46:41:3b:81:1b:67:d8:f9:43:59:65:cb:0d:bc:
         fd:00:92:4f:f4:75:3b:a7:a9:24:fc:50:41:40:79:e0:2d:4f:
         0a:6a:27:76:6e:52:ed:96:69:7b:af:0f:f7:87:05:d0:45:c2:
         ad:53:14:81:1f:fb:30:04:aa:37:36:61:da:4a:69:1b:34:d8:
         68:ed:d6:02:cf:6c:94:0c:d3:cf:6c:22:79:ad:b1:f0:bc:03:
         a2:46:60:a9:c4:07:c2:21:82:f1:fd:f2:e8:79:32:60:bf:d8:
         ac:a5:22:14:4b:ca:c1:d8:4b:eb:7d:3f:57:35:b2:e6:4f:75:
         b4:b0:60:03:22:53:ae:91:79:1d:d6:9b:41:1f:15:86:54:70:
         b2:de:0d:35:0f:7c:b0:34:72:ba:97:60:3b:f0:79:eb:a2:b2:
         1c:5d:a2:16:b8:87:c5:e9:1b:f6:b5:97:25:6f:38:9f:e3:91:
         fa:8a:79:98:c3:69:0e:b7:a3:1c:20:05:97:f8:ca:14:ae:00:
         d7:c4:f3:c0:14:10:75:6b:34:a0:1b:b5:99:60:f3:5c:b0:c5:
         57:4e:36:d2:32:84:bf:9e

# mokutil --db
[key 1]
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:07:76:56:00:00:00:00:00:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:dd:0c:bb:a2:e4:2e:09:e3:e7:c5:f7:96:69:bc:
                    00:21:bd:69:33:33:ef:ad:04:cb:54:80:ee:06:83:
                    bb:c5:20:84:d9:f7:d2:8b:f3:38:b0:ab:a4:ad:2d:
                    7c:62:79:05:ff:e3:4a:3f:04:35:20:70:e3:c4:e7:
                    6b:e0:9c:c0:36:75:e9:8a:31:dd:8d:70:e5:dc:37:
                    b5:74:46:96:28:5b:87:60:23:2c:bf:dc:47:a5:67:
                    f7:51:27:9e:72:eb:07:a6:c9:b9:1e:3b:53:35:7c:
                    e5:d3:ec:27:b9:87:1c:fe:b9:c9:23:09:6f:a8:46:
                    91:c1:6e:96:3c:41:d3:cb:a3:3f:5d:02:6a:4d:ec:
                    69:1f:25:28:5c:36:ff:fd:43:15:0a:94:e0:19:b4:
                    cf:df:c2:12:e2:c2:5b:27:ee:27:78:30:8b:5b:2a:
                    09:6b:22:89:53:60:16:2c:c0:68:1d:53:ba:ec:49:
                    f3:9d:61:8c:85:68:09:73:44:5d:7d:a2:54:2b:dd:
                    79:f7:15:cf:35:5d:6c:1c:2b:5c:ce:bc:9c:23:8b:
                    6f:6e:b5:26:d9:36:13:c3:4f:d6:27:ae:b9:32:3b:
                    41:92:2c:e1:c7:cd:77:e8:aa:54:4e:f7:5c:0b:04:
                    87:65:b4:43:18:a8:b2:e0:6d:19:77:ec:5a:24:fa:
                    48:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            X509v3 Subject Key Identifier:
                A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl

            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

    Signature Algorithm: sha256WithRSAEncryption
         14:fc:7c:71:51:a5:79:c2:6e:b2:ef:39:3e:bc:3c:52:0f:6e:
         2b:3f:10:13:73:fe:a8:68:d0:48:a6:34:4d:8a:96:05:26:ee:
         31:46:90:61:79:d6:ff:38:2e:45:6b:f4:c0:e5:28:b8:da:1d:
         8f:8a:db:09:d7:1a:c7:4c:0a:36:66:6a:8c:ec:1b:d7:04:90:
         a8:18:17:a4:9b:b9:e2:40:32:36:76:c4:c1:5a:c6:bf:e4:04:
         c0:ea:16:d3:ac:c3:68:ef:62:ac:dd:54:6c:50:30:58:a6:eb:
         7c:fe:94:a7:4e:8e:f4:ec:7c:86:73:57:c2:52:21:73:34:5a:
         f3:a3:8a:56:c8:04:da:07:09:ed:f8:8b:e3:ce:f4:7e:8e:ae:
         f0:f6:0b:8a:08:fb:3f:c9:1d:72:7f:53:b8:eb:be:63:e0:e3:
         3d:31:65:b0:81:e5:f2:ac:cd:16:a4:9f:3d:a8:b1:9b:c2:42:
         d0:90:84:5f:54:1d:ff:89:ea:ba:1d:47:90:6f:b0:73:4e:41:
         9f:40:9f:5f:e5:a1:2a:b2:11:91:73:8a:21:28:f0:ce:de:73:
         39:5f:3e:ab:5c:60:ec:df:03:10:a8:d3:09:e9:f4:f6:96:85:
         b6:7f:51:88:66:47:19:8d:a2:b0:12:3d:81:2a:68:05:77:bb:
         91:4c:62:7b:b6:c1:07:c7:ba:7a:87:34:03:0e:4b:62:7a:99:
         e9:ca:fc:ce:4a:37:c9:2d:a4:57:7c:1c:fe:3d:dc:b8:0f:5a:
         fa:d6:c4:b3:02:85:02:3a:ea:b3:d9:6e:e4:69:21:37:de:81:
         d1:f6:75:19:05:67:d3:93:57:5e:29:1b:39:c8:ee:2d:e1:cd:
         e4:45:73:5b:d0:d2:ce:7a:ab:16:19:82:46:58:d0:5e:9d:81:
         b3:67:af:6c:35:f2:bc:e5:3f:24:e2:35:a2:0a:75:06:f6:18:
         56:99:d4:78:2c:d1:05:1b:eb:d0:88:01:9d:aa:10:f1:05:df:
         ba:7e:2c:63:b7:06:9b:23:21:c4:f9:78:6c:e2:58:17:06:36:
         2b:91:12:03:cc:a4:d9:f2:2d:ba:f9:94:9d:40:ed:18:45:f1:
         ce:8a:5c:6b:3e:ab:03:d3:70:18:2a:0a:6a:e0:5f:47:d1:d5:
         63:0a:32:f2:af:d7:36:1f:2a:70:5a:e5:42:59:08:71:4b:57:
         ba:7e:83:81:f0:21:3c:f4:1c:c1:c5:b9:90:93:0e:88:45:93:
         86:e9:b1:20:99:be:98:cb:c5:95:a4:5d:62:d6:a0:63:08:20:
         bd:75:10:77:7d:3d:f3:45:b9:9f:97:9f:cb:57:80:6f:33:a9:
         04:cf:77:a4:62:1c:59:7e

[key 2]
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:08:d3:c4:00:00:00:00:00:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:a5:08:6c:4c:c7:45:09:6a:4b:0c:a4:c0:87:7f:
                    06:75:0c:43:01:54:64:e0:16:7f:07:ed:92:7d:0b:
                    b2:73:bf:0c:0a:c6:4a:45:61:a0:c5:16:2d:96:d3:
                    f5:2b:a0:fb:4d:49:9b:41:80:90:3c:b9:54:fd:e6:
                    bc:d1:9d:c4:a4:18:8a:7f:41:8a:5c:59:83:68:32:
                    bb:8c:47:c9:ee:71:bc:21:4f:9a:8a:7c:ff:44:3f:
                    8d:8f:32:b2:26:48:ae:75:b5:ee:c9:4c:1e:4a:19:
                    7e:e4:82:9a:1d:78:77:4d:0c:b0:bd:f6:0f:d3:16:
                    d3:bc:fa:2b:a5:51:38:5d:f5:fb:ba:db:78:02:db:
                    ff:ec:0a:1b:96:d5:83:b8:19:13:e9:b6:c0:7b:40:
                    7b:e1:1f:28:27:c9:fa:ef:56:5e:1c:e6:7e:94:7e:
                    c0:f0:44:b2:79:39:e5:da:b2:62:8b:4d:bf:38:70:
                    e2:68:24:14:c9:33:a4:08:37:d5:58:69:5e:d3:7c:
                    ed:c1:04:53:08:e7:4e:b0:2a:87:63:08:61:6f:63:
                    15:59:ea:b2:2b:79:d7:0c:61:67:8a:5b:fd:5e:ad:
                    87:7f:ba:86:67:4f:71:58:12:22:04:22:22:ce:8b:
                    ef:54:71:00:ce:50:35:58:76:95:08:ee:6a:b1:a2:
                    01:d5
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                .....
            1.3.6.1.4.1.311.21.2:
                ....k..wSJ.%7.N.&{. p.
            X509v3 Subject Key Identifier:
                13:AD:BF:43:09:BD:82:70:9C:8C:D5:4F:31:6E:D5:22:98:8A:1B:D4
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl

            Authority Information Access:
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt

    Signature Algorithm: sha256WithRSAEncryption
         35:08:42:ff:30:cc:ce:f7:76:0c:ad:10:68:58:35:29:46:32:
         76:27:7c:ef:12:41:27:42:1b:4a:aa:6d:81:38:48:59:13:55:
         f3:e9:58:34:a6:16:0b:82:aa:5d:ad:82:da:80:83:41:06:8f:
         b4:1d:f2:03:b9:f3:1a:5d:1b:f1:50:90:f9:b3:55:84:42:28:
         1c:20:bd:b2:ae:51:14:c5:c0:ac:97:95:21:1c:90:db:0f:fc:
         77:9e:95:73:91:88:ca:bd:bd:52:b9:05:50:0d:df:57:9e:a0:
         61:ed:0d:e5:6d:25:d9:40:0f:17:40:c8:ce:a3:4a:c2:4d:af:
         9a:12:1d:08:54:8f:bd:c7:bc:b9:2b:3d:49:2b:1f:32:fc:6a:
         21:69:4f:9b:c8:7e:42:34:fc:36:06:17:8b:8f:20:40:c0:b3:
         9a:25:75:27:cd:c9:03:a3:f6:5d:d1:e7:36:54:7a:b9:50:b5:
         d3:12:d1:07:bf:bb:74:df:dc:1e:8f:80:d5:ed:18:f4:2f:14:
         16:6b:2f:de:66:8c:b0:23:e5:c7:84:d8:ed:ea:c1:33:82:ad:
         56:4b:18:2d:f1:68:95:07:cd:cf:f0:72:f0:ae:bb:dd:86:85:
         98:2c:21:4c:33:2b:f0:0f:4a:f0:68:87:b5:92:55:32:75:a1:
         6a:82:6a:3c:a3:25:11:a4:ed:ad:d7:04:ae:cb:d8:40:59:a0:
         84:d1:95:4c:62:91:22:1a:74:1d:8c:3d:47:0e:44:a6:e4:b0:
         9b:34:35:b1:fa:b6:53:a8:2c:81:ec:a4:05:71:c8:9d:b8:ba:
         e8:1b:44:66:e4:47:54:0e:8e:56:7f:b3:9f:16:98:b2:86:d0:
         68:3e:90:23:b5:2f:5e:8f:50:85:8d:c6:8d:82:5f:41:a1:f4:
         2e:0d:e0:99:d2:6c:75:e4:b6:69:b5:21:86:fa:07:d1:f6:e2:
         4d:d1:da:ad:2c:77:53:1e:25:32:37:c7:6c:52:72:95:86:b0:
         f1:35:61:6a:19:f5:b2:3b:81:50:56:a6:32:2d:fe:a2:89:f9:
         42:86:27:18:55:a1:82:ca:5a:9b:f8:30:98:54:14:a6:47:96:
         25:2f:c8:26:e4:41:94:1a:5c:02:3f:e5:96:e3:85:5b:3c:3e:
         3f:bb:47:16:72:55:e2:25:22:b1:d9:7b:e7:03:06:2a:a3:f7:
         1e:90:46:c3:00:0d:d6:19:89:e3:0e:35:27:62:03:71:15:a6:
         ef:d0:27:a0:a0:59:37:60:f8:38:94:b8:e0:78:70:f8:ba:4c:
         86:87:94:f6:e0:ae:02:45:ee:65:c2:b6:a3:7e:69:16:75:07:
         92:9b:f5:a6:bc:59:83:58

# mokutil --dbx
[key 1]
  [SHA-256]
  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

[key 2]
  [SHA-256]
  80b4d96931bf0d02fd91a61e19d14f1da452e66db2408ca8604d411f92659f0a
  f52f83a3fa9cfbd6920f722824dbe4034534d25b8507246b3b957dac6e1bce7a
  c5d9d8a186e2c82d09afaa2a6f7f2e73870d3e64f72c4e08ef67796a840f0fbd
  363384d14d1f2e0b7815626484c459ad57a318ef4396266048d058c5a19bbf76
  1aec84b84b6c65a51220a9be7181965230210d62d6d33c48999c6b295a2b0a06
  e6ca68e94146629af03f69c2f86e6bef62f930b37c6fbcc878b78df98c0334e5
  c3a99a460da464a057c3586d83cef5f4ae08b7103979ed8932742df0ed530c66
  58fb941aef95a25943b3fb5f2510a0df3fe44c58c95e0ab80487297568ab9771
  5391c3a2fb112102a6aa1edc25ae77e19f5d6f09cd09eeb2509922bfcd5992ea

[key 3]
  [SHA-256]
  d626157e1d6a718bc124ab8da27cbb65072ca03a7b6b257dbdcbbd60f65ef3d1
  d063ec28f67eba53f1642dbf7dff33c6a32add869f6013fe162e2c32f1cbe56d
  29c6eb52b43c3aa18b2cd8ed6ea8607cef3cfae1bafe1165755cf2e614844a44
  90fbe70e69d633408d3e170c6832dbb2d209e0272527dfb63d49d29572a6f44c


> I'm wondering if your
> system has maybe had some keys removed or revoked.

Unfortunately, it is not one of the newest boards, but a reliable one. However, I never did add/change/remove any keys by hand.
Firmware is the latest Intel has released (some few years ago).

Chris
Reply to:
Prev by Date: Bug#928300: secure boot via removable media path unavailable
Next by Date: Bug#931794: fwupd doesn't work because of latest logitech firmware
Previous by thread: Bug#928300: secure boot via removable media path unavailable
Next by thread: Bug#931794: fwupd doesn't work because of latest logitech firmware
Index(es):
- Date
- Thread