Description
At the moment we are running the tests on fcos42 systems that are booted through shim/grub/... We can't investigate any further how the empty MOK list edge case would affect PCR14. This is because shim injects the fedoraca MOK key every time the system boots, so we can't remove the key successfully to test that specific case.
However, once UKI is a valid choice to boot fcos/rhcos images, this could be a case worth studying.
To do so,
- Make sure the system you are booting has Secure Boot disabled. (If you're using qemu, choose the right OVMF vars template.)
- Boot the system and delete any MOK keys you find: `mokutil --export`
- Check which were enrolled and remove them by `mokutil --delete ${keypath}`
- Reboot the system. (If running fcos you will probably need to reboot the system "from the outside", e.g. `virsh reboot ${VMNAME}`.)
- Follow the prompts to completely remove the keys.
Once you run the experiment, let the system boot, and check what you get under /sys/firmware/efi/mok-variables. Do the MokListRT, MokListXRT and MokListTrustedRT files exist? What do they look like (i.e. are the files empty)?
Based on the results, you might need to change the logic behind lib/src/mok.rs. Currently it assumes those files must exist.
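As an added example (not the project's code in lib/src/mok.rs), here is a Rust reader that distinguishes the three outcomes the experiment can produce for each file under /sys/firmware/efi/mok-variables: file missing, file present but empty, file with content. Only the directory path and variable names come from the page; the type and function names are assumptions.

```rust
use std::fs;
use std::io;
use std::path::Path;

/// State of one MOK runtime variable as exposed by the kernel under
/// /sys/firmware/efi/mok-variables.
#[derive(Debug, PartialEq, Eq)]
pub enum MokVar {
    /// The file is not present at all.
    Missing,
    /// The file exists but has no content.
    Empty,
    /// The file exists and holds the raw variable bytes.
    Present(Vec<u8>),
}

/// The variables the experiment asks to check (names from the issue text).
pub const MOK_VARS: [&str; 3] = ["MokListRT", "MokListXRT", "MokListTrustedRT"];

/// Read one MOK variable from `dir`, mapping "no such file" to `Missing`
/// instead of returning an error, so an empty MOK list does not abort the caller.
pub fn read_mok_var(dir: &Path, name: &str) -> io::Result<MokVar> {
    match fs::read(dir.join(name)) {
        Ok(bytes) if bytes.is_empty() => Ok(MokVar::Empty),
        Ok(bytes) => Ok(MokVar::Present(bytes)),
        Err(e) if e.kind() == io::ErrorKind::NotFound => Ok(MokVar::Missing),
        Err(e) => Err(e),
    }
}

/// Report the state of every variable in MOK_VARS, in that fixed order.
pub fn inspect_mok_vars(dir: &Path) -> io::Result<Vec<(&'static str, MokVar)>> {
    MOK_VARS
        .iter()
        .map(|name| read_mok_var(dir, name).map(|state| (*name, state)))
        .collect()
}

fn main() -> io::Result<()> {
    let dir = Path::new("/sys/firmware/efi/mok-variables");
    if !dir.is_dir() {
        println!("{} not present (no EFI MOK variables on this system)", dir.display());
        return Ok(());
    }
    for (name, state) in inspect_mok_vars(dir)? {
        match state {
            MokVar::Present(b) => println!("{name}: {} bytes", b.len()),
            other => println!("{name}: {other:?}"),
        }
    }
    Ok(())
}
```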