Comment 36 for bug 1708245

Mauricio Faria de Oliveira (mfo) wrote :

Yes, and it all goes well in the secure-boot VM.

As this covers the testing in the bug description, changing verification tags to done.

Thanks.

Procedure
=========

Generate x509 certificate:
---

# openssl genrsa -out key.pem 4096
# openssl req -new -sha256 -key key.pem -out csr.csr
# openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out cert.pem
# openssl x509 -in cert.pem -outform der -out cert.der

Key Enrollment:
---

# mokutil --import cert.der
# reboot
< MOK management menu, enroll key, reboot >
# cat /proc/keys # that key is listed

Toggling Validation (Secure Boot State)
---

1) Disable

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

# mokutil --disable-validation

# reboot
< MOK management menu, change secure boot state to disabled, reboot >

# cat /proc/keys # does not list secure-boot related keys anymore

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
/sys/firmware/efi/efivars/MokSBStateRT-605dab50-e046-4300-abb6-3dd810dd8b23

# hexdump -Cv /sys/firmware/efi/efivars/MokSBStateRT-* # the last byte is 1
00000000 06 00 00 00 01 |.....|

2) Enable

# mokutil --enable-validation

# reboot
< MOK management menu, change secure boot state to enabled, reboot >

# cat /proc/keys # lists secure-boot related keys and cert.der

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument

Toggling Validation and Enrolling
---

# mokutil --disable-validation

# reboot
< MOK management menu, change secure boot state to disabled, reboot >

# ... generate another x509 certificate (see above)

# mokutil --import cert.der
# mokutil --enable-validation

# reboot
< MOK management menu, enroll key, change secure boot state to enabled, reboot >

# cat /proc/keys # the new key is listed

# ls /sys/firmware/efi/efivars/MokSBStateRT-*
ls: cannot access /sys/firmware/efi/efivars/MokSBStateRT-*: Invalid argument
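An added check, not from the comment or from mokutil/shim, that reads the MokSBStateRT variable the procedure above inspects and reports whether Secure Boot validation is currently disabled (useful as a post-boot audit on fleet hosts). It assumes the efivarfs layout shown by the hexdump above (four attribute bytes followed by the one-byte value, 1 meaning disabled) and that the variable is absent when validation is enabled, as the `ls` output shows; the function name and the optional FILE argument are hypothetical.

```shell
#!/bin/sh
# Report the Secure Boot validation state recorded by shim in MokSBStateRT.
# GUID is the one shown in the comment's ls output.
MOKSB_GUID="605dab50-e046-4300-abb6-3dd810dd8b23"
MOKSB_VAR="/sys/firmware/efi/efivars/MokSBStateRT-${MOKSB_GUID}"

# moksb_state [FILE]
# Prints "disabled", "enabled" or "unexpected". FILE defaults to the real
# efivars entry; pass a captured copy to evaluate a saved variable offline.
# Returns 0 when the state could be determined, 2 otherwise.
moksb_state() {
    f="${1:-$MOKSB_VAR}"
    if [ ! -e "$f" ]; then
        # shim removes MokSBStateRT once validation is re-enabled
        echo "enabled"
        return 0
    fi
    # od -An -tu1 -v: one unsigned decimal per byte, no offsets, no "*" folding
    set -- $(od -An -tu1 -v "$f")
    # efivarfs: 4-byte attribute header, then the 1-byte MokSBState value
    if [ "$#" -ne 5 ]; then
        echo "unexpected"
        return 2
    fi
    if [ "$5" -eq 1 ]; then
        echo "disabled"
    else
        echo "enabled"
    fi
    return 0
}

# audit_moksb: non-zero exit when validation is off, so it can gate a job.
audit_moksb() {
    state=$(moksb_state "$@")
    echo "MokSBStateRT: validation $state"
    [ "$state" = "enabled" ]
}
```

Run `audit_moksb` as root on the host, or `moksb_state /path/to/saved/MokSBStateRT` on a copy collected during forensics.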