How do I remove Canonical’s Master Certificate Authority MOK?


I have set up a machine (NUCi10FNK for the curious) for secure booting, created my own MOK, enrolled it, signed a kernel with it, works like charm.
Now, I want to remove all MOKs except for mine, so that only kernels signed by me can boot. I take the following steps:

mkdir m; cd m; mokutil --export
Go through the certs (for i in *; do openssl x509 -in $i -inform DER -text | less; done) and rm mine.
Run for i in MOK*; do sudo mokutil --delete $i; done on the remaining.
Reboot

Upon reboot, the MOK manager comes on, I go through the delete dance, and the machine reboots.
If I run mokutil --list-enrolled, the Canonical Master CA key is back on:
[key 2]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b9:41:24:a0:18:2c:92:67
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
Validity
Not Before: Apr 12 11:12:51 2012 GMT
Not After : Apr 11 11:12:51 2042 GMT
Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority

Note that it is the second key, which means that it was installed after my key, which means that something put it back.
What is that something, and how do I get rid of it?
What am I trying to accomplish: I want only kernels signed by me to be bootable on that machine; I keep disk encryption keys in the TPM. The machine can only boot from disk, but an adversary can still replace the boot disk with one freshly installed on another machine, with secure boot off, boot on the target machine, and extract the keys from the TPM.
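The post-reboot check the question performs by eye (run mokutil --list-enrolled and look for anything other than your own key) can be scripted so it is repeatable. The shell snippet below is an added example, not code from the question: it parses the text format mokutil --list-enrolled prints (the same format quoted above) and reports every enrolled key whose SHA1 fingerprint is not on an allowlist you supply. The sample listing and the owner's fingerprint in it are constructed values; the Canonical entry reuses the fingerprint and subject quoted in the question. A second helper summarises the DER files that mokutil --export writes, using openssl, so the owner's key can be told apart without paging through each full certificate dump.

```shell
#!/bin/sh
# Added example (not from the original question): audit enrolled MOKs against an
# allowlist of SHA1 fingerprints and summarise exported DER certificates.

# unexpected_moks ALLOWLIST  (reads `mokutil --list-enrolled` output on stdin)
# Prints "fingerprint<TAB>subject" for each enrolled key whose SHA1 fingerprint
# is not in the space-separated ALLOWLIST. Empty output means only your keys
# are enrolled.
unexpected_moks() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # mokutil prints "SHA1 Fingerprint: xx:xx:..." once per key
        /^SHA1 Fingerprint:/ { fp = $3 }
        # the Subject line of the certificate that follows identifies the key
        /^[[:space:]]*Subject:/ {
            sub(/^[[:space:]]*Subject: */, "")
            if (!(fp in ok)) printf "%s\t%s\n", fp, $0
            fp = ""
        }'
}

# der_summary FILE...  (mokutil --export writes one MOK-*.der per enrolled key)
# One line per file: SHA1 fingerprint and subject, via openssl.
der_summary() {
    for f in "$@"; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -inform DER -noout -fingerprint -sha1 -subject | tr '\n' ' '
        printf '\n'
    done
}

# Constructed sample of `mokutil --list-enrolled` output: a hypothetical owner
# key (fingerprint made up for this example) and the Canonical CA entry as
# quoted in the question.
SAMPLE_MOK_LIST='[key 1]
SHA1 Fingerprint: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
Certificate:
    Data:
        Subject: CN=Example Machine Owner Key
[key 2]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority'

# Fingerprint of the key you enrolled yourself (constructed placeholder).
MY_MOK_FP="00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33"

# Demonstration on the constructed sample: reports only the Canonical entry.
printf '%s\n' "$SAMPLE_MOK_LIST" | unexpected_moks "$MY_MOK_FP"

# Live use after the reboot described above:
#   mokutil --list-enrolled | unexpected_moks "$MY_MOK_FP"
#   der_summary MOK-*.der
```

Running the live form right after the MOK manager's delete step gives a yes/no answer to "is anything besides my key enrolled?"; a non-empty result after a deletion that the MOK manager reported as successful is the condition the question describes, and the fingerprint printed is what to compare against the exported DER files.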

Marisa
