Bug 2239331
Summary: | Integrity: Problem loading X.509 certificate -126 | |
---|---|---|---
Product: | Fedora | Reporter: | itrymybest80
Component: | kernel | Assignee: | Coiby <coxu>
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | unspecified | |
Version: | 38 | CC: | 1012310163, acaringi, adscvr, agurenko, airlied, alciregi, amessina, apsantos, bskeggs, coxu, exnihilo, fedora, g_narendran142, gnwiii, hdegoede, hpa, jarod, jforbes, josef, kernel-maint, leonfauster, lgoncalv, linville, masami256, mchehab, mihai, ptalbert, Rob.Tetour, sbonazzo, steved
Target Milestone: | --- | Keywords: | Regression
Target Release: | --- | Flags: | coxu: needinfo? (itrymybest80)
Hardware: | x86_64 | |
OS: | Linux | |
Fixed In Version: | | Regression: | ---
Last Closed: | 2024-03-13 01:52:14 UTC | Type: | ---
Description
itrymybest80
2023-09-17 15:01:03 UTC
Removing the security tag; that is reserved for the CVE process.

I just upgraded to 6.5.5 on F38 and have noticed the same issue. Laptop is a Dell XPS13 9315, booting in UEFI mode, secure boot, encrypted / and encrypted /boot. It was not there for previous kernels. Filtering messages for X.509 on the last boot:

```
Oct 06 09:56:53 XXX kernel: Loading compiled-in X.509 certificates
Oct 06 09:56:53 XXX kernel: Loaded X.509 cert 'Fedora kernel signing key: XXX'
Oct 06 09:56:53 XXX kernel: integrity: Loading X.509 certificate: UEFI:db
Oct 06 09:56:53 XXX kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios DB Key: XXX'
Oct 06 09:56:53 XXX kernel: integrity: Loading X.509 certificate: UEFI:db
Oct 06 09:56:53 XXX kernel: integrity: Loaded X.509 cert 'Dell Inc.: Dell Bios FW Aux Authority 2018: XXX'
Oct 06 09:56:53 XXX kernel: integrity: Loading X.509 certificate: UEFI:db
Oct 06 09:56:53 XXX kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: XXX'
Oct 06 09:56:53 XXX kernel: integrity: Loading X.509 certificate: UEFI:db
Oct 06 09:56:53 XXX kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: XXX'
Oct 06 09:56:53 XXX kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Oct 06 09:56:53 XXX kernel: integrity: Problem loading X.509 certificate -126
Oct 06 09:56:53 XXX kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Oct 06 09:56:53 XXX kernel: integrity: Loaded X.509 cert 'Fedora Secure Boot CA: XXX'
Oct 06 09:56:53 XXX kernel: Loading compiled-in module X.509 certificates
Oct 06 09:56:53 XXX kernel: Loaded X.509 cert 'Fedora kernel signing key: XXX'
Oct 06 09:57:26 XXX kernel: cfg80211: Loading compiled-in X.509 certificates for regulatory database
Oct 06 09:57:26 XXX kernel: Loaded X.509 cert 'sforshee: XXX'
```

Still present for me on Fedora 39 and the latest kernel 6.5.11-300.fc39.x86_64. I can confirm this was not happening a few kernel versions back.

6.5 was probably the breaking point for me too; I can't really test it now.

Fresh install of F39 on a Dell system has similar messages with 6.6.2-201.fc39.x86_64. The system started with F36 and was updated to 37 and 38. Marking as regression, as previous releases didn't show this message.

Hi, thank you for filing the bug report! I've sent a patch [1] to address this issue. I wonder if I can have your first name and family name, as one review feedback requests that it be included in the "Reported-by" field.

[1] https://lore.kernel.org/lkml/39e5612eb2d4dea2759310ccce39c1ad40b5388f.camel@linux.ibm.com/T/

Coiby, did the fix land in mainstream? Is it already included in Fedora Rawhide?

Hi, same problem in RHEL 9.3, kernel-5.14.0-362.18.1.el9_3.x86_64.

(In reply to Sandro Bonazzola from comment #7)
> Coiby did the fix land in mainstream? Is it already included in Fedora
> rawhide?

It did not; it has not landed in linux-next yet. Once it does, I can backport it to stable Fedora.

I'm not good at English, but I know how to solve this problem. When using IMA/EVM, I get this problem. In \linux-4.14.98\security\integrity\Kconfig, I read this:

```
config INTEGRITY_TRUSTED_KEYRING
	bool "Require all keys on the integrity keyrings be signed"
	depends on SYSTEM_TRUSTED_KEYRING
	depends on INTEGRITY_ASYMMETRIC_KEYS
	default y
	help
	  This option requires that all keys added to the .ima and .evm
	  keyrings be signed by a key on the system trusted keyring.
```

In linux-4.14.98\certs\Kconfig, I read this:

```
config SYSTEM_TRUSTED_KEYRING
	bool "Provide system-wide ring of trusted keys"
	depends on KEYS
	depends on ASYMMETRIC_KEY_TYPE
	help
	  Provide a system keyring to which trusted keys can be added. Keys in
	  the keyring are considered to be trusted. Keys may be added at will
	  by the kernel from compiled-in data and from hardware key stores, but
	  userspace may only add extra keys if those keys can be verified by
	  keys already in the keyring.

	  Keys in this keyring are used by module signature checking.

config SYSTEM_TRUSTED_KEYS
	string "Additional X.509 keys for default system keyring"
	depends on SYSTEM_TRUSTED_KEYRING
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing trusted X.509 certificates to be included in the default
	  system keyring. Any certificate used for module signing is implicitly
	  also trusted.

	  NOTE: If you previously provided keys for the system keyring in the
	  form of DER-encoded *.x509 files in the top-level build directory,
	  those are no longer used. You will need to set this option instead.
```

So, I recompiled my kernel and added SYSTEM_TRUSTED_KEYS (Additional X.509 keys for default system keyring). It depends on asymmetric key pairs, at compile time (not run time). Then I used trusted.crt to sign x509_ima.der (/etc/x509_ima.der).

```
[    3.610235] Loaded X.509 cert 'Test modsign key: fdf65914e66cdecee66a7370fd8f0f6b4919eb9f'  (trusted.crt)
[    3.765478] integrity: Loaded X.509 cert 'Test modsign key: b543dd61c701894d8692b78f1e0eabc7c6fa1f52': /etc/keys/x509_ima.der
```

(In reply to Sandro Bonazzola from comment #7)
> Coiby did the fix land in mainstream? Is it already included in Fedora
> rawhide?

No, v2 [2] is still waiting for the maintainer to pick it up.

[2] https://lore.kernel.org/lkml/39e5612eb2d4dea2759310ccce39c1ad40b5388f.camel@linux.ibm.com/T/#md1bddae1dd79f41b3a2460467f1aea774956fb9d

(In reply to xzk from comment #11)
> Im not good at english, but i know how to solve this problem. At use
> Ima/Evm, I get this problem
> In \linux-4.14.98\security\integrity\Kconfig, I read this:
> ...
> config SYSTEM_TRUSTED_KEYS
>     string "Additional X.509 keys for default system keyring"
>     depends on SYSTEM_TRUSTED_KEYRING
>     help
>       If set, this option should be the filename of a PEM-formatted file
>       containing trusted X.509 certificates to be included in the default
>       system keyring. Any certificate used for module signing is implicitly
>       also trusted.
>
>       NOTE: If you previously provided keys for the system keyring in the
>       form of DER-encoded *.x509 files in the top-level build directory,
>       those are no longer used. You will need to set this option instead.
>
> So, I recompile My kernel, Add SYSTEM_TRUSTED_KEYS(Additional X.509 keys for
> default system keyring),It is depend on asymmetric key pares, In compile(not
> run). Then use trused.crt sign x509_ima.der(/etc/x509_ima.der).
> [ 3.610235] Loaded X.509 cert 'Test modsign key:
> fdf65914e66cdecee66a7370fd8f0f6b4919eb9f'(trusted.crt)
> [ 3.765478] integrity: Loaded X.509 cert 'Test modsign key:
> b543dd61c701894d8692b78f1e0eabc7c6fa1f52': /etc/keys/x509_ima.der

Thanks for sharing your thought! Using the SYSTEM_TRUSTED_KEYS config option is one way to load IMA certs, but it's unrelated to this bug.

I can confirm this issue has been resolved with the release of 6.8.0-63.fc41.x86_64.

Will this be backported to RHEL?

(In reply to Leon Fauster from comment #15)
> Will this be backported to RHEL?

Yes, it will.
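As an added triage helper (not code from the bug report or from the kernel), the script below pairs each `integrity: Loading X.509 certificate: <source>` journal line with the `Loaded` or `Problem loading` line that follows it, so the failing keyring source (here UEFI:MokListRT) and its errno can be reported instead of read off by hand; -126 is ENOKEY on Linux. The sample log lines are constructed in the format of the excerpt above, and the errno table is a hand-picked subset of asm-generic/errno.h.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Linux errno values (asm-generic/errno.h) seen in "integrity: Problem
# loading X.509 certificate -N"; -126 is ENOKEY ("Required key not available").
LINUX_ERRNO = {22: "EINVAL", 74: "EBADMSG", 126: "ENOKEY",
               127: "EKEYEXPIRED", 128: "EKEYREVOKED", 129: "EKEYREJECTED"}

LOADING_RE = re.compile(r"integrity: Loading X\.509 certificate: (.+)$")
LOADED_RE = re.compile(r"integrity: Loaded X\.509 cert '([^']+)'")
PROBLEM_RE = re.compile(r"integrity: Problem loading X\.509 certificate (-?\d+)")

@dataclass
class CertEvent:
    source: str            # keyring source, e.g. "UEFI:db" or "UEFI:MokListRT (MOKvar table)"
    name: Optional[str]    # certificate subject when the load succeeded, else None
    errno: Optional[int]   # negative errno when the load failed, else None

def errname(err):
    """Map a negative kernel errno to its Linux symbolic name."""
    return LINUX_ERRNO.get(-err, "unknown")

def parse_integrity_events(lines):
    """Pair each 'Loading' line with the 'Loaded' or 'Problem' line that follows it."""
    events, pending = [], None
    for line in lines:
        if m := LOADING_RE.search(line):
            pending = m.group(1)  # remember the source until its outcome arrives
        elif (m := LOADED_RE.search(line)) and pending is not None:
            events.append(CertEvent(pending, m.group(1), None))
            pending = None
        elif (m := PROBLEM_RE.search(line)) and pending is not None:
            events.append(CertEvent(pending, None, int(m.group(1))))
            pending = None
    return events

def failed_loads(lines):
    """Only the certificate loads the kernel rejected."""
    return [e for e in parse_integrity_events(lines) if e.errno is not None]

# Constructed sample in the format of the journal excerpt in the bug report.
SAMPLE = """\
Oct 06 09:56:53 host kernel: integrity: Loading X.509 certificate: UEFI:db
Oct 06 09:56:53 host kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: XXXX'
Oct 06 09:56:53 host kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Oct 06 09:56:53 host kernel: integrity: Problem loading X.509 certificate -126
Oct 06 09:56:53 host kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Oct 06 09:56:53 host kernel: integrity: Loaded X.509 cert 'Fedora Secure Boot CA: XXXX'
""".splitlines()
```

On the sample, `failed_loads(SAMPLE)` returns the single rejected MokListRT entry with errno -126, which `errname()` reports as ENOKEY; feed it `journalctl -k` output to check a real boot.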