http://bugzilla.opensuse.org/show_bug.cgi?id=947816 http://bugzilla.opensuse.org/show_bug.cgi?id=947816#c30 Joey Lee <jlee@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(mgalbraith@suse.c | |om) --- Comment #30 from Joey Lee <jlee@suse.com> --- (In reply to Mike Galbraith from comment #25)
So the question is whether you still get this particular error even with the local kernels without CONFIG_KEXEC_VERIFY_SIG. Please clarify it: whether the same error "kexec_file_load failed: Key was rejected by service" appears even for kernels without that kconfig.
Yeah, it's SLE/SLERT kernels, and my mainline/stable/tip -rt trees, which I also configure with an enterprise derived config.
With maintenance lag time being what it is, if I want tools that can handle all of the kernels I work on, I'm gonna have to fix them up myself anyway, so it's not a big hairy deal, it just seems to that you should be able to use a stock suse workstation to work on any suse kernel, which you can't.
hm... I tried to build and install a self-signed SLE12-SP2 kernel on openSUSE 42.1. I found the result of loading kernel through kexec-file result that it doesn't like SLE12-SP2. On SLE12-SP2, the self-signed kernel works fine to load through kexec-file. But on openSUSE 42.1, it already returns "Key was rejected by service" then I found this log in dmesg: [ 3.392659] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1) The same kernel, the same signing process but it got different result on openSUSE with SLE12 SP2. I guess that it is about the pesign, mozilla-nss or openssl. Hi Mike, Did you see the same PKCS7 error message? If yes, then I prefer create another bug to reflect this situation. Thanks -- You are receiving this mail because: You are on the CC list for the bug.