http://bugzilla.opensuse.org/show_bug.cgi?id=1159531
http://bugzilla.opensuse.org/show_bug.cgi?id=1159531#c16
--- Comment #16 from Joey Lee
I installed 5.4.5-1.g47eef04-default on my desktop, so my kernel is now compiled with the signature verification.
I can reproduce the error easily.
# wget http://download.opensuse.org/tumbleweed/repo/oss/boot/x86_64/loader/linux
# echo 'file crypto/asymmetric_keys/pkcs7_verify.c +p' > /sys/kernel/debug/dynamic_debug/control
# kexec -sl linux
Run:
# kexec -sl /boot/vmlinuz-5.4.5-1.g47eef04-default
Success. Which means that the kernel RPM from the kernel-stable repo has no problem.
This is the dmesg output:
[ 1873.514846] PKCS7: verify openSUSE Secure Boot Signkey: 01
[ 1873.514850] PKCS7: - issuer openSUSE Secure Boot CA
[ 1873.514851] PKCS7: - authkeyid.id 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d
[ 1873.514852] PKCS7: - authkeyid.skid 6842600de22c4c477e95be23dfea9513e5971762
[ 1873.514853] PKCS7: - want 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d
[ 1873.514855] PKCS7: - cmp [1] 013120301e06035504030c176f70656e535553452053656375726520426f6f74204341310b300 90603550406130244453112301006035504070c094e7572656d
[ 1873.514856] PKCS7: Sig 1: X.509 chain contains auth-skid nonmatch (1->1)
[ 1873.514864] kexec_file: kernel signature verification failed (-129).
I have tried the kernel RPM from the kernel-stable repo, and I also tried the SLE15-SP1/SLE15-SP2 kernels. All of them cannot reproduce the issue. Only loading the openSUSE kernel can reproduce the issue, no matter which kernel is booted. The PKCS#7 signature carries a certificate list that can be used to verify the signature before the kernel finds the appropriate certificate from the keyring. It looks like only the openSUSE kernel's certificate list in the PKCS#7 signature cannot pass the verification. I must extract the PKCS#7 package from the kernel binary for parsing by OpenSSL.