[Bug 1129471] New: kernel 5.0.1-1-default: Problem loading X.509 certificate -65
http://bugzilla.opensuse.org/show_bug.cgi?id=1129471

Bug ID: 1129471
Summary: kernel 5.0.1-1-default: Problem loading X.509 certificate -65
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Kernel
Assignee: kernel-maintainers@forge.provo.novell.com
Reporter: hendrikw@arcor.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Since Tumbleweed 20190314, with kernel 5.0.1-1-default (x86_64) I get the following message during boot:

integrity: Problem loading X.509 certificate -65

Log snippet:

[ 2.985576] sched_clock: Marking stable (2989021511, -3468039)->(2994215803, -8662331)
[ 2.986009] registered taskstats version 1
[ 2.986012] Loading compiled-in X.509 certificates
[ 2.986062] Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
[ 2.986093] zswap: loaded using pool lzo/zbud
[ 2.998908] Key type big_key registered
[ 3.005600] Key type encrypted registered
[ 3.005606] AppArmor: AppArmor sha1 policy hashing enabled
[ 3.008353] integrity: Loading X.509 certificate: UEFI:db
[ 3.008414] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 3.008415] integrity: Loading X.509 certificate: UEFI:db
[ 3.008452] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 3.008453] integrity: Loading X.509 certificate: UEFI:db
[ 3.008476] integrity: Loaded X.509 cert 'Acer Database: 84f00f5841571abd2cc11a8c26d5c9c8d2b6b0b5'
[ 3.008477] integrity: Loading X.509 certificate: UEFI:db
[ 3.008482] integrity: Problem loading X.509 certificate -65
[ 3.008494] fbcon: Taking over console
[ 3.008496] Error adding keys to platform keyring UEFI:db
[ 3.008497] integrity: Loading X.509 certificate: UEFI:db
[ 3.008501] integrity: Problem loading X.509 certificate -65
[ 3.008505] Error adding keys to platform keyring UEFI:db
[ 3.008596] Console: switching to colour frame buffer device 240x67
[ 3.009680] integrity: Loading X.509 certificate: UEFI:MokListRT
[ 3.009739] integrity: Loaded X.509 cert 'openSUSE Secure Boot Signkey: 0332fa9cbf0d88bf21924b0de82a09a54d5defc8'
[ 3.009740] integrity: Loading X.509 certificate: UEFI:MokListRT
[ 3.012608] integrity: Loaded X.509 cert 'openSUSE Secure Boot CA: 6842600de22c4c477e95be23dfea9513e5971762'
[ 3.014923] ima: Allocated hash algorithm: sha256
[ 3.052885] evm: Initialising EVM extended attributes:

hardware: Laptop Acer Aspire A517-51-5832, one year old

-- You are receiving this mail because: You are on the CC list for the bug.
--- Comment #5 from Andrei Borzenkov
Yes, I think, it is a regression.
Kernel 5.0 is the first upstream kernel to import UEFI certificates for the module integrity check, so it can hardly be called a regression unless SUSE included those patches before.
--- Comment #7 from Joey Lee
Since Tumbleweed 20190314, with kernel 5.0.1-1-default (x86_64) I get the following message during boot: integrity: Problem loading X.509 certificate -65
Log snippet: [...snip]
[ 3.008477] integrity: Loading X.509 certificate: UEFI:db
[ 3.008482] integrity: Problem loading X.509 certificate -65
[ 3.008494] fbcon: Taking over console
[ 3.008496] Error adding keys to platform keyring UEFI:db
[ 3.008497] integrity: Loading X.509 certificate: UEFI:db
[ 3.008501] integrity: Problem loading X.509 certificate -65
[ 3.008505] Error adding keys to platform keyring UEFI:db
[...snip]
hardware: Laptop Acer Aspire A517-51-5832, one year old
Based on this log, there are two unknown certificates that cannot be parsed. The other certificates are parsed successfully: MS Windows, Acer (in db), and openSUSE (in MOK) are no problem. Please help to attach the result of "mokutil --db". Thanks
--- Comment #8 from Joey Lee
(In reply to Hendrik Woltersdorf from comment #2)
Yes, I think, it is a regression.
Kernel 5.0 is the first upstream kernel to import UEFI certificates for the module integrity check, so it can hardly be called a regression unless SUSE included those patches before.
It's good news that the mainline kernel really supports MOK now. Finally...
--- Comment #9 from Joey Lee
The following occurs with secure boot off:
Mar 19 18:20:32 erlangen kernel: integrity: Loading X.509 certificate: UEFI:db
Mar 19 18:20:32 erlangen kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Mar 19 18:20:32 erlangen kernel: integrity: Loading X.509 certificate: UEFI:db
Mar 19 18:20:32 erlangen kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Mar 19 18:20:32 erlangen kernel: Couldn't get size: 0x800000000000000e
Mar 19 18:20:32 erlangen kernel: fbcon: Taking over console
Mar 19 18:20:32 erlangen kernel: Couldn't get UEFI MokListRT

The 0x800000000000000e is EFI_NOT_FOUND. It's harmless. I will send my efi_status_to_str() patch to mainline to improve the EFI log. The 0x800000000000000e is not about this issue.
--- Comment #10 from Joey Lee
(In reply to Hendrik Woltersdorf from comment #0)
Since Tumbleweed 20190314, with kernel 5.0.1-1-default (x86_64) I get the following message during boot: integrity: Problem loading X.509 certificate -65
[...snip]
[ 3.008477] integrity: Loading X.509 certificate: UEFI:db
[ 3.008482] integrity: Problem loading X.509 certificate -65
[ 3.008494] fbcon: Taking over console
[ 3.008496] Error adding keys to platform keyring UEFI:db
[ 3.008497] integrity: Loading X.509 certificate: UEFI:db
[ 3.008501] integrity: Problem loading X.509 certificate -65
[...snip]
hardware: Laptop Acer Aspire A517-51-5832, one year old
Based on this log, there are two unknown certificates that cannot be parsed. The other certificates are parsed successfully: MS Windows, Acer (in db), and openSUSE (in MOK) are no problem.
Please help to attach the result of "mokutil --db".

Please also help to attach db on bugzilla: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Please copy the above db-* file and attach here.
--- Comment #13 from Joey Lee
Created attachment 800740 [details] output of mokutil --db
There are two self-signed certificates in db: CN=DisablePW and CN=ABO. Based on the dmesg log, I think those two certificates cannot be parsed. I am extracting those two certificates from db to reproduce the issue.
--- Comment #15 from Joey Lee
The DisablePW and ABO certificates use an obsolete OID for the Authority Key Identifier extension. It was already obsoleted before 1997:
X509v3 extensions: 2.5.29.1:
0<..P...)....d..c.X...0.1.0...U....DisablePW......B...Ib&..7..
More information here: http://www.oid-info.com/get/2.5.29.1
The current OID of the Authority Key Identifier is 2.5.29.35, which is the one the kernel supports.
I will look at whether we want to print a warning message in the kernel for this case when I have time.
Set this issue to WONTFIX.
I have re-opened this issue because I didn't see the "Extension:" log in dmesg after I enabled the dynamic debugging log of x509_cert_parser. Using an obsolete OID is bad, but it may not be the root cause of -65. In case I missed any other problem, I re-opened this issue and am tracing it in more detail.
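A small checker for the db variable discussed in this thread, added here as an example (it is not kernel code and not from any participant): it parses the EFI_SIGNATURE_LIST structures of an efivars-style db blob and flags X.509 entries whose extensions carry the obsolete 2.5.29.1 Authority Key Identifier OID instead of 2.5.29.35. The sample db is constructed test data, not a real firmware variable; on a live system the input would be the db-* file path given in comment #10.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI: DER cert entries
OID_AKID_OBSOLETE = bytes.fromhex("551d01")  # 2.5.29.1, obsolete AKID, unknown to the kernel parser
OID_AKID_CURRENT = bytes.fromhex("551d23")   # 2.5.29.35, the AKID OID the kernel supports

def der_oids(der):                              # yield the payload of every OID (tag 0x06) in a DER blob
    pos = 0
    while pos + 2 <= len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(der[pos:pos + n], "big")
            pos += n
        body = der[pos:pos + length]
        if tag == 0x06:
            yield body
        elif tag & 0x20:                        # constructed element: descend into it
            yield from der_oids(body)
        pos += length

def parse_efi_signature_lists(blob, efivars=True):  # concatenated EFI_SIGNATURE_LISTs, e.g. db
    if efivars:                                 # efivarfs prepends a 4-byte attributes word
        blob = blob[4:]
    entries, pos = [], 0
    while pos + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if list_size < 28 or sig_size <= 16:    # malformed list: stop instead of looping
            break
        data, end = pos + 28 + hdr_size, pos + list_size
        while data + sig_size <= end:
            sig = blob[data + 16:data + sig_size]   # skip the SignatureOwner GUID
            oids = set(der_oids(sig)) if sig_type == EFI_CERT_X509_GUID else set()
            entries.append({"type": sig_type, "size": len(sig),
                            "obsolete_akid": OID_AKID_OBSOLETE in oids})
            data += sig_size
        pos = end
    return entries

def _der(tag, body):                            # short-form lengths only (sample data)
    return bytes([tag, len(body)]) + body

def build_sample_db():                          # constructed sample, not a real firmware db
    fakes = [_der(0x30, _der(0x30, _der(0x06, oid) + _der(0x04, b"x")))
             for oid in (OID_AKID_OBSOLETE, OID_AKID_CURRENT)]
    sigs = b"".join(uuid.UUID(int=0).bytes_le + f for f in fakes)
    hdr = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(sigs), 0, 16 + len(fakes[0]))
    return b"\x07\x00\x00\x00" + hdr + sigs     # attributes word, as efivarfs would prepend
```

Entries flagged obsolete_akid are the ones a kernel x509 parser that only knows 2.5.29.35 will not recognise as carrying an Authority Key Identifier; the two fake entries in the sample are minimal DER, not full certificates.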