http://bugzilla.suse.com/show_bug.cgi?id=925479
--- Comment #9 from Joey Lee ---
The error -19 is ENODEV. It caused by asymmetric key type didn't build in to
openSUSE kernel, but system keyring codes in kernel found a embedded key and
try to using asymmetric key type to parse it, so no key type fail!
This issue exposed a couple of things need to think:
- First: Looks SYSTEM_TRUSTED_KEYRING kernel config should select
ASYMMETRIC_KEY_TYPE. I will send patch to upstream to add the changes in
init/Kconfig
- Second: the SYSTEM_TRUSTED_KEYRING a.k.a. system kerying is used by:
MODULE_SIG, IMA, PKCS7(new), KEXEC_BZIMAGE_VERIFY_SIG(new),
none of above functions enabled on openSUSE 13.2. So, we should think may
disable SYSTEM_TRUSTED_KEYRING from openSUSE kernel.
- Third: Per dmesg, looks load_system_certificate_list() codes found a
embedded key in kernel binary then tried to parser it. If we don't need kernel
module sign or IMA. Maybe we can remove the embedded key in kernel.
I will disable SYSTEM_TRUSTED_KEYRING in openSUSE 13.2 and openSUSE Factory
until we enable IMA or kexec binary verification in future openSUSE version.
--
You are receiving this mail because:
You are on the CC list for the bug.