Bug#1019192: Pile of error messages from certs subsystem on boot

To: 1019192@bugs.debian.org
Subject: Bug#1019192: Pile of error messages from certs subsystem on boot
From: Klaus Kudielka <klaus.kudielka@gmail.com>
Date: Sat, 01 Oct 2022 11:09:16 +0200
Message-id: <[🔎] 1f97812062830c34a85eb405504cdeeebe4b9540.camel@gmail.com>
Reply-to: Klaus Kudielka <klaus.kudielka@gmail.com>, 1019192@bugs.debian.org
References: <166237070910.1619.3649605797885387163.reportbug@s>

For reference, I'm seeing the same error messages (but only 4 of them)
on an ASUS Z87-PRO (UEFI secure boot enabled) with current Debian
testing (starting with 5.19.6-1, but also with 5.19.11-1).

The best explanation I could find is a post in a Lenovo forum
https://forums.lenovo.com/topic/findpost/15028/5166897/5733178

So, it seems to happen if you have
(a) Duplicate entries in the efi dbx revocation list
(b) Linux kernel 5.19

I checked that out on my system:
[0]$ dbxtool -l | awk '{ print $4 }' | sort | wc -l
278
[0]$ dbxtool -l | awk '{ print $4 }' | sort | uniq | wc -l
274

Indeed, 4 duplicates in dbx, and therefore 4 error messages!

Personally, I think the error messages are a little bit "over the top"
in that particular case. A warning such as "You have ... duplicates in
the efi dbx revocation list" may be enough. I would not know, how to
repair this with a pre-historic BIOS, anyway.

Regards, Klaus

Reply to:

Prev by Date: Processed: limit source to linux, tagging 1016092
Next by Date: linux-signed-amd64_4.19.260+1_source.changes REJECTED
Previous by thread: Processed: limit source to linux, tagging 1016092
Next by thread: linux-signed-amd64_4.19.260+1_source.changes REJECTED
Index(es):
- Date
- Thread