Bug#1030200: linux-image-6.1.0-3-amd64: "Loading of module with unavailable key is rejected", /proc/keys says key is loaded; system unbootable

To: 1030200@bugs.debian.org
Subject: Bug#1030200: linux-image-6.1.0-3-amd64: "Loading of module with unavailable key is rejected", /proc/keys says key is loaded; system unbootable
From: наб <nabijaczleweli@nabijaczleweli.xyz>
Date: Fri, 31 Mar 2023 01:45:06 +0200
Message-id: <[🔎] eq4dehs4hev2u4otpvthppeikd54ir4mvfdjhnaac3cpqbpv6d@mcjcevozc6gu>
Reply-to: наб <nabijaczleweli@nabijaczleweli.xyz>, 1030200@bugs.debian.org
In-reply-to: <[🔎] tu2lqsafbjdmunopfkyfc5lvtzx7scky6kl6xqhobvhj3bzkgp@gmgo4ctbxxqj>
References: <20230201044318.ukjdwtzvdhy7tnpg@babtop.nabijaczleweli.xyz> <20230201140145.vgozgzlm3i3ozeqp@tarta.nabijaczleweli.xyz> <20230203001054.o2nnzv3mfememomu@babtop.nabijaczleweli.xyz> <20230203040556.eomwv543ip6f5agp@babtop.nabijaczleweli.xyz> <20230203043415.nbyveqvp5jgp5eza@babtop.nabijaczleweli.xyz> <[🔎] juqrr6zwicr6ic2ozgru3ii4jldwuabblgffmg2zrjejb5jer4@m44sp75rjvjz> <[🔎] tu2lqsafbjdmunopfkyfc5lvtzx7scky6kl6xqhobvhj3bzkgp@gmgo4ctbxxqj> <20230201044318.ukjdwtzvdhy7tnpg@babtop.nabijaczleweli.xyz>

Actually, it'd appear that this is a red herring; it looks like,
to me, that only the two compiled-in certificates do anything at all,
and the ones loaded from DB don't participate?

I've set up different certificate chain, and configured it much more
similarly to the Debian CA, just to see. It behaves identically.

What doesn't, though, is /proc/keys (raw sorted attached)
  $ grep -F ' .' keys-6.*
  keys-6.0:3468f2e4 I------     1 perm 0f0b0000     0     0 keyring   .blacklist: empty
  keys-6.0:2079af99 I------     2 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 2
  keys-6.0:3d365eb4 I------     1 perm 1f0f0000     0     0 keyring   .evm: empty
  keys-6.0:3a9a5e2e I------     1 perm 082f0000     0     0 keyring   .fs-verity: empty
  keys-6.0:3b8edf46 I------     1 perm 1f0f0000     0     0 keyring   .ima: empty
  keys-6.0:0b51c6e4 I------     1 perm 1f0b0000     0     0 keyring   .platform: 4
  keys-6.0:19c0bfbd I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 1
  keys-6.0:32691f01 I--Q---     1 perm 0c030000     0 65534 keyring   .user_reg: 2

  keys-6.1:2534edf3 I------     1 perm 0f0b0000     0     0 keyring   .blacklist: empty
  keys-6.1:0e8076a0 I------     2 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 2
  keys-6.1:0f2f8c31 I------     1 perm 1f0f0000     0     0 keyring   .evm: empty
  keys-6.1:15ccc13e I------     1 perm 082f0000     0     0 keyring   .fs-verity: empty
  keys-6.1:290de2e4 I------     1 perm 1f0f0000     0     0 keyring   .ima: empty
  keys-6.1:1eaf2c86 I------     2 perm 1f0b0000     0     0 keyring   .machine: empty
  keys-6.1:3aeb6f7c I------     1 perm 1f0b0000     0     0 keyring   .platform: 4
  keys-6.1:29a13614 I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 2
  keys-6.1:0f6033db I--Q---     1 perm 0c030000     0 65534 keyring   .user_reg: 2

Note how there's somehow a second key in .secondary_trusted_keys.
Whether this means something or is an accounting difference
is unclear to me at this time.

наб

Attachment: pubkeys.tar.zst
Description: application/zstd

188da2e0 I------     1 perm 1f010000     0     0 asymmetri babtop.nabijaczleweli.xyz: 82b7fc21cc3f583ac4a7b05712d95377f41fbdd6: X509.rsa f41fbdd6 []
1b70a5da I------     1 perm 1f010000     0     0 asymmetri babtop.nabijaczleweli.xyz SecureBoot CA: 00befa30fa: X509.rsa []
1d29aca6 I------     1 perm 1f010000     0     0 asymmetri babtop.nabijaczleweli.xyz SecureBoot DB 2023: 00befacaa0: X509.rsa []
14eda8da I------     1 perm 1f010000     0     0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
25ec54fd I------     1 perm 1f030000     0     0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
202a1d87 I------     1 perm 1f030000     0     0 asymmetri Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f: X509.rsa 0584b25f []
3468f2e4 I------     1 perm 0f0b0000     0     0 keyring   .blacklist: empty
2079af99 I------     2 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 2
3d365eb4 I------     1 perm 1f0f0000     0     0 keyring   .evm: empty
3a9a5e2e I------     1 perm 082f0000     0     0 keyring   .fs-verity: empty
3b8edf46 I------     1 perm 1f0f0000     0     0 keyring   .ima: empty
0b51c6e4 I------     1 perm 1f0b0000     0     0 keyring   .platform: 4
19c0bfbd I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 1
1422fa3e I--Q---     2 perm 3f030000     0     0 keyring   _ses: 1
29edb096 I--Q---     2 perm 3f030000     0     0 keyring   _ses: 1
332577d4 I--Q---     4 perm 3f030000     0     0 keyring   _ses: 1
2ab495a2 I--Q---     1 perm 0b0b0000     0     0 user      invocation_id: 16
2ab6a8c8 I--Q---     1 perm 0b0b0000     0     0 user      invocation_id: 16
39a7efc8 I--Q---     1 perm 0b0b0000     0     0 user      invocation_id: 16
2b3bcd48 I--Q---     2 perm 1f3f0000     0 65534 keyring   _uid.0: empty
1b58cf94 I--Q---     1 perm 1f3f0000     0 65534 keyring   _uid_ses.0: 1
32691f01 I--Q---     1 perm 0c030000     0 65534 keyring   .user_reg: 2

286b6459 I------     1 perm 1f010000     0     0 asymmetri babtop.nabijaczleweli.xyz: 82b7fc21cc3f583ac4a7b05712d95377f41fbdd6: X509.rsa f41fbdd6 []
1814f801 I------     1 perm 1f010000     0     0 asymmetri babtop.nabijaczleweli.xyz SecureBoot CA: 00befa30fa: X509.rsa []
359ce7d1 I------     1 perm 1f010000     0     0 asymmetri babtop.nabijaczleweli.xyz SecureBoot DB 2023: 00befacaa0: X509.rsa []
1d2f6af8 I------     1 perm 1f010000     0     0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
3650553a I------     1 perm 1f030000     0     0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
0704dac1 I------     1 perm 1f030000     0     0 asymmetri Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f: X509.rsa 0584b25f []
2534edf3 I------     1 perm 0f0b0000     0     0 keyring   .blacklist: empty
0e8076a0 I------     2 perm 1f0b0000     0     0 keyring   .builtin_trusted_keys: 2
0f2f8c31 I------     1 perm 1f0f0000     0     0 keyring   .evm: empty
15ccc13e I------     1 perm 082f0000     0     0 keyring   .fs-verity: empty
290de2e4 I------     1 perm 1f0f0000     0     0 keyring   .ima: empty
1eaf2c86 I------     2 perm 1f0b0000     0     0 keyring   .machine: empty
3aeb6f7c I------     1 perm 1f0b0000     0     0 keyring   .platform: 4
29a13614 I------     1 perm 1f0f0000     0     0 keyring   .secondary_trusted_keys: 2
14a36645 I--Q---     2 perm 3f030000     0     0 keyring   _ses: 1
1c56b8fd I--Q---     2 perm 3f030000     0     0 keyring   _ses: 1
27507ba6 I--Q---     4 perm 3f030000     0     0 keyring   _ses: 1
0eb4701c I--Q---     1 perm 0b0b0000     0     0 user      invocation_id: 16
35e25bf2 I--Q---     1 perm 0b0b0000     0     0 user      invocation_id: 16
3d1688bf I--Q---     1 perm 0b0b0000     0     0 user      invocation_id: 16
2b3176ca I--Q---     2 perm 1f3f0000     0 65534 keyring   _uid.0: empty
06d4d576 I--Q---     1 perm 1f3f0000     0 65534 keyring   _uid_ses.0: 1
0f6033db I--Q---     1 perm 0c030000     0 65534 keyring   .user_reg: 2

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Bug#1030200: linux-image-6.1.0-3-amd64: .platform keyring (EFI DB variable) no longer trusted to sign modules, regression against 6.0
  - From: наб <nabijaczleweli@nabijaczleweli.xyz>

References:
- Bug#1030200: linux-image-6.1.0-3-amd64: "Loading of module with unavailable key is rejected", /proc/keys says key is loaded; system unbootable
  - From: наб <nabijaczleweli@nabijaczleweli.xyz>
- Bug#1030200: linux-image-6.1.0-3-amd64: "Loading of module with unavailable key is rejected", /proc/keys says key is loaded; system unbootable
  - From: наб <nabijaczleweli@nabijaczleweli.xyz>

Prev by Date: Bug#992855: Same problem with Sandisk Corp WD Black SN750 / PC SN730 NVMe SSD
Next by Date: Processed: Re: Bug#1030200: linux-image-6.1.0-3-amd64: .platform keyring (EFI DB variable) no longer trusted to sign modules, regression against 6.0
Previous by thread: Bug#1030200: linux-image-6.1.0-3-amd64: "Loading of module with unavailable key is rejected", /proc/keys says key is loaded; system unbootable
Next by thread: Bug#1030200: linux-image-6.1.0-3-amd64: .platform keyring (EFI DB variable) no longer trusted to sign modules, regression against 6.0
Index(es):
- Date
- Thread