Actually, it'd appear that this is a red herring; it looks like, to me, that only the two compiled-in certificates do anything at all, and the ones loaded from DB don't participate?

I've set up a different certificate chain, and configured it much more similarly to the Debian CA, just to see. It behaves identically.

What doesn't, though, is /proc/keys (raw sorted attached)

$ grep -F ' .' keys-6.*
keys-6.0:3468f2e4 I------ 1 perm 0f0b0000 0 0 keyring .blacklist: empty
keys-6.0:2079af99 I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 2
keys-6.0:3d365eb4 I------ 1 perm 1f0f0000 0 0 keyring .evm: empty
keys-6.0:3a9a5e2e I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty
keys-6.0:3b8edf46 I------ 1 perm 1f0f0000 0 0 keyring .ima: empty
keys-6.0:0b51c6e4 I------ 1 perm 1f0b0000 0 0 keyring .platform: 4
keys-6.0:19c0bfbd I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 1
keys-6.0:32691f01 I--Q--- 1 perm 0c030000 0 65534 keyring .user_reg: 2
keys-6.1:2534edf3 I------ 1 perm 0f0b0000 0 0 keyring .blacklist: empty
keys-6.1:0e8076a0 I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 2
keys-6.1:0f2f8c31 I------ 1 perm 1f0f0000 0 0 keyring .evm: empty
keys-6.1:15ccc13e I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty
keys-6.1:290de2e4 I------ 1 perm 1f0f0000 0 0 keyring .ima: empty
keys-6.1:1eaf2c86 I------ 2 perm 1f0b0000 0 0 keyring .machine: empty
keys-6.1:3aeb6f7c I------ 1 perm 1f0b0000 0 0 keyring .platform: 4
keys-6.1:29a13614 I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 2
keys-6.1:0f6033db I--Q--- 1 perm 0c030000 0 65534 keyring .user_reg: 2

Note how there's somehow a second key in .secondary_trusted_keys. Whether this means something or is an accounting difference is unclear to me at this time.

наб
Attachment:
pubkeys.tar.zst
Description: application/zstd
188da2e0 I------ 1 perm 1f010000 0 0 asymmetri babtop.nabijaczleweli.xyz: 82b7fc21cc3f583ac4a7b05712d95377f41fbdd6: X509.rsa f41fbdd6 []
1b70a5da I------ 1 perm 1f010000 0 0 asymmetri babtop.nabijaczleweli.xyz SecureBoot CA: 00befa30fa: X509.rsa []
1d29aca6 I------ 1 perm 1f010000 0 0 asymmetri babtop.nabijaczleweli.xyz SecureBoot DB 2023: 00befacaa0: X509.rsa []
14eda8da I------ 1 perm 1f010000 0 0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
25ec54fd I------ 1 perm 1f030000 0 0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
202a1d87 I------ 1 perm 1f030000 0 0 asymmetri Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f: X509.rsa 0584b25f []
3468f2e4 I------ 1 perm 0f0b0000 0 0 keyring .blacklist: empty
2079af99 I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 2
3d365eb4 I------ 1 perm 1f0f0000 0 0 keyring .evm: empty
3a9a5e2e I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty
3b8edf46 I------ 1 perm 1f0f0000 0 0 keyring .ima: empty
0b51c6e4 I------ 1 perm 1f0b0000 0 0 keyring .platform: 4
19c0bfbd I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 1
1422fa3e I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
29edb096 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
332577d4 I--Q--- 4 perm 3f030000 0 0 keyring _ses: 1
2ab495a2 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2ab6a8c8 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
39a7efc8 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2b3bcd48 I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
1b58cf94 I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 1
32691f01 I--Q--- 1 perm 0c030000 0 65534 keyring .user_reg: 2
286b6459 I------ 1 perm 1f010000 0 0 asymmetri babtop.nabijaczleweli.xyz: 82b7fc21cc3f583ac4a7b05712d95377f41fbdd6: X509.rsa f41fbdd6 []
1814f801 I------ 1 perm 1f010000 0 0 asymmetri babtop.nabijaczleweli.xyz SecureBoot CA: 00befa30fa: X509.rsa []
359ce7d1 I------ 1 perm 1f010000 0 0 asymmetri babtop.nabijaczleweli.xyz SecureBoot DB 2023: 00befacaa0: X509.rsa []
1d2f6af8 I------ 1 perm 1f010000 0 0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
3650553a I------ 1 perm 1f030000 0 0 asymmetri Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1: X509.rsa bb419ea1 []
0704dac1 I------ 1 perm 1f030000 0 0 asymmetri Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f: X509.rsa 0584b25f []
2534edf3 I------ 1 perm 0f0b0000 0 0 keyring .blacklist: empty
0e8076a0 I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 2
0f2f8c31 I------ 1 perm 1f0f0000 0 0 keyring .evm: empty
15ccc13e I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty
290de2e4 I------ 1 perm 1f0f0000 0 0 keyring .ima: empty
1eaf2c86 I------ 2 perm 1f0b0000 0 0 keyring .machine: empty
3aeb6f7c I------ 1 perm 1f0b0000 0 0 keyring .platform: 4
29a13614 I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 2
14a36645 I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
1c56b8fd I--Q--- 2 perm 3f030000 0 0 keyring _ses: 1
27507ba6 I--Q--- 4 perm 3f030000 0 0 keyring _ses: 1
0eb4701c I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
35e25bf2 I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
3d1688bf I--Q--- 1 perm 0b0b0000 0 0 user invocation_id: 16
2b3176ca I--Q--- 2 perm 1f3f0000 0 65534 keyring _uid.0: empty
06d4d576 I--Q--- 1 perm 1f3f0000 0 65534 keyring _uid_ses.0: 1
0f6033db I--Q--- 1 perm 0c030000 0 65534 keyring .user_reg: 2
Attachment:
signature.asc
Description: PGP signature
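
The comparison made by eye in the message above can be done mechanically. The following is an added example, not part of the original message: it parses the dot-prefixed keyring lines of two /proc/keys dumps and reports which system keyrings appeared, vanished, or changed their key count. The function names are hypothetical; the sample data is the grep output quoted in the message.

```python
# Added example: diff system keyring counts between two /proc/keys dumps.
# Sample input: the dot-prefixed keyring lines quoted in the message above.
KEYS_6_0 = """\
3468f2e4 I------ 1 perm 0f0b0000 0 0 keyring .blacklist: empty
2079af99 I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 2
3d365eb4 I------ 1 perm 1f0f0000 0 0 keyring .evm: empty
3a9a5e2e I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty
3b8edf46 I------ 1 perm 1f0f0000 0 0 keyring .ima: empty
0b51c6e4 I------ 1 perm 1f0b0000 0 0 keyring .platform: 4
19c0bfbd I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 1
32691f01 I--Q--- 1 perm 0c030000 0 65534 keyring .user_reg: 2
"""
KEYS_6_1 = """\
2534edf3 I------ 1 perm 0f0b0000 0 0 keyring .blacklist: empty
0e8076a0 I------ 2 perm 1f0b0000 0 0 keyring .builtin_trusted_keys: 2
0f2f8c31 I------ 1 perm 1f0f0000 0 0 keyring .evm: empty
15ccc13e I------ 1 perm 082f0000 0 0 keyring .fs-verity: empty
290de2e4 I------ 1 perm 1f0f0000 0 0 keyring .ima: empty
1eaf2c86 I------ 2 perm 1f0b0000 0 0 keyring .machine: empty
3aeb6f7c I------ 1 perm 1f0b0000 0 0 keyring .platform: 4
29a13614 I------ 1 perm 1f0f0000 0 0 keyring .secondary_trusted_keys: 2
0f6033db I--Q--- 1 perm 0c030000 0 65534 keyring .user_reg: 2
"""


def parse_keyrings(dump):
    """Map each dot-prefixed keyring name to its key count ('empty' -> 0)."""
    rings = {}
    for line in dump.splitlines():
        # Columns: serial flags usage timeout perm uid gid type description
        fields = line.split(None, 8)
        if len(fields) < 9 or fields[7] != "keyring":
            continue  # asymmetric/user keys and malformed lines
        name, _, summary = fields[8].rpartition(": ")
        if not name.startswith("."):
            continue  # session/user keyrings repeat names; skip them
        if summary == "empty" or summary.isdigit():
            rings[name] = 0 if summary == "empty" else int(summary)
    return rings


def diff_keyrings(old, new):
    """List (name, old_count, new_count) where they differ; None = absent."""
    a, b = parse_keyrings(old), parse_keyrings(new)
    names = sorted(a.keys() | b.keys())
    return [(n, a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)]


if __name__ == "__main__":
    for name, before, after in diff_keyrings(KEYS_6_0, KEYS_6_1):
        print(f"{name}: {before} -> {after}")
```

Run on the two dumps, it flags both differences visible in the grep output: the .machine keyring that exists only in the 6.1 dump, and the .secondary_trusted_keys count going from 1 to 2.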