Bug#1100015: In-kernel X.509 certificates fail to load since 6.13.6
On Mon, Mar 10, 2025 at 12:51:35PM +0200, Raul Tambre wrote:
> Starting with 6.13.6-1~exp1 the following error is logged during boot:
>
> Mar 10 12:11:53 laptop kernel: Loading compiled-in X.509 certificates
> Mar 10 12:11:53 laptop kernel: Problem loading in-kernel X.509 certificate (-2)
>
> I imagine this is likely caused by commit ca3d0e60f548ed18c360fa87c5a2966606862b05 ("Store build time signing key encrypted").
Yeah. And the immediate reason:
| -Signature Algorithm: sha256WithRSAEncryption
| +Signature Algorithm: ecdsa-with-SHA256
The old kernel tried to configure with ecdsa, but failed, due to some
conflicts in the config, falling back to rsa.
And missing support for ecdsa, but for some reason built-in support for
rsa.
| root@boot1:/usr/lib/debug/boot# grep CONFIG_CRYPTO_RSA /boot/config-6.1*
| /boot/config-6.12.17-cloud-amd64:CONFIG_CRYPTO_RSA=y
| /boot/config-6.13-cloud-amd64:CONFIG_CRYPTO_RSA=y
| root@boot1:/usr/lib/debug/boot# grep CONFIG_CRYPTO_ECDS /boot/config-6.1*
| /boot/config-6.12.17-cloud-amd64:# CONFIG_CRYPTO_ECDSA is not set
| /boot/config-6.13-cloud-amd64:# CONFIG_CRYPTO_ECDSA is not set
Bastian
--
Knowledge, sir, should be free to all!
-- Harry Mudd, "I, Mudd", stardate 4513.3
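
The check described in the message above, written out as a script. This is an added example, not part of the original mail or of Debian's tooling. The function names, the constructed sample config, and the choice to report success only for `=y` are assumptions of this example.

```shell
#!/bin/sh
# Map a certificate signature algorithm (as printed by `openssl x509 -text`)
# to the kernel config symbol grepped for in the message above.
alg_to_symbol() {
    case "$1" in
        *RSAEncryption*) echo CONFIG_CRYPTO_RSA ;;
        ecdsa-with-*)    echo CONFIG_CRYPTO_ECDSA ;;
        *)               return 1 ;;
    esac
}

# Print builtin / module / missing for a symbol in a kernel config file.
symbol_state() {   # $1 = config file, $2 = symbol
    if grep -q "^$2=y\$" "$1"; then echo builtin
    elif grep -q "^$2=m\$" "$1"; then echo module
    else echo missing   # covers "# CONFIG_... is not set" and absent lines
    fi
}

# check_cert_alg CONFIG_FILE SIG_ALG
# Prints "SYMBOL:state"; succeeds only when the algorithm is built in.
# Whether a modular (=m) algorithm is enough at boot is not settled by the
# page, so this example reports it but does not treat it as success.
check_cert_alg() {
    sym=$(alg_to_symbol "$2") || { echo "unknown"; return 3; }
    state=$(symbol_state "$1" "$sym")
    echo "$sym:$state"
    [ "$state" = builtin ]
}

# Constructed sample mirroring the grep output quoted in the message.
make_sample_config() {
    f=$(mktemp)
    printf '%s\n' 'CONFIG_CRYPTO_RSA=y' \
                  '# CONFIG_CRYPTO_ECDSA is not set' > "$f"
    echo "$f"
}

cfg=$(make_sample_config)
check_cert_alg "$cfg" sha256WithRSAEncryption || true   # old certificate
check_cert_alg "$cfg" ecdsa-with-SHA256 || true         # new certificate
rm -f "$cfg"
```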