
Bug#1114737: linux-image-6.12.43+deb13-amd64: CONFIG_TRUSTED_KEYS is not set



Package: src:linux
Version: 6.12.43-1
Severity: normal
X-Debbugs-Cc:cliffjkilby@gmail.com

Dear Maintainer,

I attempted to follow the instructions at https://manpages.debian.org/trixie/ima-evm-utils/evmctl.1.en.html for TPM-backed IMA/EVM setup.
It includes the command:
# keyctl add trusted kmk "new 32" @u
add_key: No such device

Based on https://cateee.net/lkddb/web-lkddb/TRUSTED_KEYS.html
"trusted" is not available unless CONFIG_TRUSTED_KEYS is at least "m" if not "y"
https://ima-doc.readthedocs.io/en/latest/ima-configuration.html#config-trusted-keys similarly mentions it for IMA setup.
It appears that the required flags:
CONFIG_KEYS=y
CONFIG_ENCRYPTED_KEYS=y
(and older kernel/functionality)
CONFIG_TCG_TPM=y
CONFIG_TCG_TPM2_HMAC=y
are all set, so this seems like a single config change to "m" to enable the module build of masterkey_trusted, trusted.

<<PCI DEVICE INFORMATION ELIDED BY SUBMITTER>>

-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.43+deb13-amd64 (SMP w/24 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages linux-image-6.12.43+deb13-amd64 depends on:
ii  dracut [linux-initramfs-tool]  106-6
ii  kmod                           34.2-2
ii  linux-base                     4.12

Versions of packages linux-image-6.12.43+deb13-amd64 recommends:
pn  apparmor  <none>

Versions of packages linux-image-6.12.43+deb13-amd64 suggests:
pn  debian-kernel-handbook  <none>
pn  firmware-linux-free     <none>
ii  grub-efi-amd64          2.12-9
pn  linux-doc-6.12          <none>

Versions of packages linux-image-6.12.43+deb13-amd64 is related to:
pn  firmware-amd-graphics      <none>
pn  firmware-atheros           <none>
pn  firmware-bnx2              <none>
pn  firmware-bnx2x             <none>
pn  firmware-brcm80211         <none>
pn  firmware-cavium            <none>
pn  firmware-cirrus            <none>
pn  firmware-intel-graphics    <none>
pn  firmware-intel-misc        <none>
pn  firmware-intel-sound       <none>
pn  firmware-ipw2x00           <none>
pn  firmware-ivtv              <none>
ii  firmware-iwlwifi           20250410-2
pn  firmware-libertas          <none>
pn  firmware-marvell-prestera  <none>
pn  firmware-mediatek          <none>
pn  firmware-misc-nonfree      <none>
pn  firmware-myricom           <none>
pn  firmware-netronome         <none>
pn  firmware-netxen            <none>
pn  firmware-nvidia-graphics   <none>
pn  firmware-qcom-soc          <none>
pn  firmware-qlogic            <none>
ii  firmware-realtek           20250410-2
pn  firmware-samsung           <none>
pn  firmware-siano             <none>
pn  firmware-ti-connectivity   <none>
pn  xen-hypervisor             <none>

-- no debconf information
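
The check described in the report, as an added example that is not part of the original message: a POSIX shell helper that reads a kernel config file and reports the state of each option the report names. The function names and the sample config excerpt are constructed for illustration; the sample mirrors the state the report describes.

```shell
#!/bin/sh
# Added example: report the state of the kernel options named in the bug
# report. Function names and the sample config are constructed here.
TRUSTED_KEY_OPTS="CONFIG_KEYS CONFIG_TRUSTED_KEYS CONFIG_ENCRYPTED_KEYS CONFIG_TCG_TPM CONFIG_TCG_TPM2_HMAC"

# config_state FILE OPTION
# Prints y or m for an enabled option, n for an explicit
# "# OPTION is not set" line, absent if the symbol never appears.
config_state() {
    awk -v opt="$2" '
        $0 ~ ("^" opt "=")               { sub("^" opt "=", ""); state = $0 }
        $0 == ("# " opt " is not set")   { state = "n" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# check_trusted_keys FILE
# Prints one line per option; returns 1 if any is neither y nor m.
check_trusted_keys() {
    rc=0
    for opt in $TRUSTED_KEY_OPTS; do
        state=$(config_state "$1" "$opt")
        case "$state" in
            y|m) echo "ok      $opt=$state" ;;
            *)   echo "MISSING $opt ($state)"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample excerpt matching the state the report describes.
sample_config() {
    cat <<'EOF'
CONFIG_KEYS=y
# CONFIG_TRUSTED_KEYS is not set
CONFIG_ENCRYPTED_KEYS=y
CONFIG_TCG_TPM=y
CONFIG_TCG_TPM2_HMAC=y
EOF
}

# Demonstration on the constructed sample.
demo=$(mktemp)
sample_config > "$demo"
check_trusted_keys "$demo" || echo "trusted key type unavailable with this config"
rm -f "$demo"
```

On Debian the installed kernel's config is shipped as /boot/config-<release>, so check_trusted_keys "/boot/config-$(uname -r)" runs the same check against the running kernel.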
