Naturally, by
> but the kernel says it doesn't have a matching signature.
I meant
> but the kernel says it doesn't have a matching certificate.
In both the 6.1 and 6.0 dmesg I see, for /cert/:
[ 0.737895] Loading compiled-in X.509 certificates
[ 0.751773] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 0.751784] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[ 0.756673] integrity: Loading X.509 certificate: UEFI:db
[ 0.757146] integrity: Loaded X.509 cert 'babtop.nabijaczleweli.xyz: 82b7fc21cc3f583ac4a7b05712d95377f41fbdd6'
[ 0.757147] integrity: Loading X.509 certificate: UEFI:db
[ 0.757296] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 0.758493] ima: No TPM chip found, activating TPM-bypass!
[ 0.758497] ima: Allocated hash algorithm: sha256
(but 6.0 also says "ima: No architecture policies found").
Attaching a full 6.0 dmesg for comparison since I forgor 💀 and it was 6am.
For your convenience, here's also a trimmed-down (time and stochastic
assignment effects removed) diff:
-- >8 --
--- dmesg-6.0-notime 2023-02-01 14:44:19.263754069 +0100
+++ dmesg-6.1-notime 2023-02-01 14:44:24.591989769 +0100
@@ -1,6 +1,6 @@
microcode: microcode updated early to revision 0xf4, date = 2022-07-31
-Linux version 6.0.0-5-amd64 (
debian...@lists.debian.org) (gcc-12 (Debian 12.2.0-9) 12.2.0, GNU ld (GNU Binutils for Debian) 2.39) #1 SMP PREEMPT_DYNAMIC Debian 6.0.10-1 (2022-11-26)
-Command line: initrd=\klapki\731b69f0dac147efadfed92f12712736\6.0.0-5-amd64\initrd.img-6.0.0-5-amd64 root=zfs:AUTO fbcon=rotate:3 intel_iommu=on zfs.zfs_arc_max=12884901888 quiet module.sig_enforce=1
+Linux version 6.1.0-3-amd64 (
debian...@lists.debian.org) (gcc-12 (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #1 SMP PREEMPT_DYNAMIC Debian 6.1.8-1 (2023-01-29)
+Command line: initrd=\klapki\731b69f0dac147efadfed92f12712736\6.1.0-3-amd64\initrd.img-6.1.0-3-amd64 root=zfs:AUTO fbcon=rotate:3 intel_iommu=on zfs.zfs_arc_max=12884901888 quiet module.sig_enforce=1
x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
@@ -37,8 +37,7 @@ BIOS-e820: [mem 0x00000000ff000000-0x00000000ffffffff] reserved
BIOS-e820: [mem 0x0000000100000000-0x000000046effffff] usable
NX (Execute Disable) protection: active
efi: EFI v2.70 by American Megatrends
-efi: ACPI 2.0=0x8c8c7000 ACPI=0x8c8c7000 SMBIOS=0x8ce15000 SMBIOS 3.0=0x8ce14000 MEMATTR=0x885fd018 ESRT=0x88627f98 RNG=0x8c8c6018
-efi: seeding entropy pool
+efi: ACPI 2.0=0x8c8c7000 ACPI=0x8c8c7000 SMBIOS=0x8ce15000 SMBIOS 3.0=0x8ce14000 MEMATTR=0x88602018 ESRT=0x88626d98 INITRD=0x8510df18 RNG=0x8c8c6018
random: crng init done
Kernel is locked down from EFI Secure Boot; see man kernel_lockdown.7
secureboot: Secure boot enabled
@@ -51,10 +50,10 @@ e820: remove [mem 0x000a0000-0x000fffff] usable
last_pfn = 0x46f000 max_arch_pfn = 0x400000000
x86/PAT: Configuration [0-7]: WB WC UC- UC WB WP UC- WT
last_pfn = 0x8d000 max_arch_pfn = 0x400000000
-esrt: Reserving ESRT space from 0x0000000088627f98 to 0x0000000088627fd0.
-e820: update [mem 0x88627000-0x88627fff] usable ==> reserved
+esrt: Reserving ESRT space from 0x0000000088626d98 to 0x0000000088626dd0.
+e820: update [mem 0x88626000-0x88626fff] usable ==> reserved
Using GB pages for direct mapping
-RAMDISK: [mem 0x7edb1000-0x7fffffff]
+RAMDISK: [mem 0x7ed5a000-0x7fffffff]
ACPI: Early table checksum verification disabled
ACPI: RSDP 0x000000008C8C7000 000024 (v02 ALASKA)
ACPI: XSDT 0x000000008C8C70C0 000104 (v01 ALASKA A M I 01072009 AMI 00010013)
@@ -167,7 +166,7 @@ PM: hibernation: Registered nosave memory: [mem 0x0009e000-0x000fffff]
PM: hibernation: Registered nosave memory: [mem 0x40000000-0x403fffff]
PM: hibernation: Registered nosave memory: [mem 0x84ff1000-0x84ff1fff]
PM: hibernation: Registered nosave memory: [mem 0x84ff2000-0x84ff2fff]
-PM: hibernation: Registered nosave memory: [mem 0x88627000-0x88627fff]
+PM: hibernation: Registered nosave memory: [mem 0x88626000-0x88626fff]
PM: hibernation: Registered nosave memory: [mem 0x8bc67000-0x8c8b5fff]
PM: hibernation: Registered nosave memory: [mem 0x8c8b6000-0x8c90bfff]
PM: hibernation: Registered nosave memory: [mem 0x8c90c000-0x8c96bfff]
@@ -195,16 +194,16 @@ pcpu-alloc: [0] 0 1 2 3 4 5 6 7
Fallback order for Node 0: 0
Built 1 zonelists, mobility grouping on. Total pages: 4106436
Policy zone: Normal
-Kernel command line: initrd=\klapki\731b69f0dac147efadfed92f12712736\6.0.0-5-amd64\initrd.img-6.0.0-5-amd64 root=zfs:AUTO fbcon=rotate:3 intel_iommu=on zfs.zfs_arc_max=12884901888 quiet module.sig_enforce=1
+Kernel command line: initrd=\klapki\731b69f0dac147efadfed92f12712736\6.1.0-3-amd64\initrd.img-6.1.0-3-amd64 root=zfs:AUTO fbcon=rotate:3 intel_iommu=on zfs.zfs_arc_max=12884901888 quiet module.sig_enforce=1
DMAR: IOMMU enabled
Dentry cache hash table entries: 2097152 (order: 12, 16777216 bytes, linear)
Inode-cache hash table entries: 1048576 (order: 11, 8388608 bytes, linear)
mem auto-init: stack:all(zero), heap alloc:on, heap free:off
software IO TLB: area num 8.
-Memory: 2251624K/16687112K available (12294K kernel code, 2264K rwdata, 8860K rodata, 2732K init, 5404K bss, 493420K reserved, 0K cma-reserved)
+Memory: 2206152K/16687112K available (14342K kernel code, 2300K rwdata, 13348K rodata, 2760K init, 5216K bss, 499928K reserved, 0K cma-reserved)
SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=8, Nodes=1
-ftrace: allocating 39267 entries in 154 pages
-ftrace: allocated 154 pages with 4 groups
+ftrace: allocating 39944 entries in 157 pages
+ftrace: allocated 157 pages with 5 groups
Dynamic Preempt: voluntary
rcu: Preemptible hierarchical RCU implementation.
rcu: RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=8.
@@ -244,6 +243,7 @@ TOMOYO Linux initialized
LSM support for eBPF active
Mount-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
Mountpoint-cache hash table entries: 32768 (order: 6, 262144 bytes, linear)
+x86/cpu: SGX disabled by BIOS.
CPU0: Thermal monitoring enabled (TM1)
process: using mwait in idle threads
Last level iTLB entries: 4KB 64, 2MB 8, 4MB 8
@@ -257,7 +257,7 @@ Spectre V2 : mitigation: Enabling conditional Indirect Branch Prediction Barrier
Speculative Store Bypass: Mitigation: Speculative Store Bypass disabled via prctl
MMIO Stale Data: Mitigation: Clear CPU buffers
SRBDS: Mitigation: Microcode
-Freeing SMP alternatives memory: 32K
+Freeing SMP alternatives memory: 36K
smpboot: CPU0: Intel(R) Core(TM) i5-10210Y CPU @ 1.00GHz (family: 0x6, model: 0x8e, stepping: 0xc)
cblist_init_generic: Setting adjustable number of callback queues.
cblist_init_generic: Setting shift to 3 and lim to 1.
@@ -318,21 +318,18 @@ ACPI: Added _OSI(Module Device)
ACPI: Added _OSI(Processor Device)
ACPI: Added _OSI(3.0 _SCP Extensions)
ACPI: Added _OSI(Processor Aggregator Device)
-ACPI: Added _OSI(Linux-Dell-Video)
-ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
-ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
ACPI: 14 ACPI AML tables successfully acquired and loaded
ACPI: Dynamic OEM Table Load:
-ACPI: SSDT 0xFFFF9374C1827000 000441 (v02 PmRef Cpu0Ist 00003000 INTL 20160422)
+ACPI: SSDT 0xFFFF9DDE811D8000 000441 (v02 PmRef Cpu0Ist 00003000 INTL 20160422)
ACPI: \_PR_.PR00: _OSC native thermal LVT Acked
ACPI: Dynamic OEM Table Load:
-ACPI: SSDT 0xFFFF9374C182D000 0003FF (v02 PmRef Cpu0Cst 00003001 INTL 20160422)
+ACPI: SSDT 0xFFFF9DDE811BA800 0003FF (v02 PmRef Cpu0Cst 00003001 INTL 20160422)
ACPI: Dynamic OEM Table Load:
-ACPI: SSDT 0xFFFF9374C1837000 000D14 (v02 PmRef ApIst 00003000 INTL 20160422)
+ACPI: SSDT 0xFFFF9DDE81813000 000D14 (v02 PmRef ApIst 00003000 INTL 20160422)
ACPI: Dynamic OEM Table Load:
-ACPI: SSDT 0xFFFF9374C1829400 000317 (v02 PmRef ApHwp 00003000 INTL 20160422)
+ACPI: SSDT 0xFFFF9DDE811BA000 000317 (v02 PmRef ApHwp 00003000 INTL 20160422)
ACPI: Dynamic OEM Table Load:
-ACPI: SSDT 0xFFFF9374C1828800 00030A (v02 PmRef ApCst 00003000 INTL 20160422)
+ACPI: SSDT 0xFFFF9DDE811BA400 00030A (v02 PmRef ApCst 00003000 INTL 20160422)
ACPI: EC: EC started
ACPI: EC: interrupt blocked
ACPI: EC: EC_CMD/EC_SC=0x66, EC_DATA=0x62
@@ -454,7 +451,7 @@ PCI: pci_cache_line_size set to 64 bytes
e820: reserve RAM buffer [mem 0x00058000-0x0005ffff]
e820: reserve RAM buffer [mem 0x0009e000-0x0009ffff]
e820: reserve RAM buffer [mem 0x84ff1000-0x87ffffff]
-e820: reserve RAM buffer [mem 0x88627000-0x8bffffff]
+e820: reserve RAM buffer [mem 0x88626000-0x8bffffff]
e820: reserve RAM buffer [mem 0x8bc67000-0x8bffffff]
e820: reserve RAM buffer [mem 0x8d000000-0x8fffffff]
e820: reserve RAM buffer [mem 0x46f000000-0x46fffffff]
@@ -563,16 +560,17 @@ pci 0000:01:00.0: Adding to iommu group 12
pci 0000:02:00.0: Adding to iommu group 13
DMAR: Intel(R) Virtualization Technology for Directed I/O
PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
-software IO TLB: mapped [mem 0x000000007adb1000-0x000000007edb1000] (64MB)
+software IO TLB: mapped [mem 0x000000007ad5a000-0x000000007ed5a000] (64MB)
platform rtc_cmos: registered platform RTC device (no PNP device found)
Initialise system trusted keyrings
Key type blacklist registered
workingset: timestamp_bits=36 max_order=22 bucket_order=0
zbud: loaded
integrity: Platform Keyring initialized
+integrity: Machine keyring initialized
Key type asymmetric registered
Asymmetric key parser 'x509' registered
-Freeing initrd memory: 18748K
+Freeing initrd memory: 19096K
alg: self-tests for CTR-KDF (hmac(sha256)) passed
Block layer SCSI generic (bsg) driver version 0.4 loaded (major 250)
io scheduler mq-deadline registered
@@ -631,7 +629,6 @@ integrity: Loading X.509 certificate: UEFI:db
integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
ima: No TPM chip found, activating TPM-bypass!
ima: Allocated hash algorithm: sha256
-ima: No architecture policies found
evm: Initialising EVM extended attributes:
evm: security.selinux
evm: security.SMACK64 (disabled)
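Review bot: the line that disappears in this hunk, `ima: No architecture policies found`, is what 6.0 printed when it had no Secure Boot-derived IMA policy to install; its absence on 6.1 means the newer kernel now does find and install such a policy (the installed rules surface as the `audit: type=1807` lines in the next hunk), so the difference between the two boots is not limited to the additive machine keyring. Comparing the IMA options in `/boot/config-6.0.0-5-amd64` and `/boot/config-6.1.0-3-amd64` (CONFIG_IMA_ARCH_POLICY in particular) would show whether this is a build-configuration change rather than a runtime one.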
@@ -642,12 +639,14 @@ evm: security.apparmor
evm: security.ima
evm: security.capability
evm: HMAC attrs: 0x1
+audit: type=1807 audit(1675224608.559:2): action=measure func=KEXEC_KERNEL_CHECK res=1
+audit: type=1807 audit(1675224608.559:3): action=measure func=MODULE_CHECK res=1
Lockdown: swapper/0: hibernation is restricted; see man kernel_lockdown.7
Freeing unused decrypted memory: 2036K
-Freeing unused kernel image (initmem) memory: 2732K
-Write protecting the kernel read-only data: 24576k
+Freeing unused kernel image (initmem) memory: 2760K
+Write protecting the kernel read-only data: 30720k
Freeing unused kernel image (text/rodata gap) memory: 2040K
-Freeing unused kernel image (rodata/data gap) memory: 1380K
+Freeing unused kernel image (rodata/data gap) memory: 988K
x86/mm: Checked W+X mappings: passed, no W+X pages found.
Run /init as init process
with arguments:
-...
+Loading of module with unavailable key is rejected
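Review bot: the two added `audit: type=1807 ... action=measure` rules are measurement rules, not appraisal rules, so on their own they cannot refuse a module; the refusal is the final `Loading of module with unavailable key is rejected` line, which is the wording the module signature checker uses when the signature parses but no key for it is found in the keyrings module loading consults, and it is turned into a hard failure by the `module.sig_enforce=1` on the command line. That wording matches the "matching certificate" correction at the top of the message. Since the `babtop.nabijaczleweli.xyz` certificate is reported with source `UEFI:db` on both kernels, the open question is which keyring it lands in and which keyrings module loading trusts on 6.1; `keyctl show` on `%:.platform`, `%:.machine` and `%:.secondary_trusted_keys` under each kernel would show that directly. Note also that the 6.0 side of this hunk is `...`, so the corresponding 6.0 module-load message is not in the diff and has to be read from the attached full dmesg.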
-- >8 --
The only other thing that jumps out is maybe that "integrity: Machine
keyring initialized" is also seen? But that's only additive
(to support the MOK mechanism, from a quick glance at
security/integrity/platform_certs/machine_keyring.c),
and the other certs are already loaded from before.
Similarly, security/integrity/platform_certs/platform_keyring.c was last
touched in 2019, and the interesting parts of
security/integrity/platform_certs/load_uefi.c
security/integrity/platform_certs/efi_parser.c
are of about the same vintage.
It's very much unclear to me what's happened here.
Best,
наб
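An added example (not part of this report or of Debian's tooling) that does the timestamp-stripped comparison described above in a reusable form: it attributes every `Loaded X.509 cert` line to the source announced just before it (compiled-in, UEFI:db, ...) and reports only the trust-anchor, IMA, audit-rule and lockdown lines that differ between two dmesg captures. The embedded captures are constructed from the lines quoted in this message; the `[ 0.520000]` and `[ 1.000000]` timestamps are made up.

```python
import re

TIME_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
SOURCE_RE = re.compile(r"Loading (?:compiled-in X\.509 certificates|X\.509 certificate: (?P<src>\S+))")
CERT_RE = re.compile(r"Loaded X\.509 cert '(?P<subject>.+): (?P<fpr>[0-9a-f]{40})'")
# Substrings that mark the trust-anchor, IMA, audit-policy and lockdown lines worth comparing.
MARKERS = ("X.509", "keyring", "ima:", "audit: type=1807", "Lockdown", "locked down", "unavailable key")

def strip_time(line):
    """Drop the '[    0.757146] ' boot timestamp so two captures line up."""
    return TIME_RE.sub("", line.strip())

def parse_certs(lines):
    """Map each loaded cert fingerprint to (subject, {sources it was loaded from})."""
    certs, source = {}, "unknown"
    for raw in lines:
        line = strip_time(raw)
        m = SOURCE_RE.search(line)
        if m:  # a 'Loading ...' line announces where the next cert comes from
            source = m.group("src") or "compiled-in"
            continue
        m = CERT_RE.search(line)
        if m:
            certs.setdefault(m.group("fpr"), (m.group("subject"), set()))[1].add(source)
    return certs

def security_lines(lines):
    """Keep only the timestamp-stripped lines that concern trust anchors, IMA or lockdown."""
    return [l for l in map(strip_time, lines) if any(k in l for k in MARKERS)]

def diff_security(old_lines, new_lines):
    """(removed, added) security lines between two captures, ignoring order and timestamps."""
    old, new = set(security_lines(old_lines)), set(security_lines(new_lines))
    return sorted(old - new), sorted(new - old)

# Constructed excerpts, assembled from the lines quoted in the report above.
DMESG_60 = """[    0.737895] Loading compiled-in X.509 certificates
[    0.751773] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    0.756673] integrity: Loading X.509 certificate: UEFI:db
[    0.757146] integrity: Loaded X.509 cert 'babtop.nabijaczleweli.xyz: 82b7fc21cc3f583ac4a7b05712d95377f41fbdd6'
[    0.757147] integrity: Loading X.509 certificate: UEFI:db
[    0.757296] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    0.758493] ima: No TPM chip found, activating TPM-bypass!
[    0.758497] ima: No architecture policies found""".splitlines()
DMESG_61 = DMESG_60[:-1] + [  # 6.1: arch-policy line gone, new keyring, audit rule, module rejection
    "[    0.520000] integrity: Machine keyring initialized",
    "[    0.758500] audit: type=1807 audit(1675224608.559:3): action=measure func=MODULE_CHECK res=1",
    "[    1.000000] Loading of module with unavailable key is rejected",
]
```

Running `diff_security` over two real `dmesg` dumps (after `dmesg > file` under each kernel) gives the same short list without hand-trimming the timestamps.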