XPost: linux.debian.bugs.dist
From: cliffjkilby@gmail.com
There does appear to be a complication for this change. keyctl can add
trusted, but not read encrypted keys:
# keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
# keyctl pipe `keyctl search @u encrypted evm-key`
keyctl_read_alloc: Operation not supported
# keyctl search @u encrypted evm-key
58969095
The key exists but cannot be read. This appears to be due to
https://bugzilla.kernel.org/show_bug.cgi?id=202577
If trusted is a module, and encrypted is builtin, encrypted cannot open a
trusted key because the masterkey_trusted.o types are not exported out of
the encrypted-keys namespace?
(mind you, I am not a kernel developer, and this C is ... waaaaay out of my
league.)
In summary:
CONFIG_TRUSTED_KEYS=n && CONFIG_ENCRYPTED_KEYS=y == keyctl add trusted
fails.
CONFIG_TRUSTED_KEYS=m && CONFIG_ENCRYPTED_KEYS=y == keyctl read encrypted
from a trusted key fails.
In order to have both, both have to be modules (to export the types), or
both have to be builtin (to use the shared type lookups?).
CONFIG_TRUSTED_KEYS=y
I built the kernel again with the change above and :
# uname -a
Linux debian 6.12.43 #28 SMP PREEMPT_DYNAMIC Tue Sep 9 12:57:21 EDT 2025 x86_64 GNU/Linux
# dmesg | grep -P '(trusted|encrypted)'
[ 1.779375] Initialise system trusted keyrings
[ 4.969001] Key type trusted registered
[ 5.001211] Key type encrypted registered
[   24.235628] trusted_key: encrypted_key: master key parameter '' is invalid
# keyctl search @u trusted kmk-trusted
625450296
# keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
234222391
# keyctl link @u @s
# keyctl pipe `keyctl search @u encrypted evm-key`
default trusted:kmk-trusted 32 <>
Success.
Given my original goal was to follow the instructions as provided, I change
my request to reconfigure the kernel build to CONFIG_TRUSTED_KEYS=y to fix
the keyctl for both trusted and encrypted types.
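As an added example (not part of the report above), a POSIX sh check that reads a kernel .config and classifies the CONFIG_TRUSTED_KEYS / CONFIG_ENCRYPTED_KEYS combination against the summary in the report, so the failing combination can be spotted before any keyctl step is attempted. The sample config text and the verdict names are constructed for the example.

```shell
#!/bin/sh
# Added example: classify a kernel .config against the behaviour reported
# above.  TRUSTED=n, ENCRYPTED=y -> "keyctl add trusted" fails;
# TRUSTED=m, ENCRYPTED=y -> an encrypted key over a trusted master cannot
# be read; both =y or both =m -> the trusted:kmk workflow works.

# Print the value of one CONFIG_ option from config text.
# "# CONFIG_FOO is not set" is reported as "n", a missing option as "".
config_value() {
    # $1: option name, $2: full config text
    printf '%s\n' "$2" | awk -v opt="$1" '
        $0 == ("# " opt " is not set") { print "n"; exit }
        index($0, opt "=") == 1 { sub(opt "=", ""); print; exit }
    '
}

# Print a one-word verdict for a config text (names are constructed):
#   ok | unreadable | no_trusted | none | other
keyring_verdict() {
    trusted=$(config_value CONFIG_TRUSTED_KEYS "$1")
    encrypted=$(config_value CONFIG_ENCRYPTED_KEYS "$1")
    case "$trusted:$encrypted" in
        y:y|m:m) echo ok ;;          # same build type, as in the fixed build
        m:y)     echo unreadable ;;  # encrypted builtin, trusted module
        n:y|:y)  echo no_trusted ;;  # "keyctl add trusted" fails
        *:y)     echo other ;;       # combination not covered by the report
        *)       echo none ;;        # encrypted keys not available at all
    esac
}

# Constructed sample reproducing the failing combination from the report.
SAMPLE_BAD='CONFIG_TRUSTED_KEYS=m
CONFIG_ENCRYPTED_KEYS=y'

# Usage: check the running kernel's config when it is readable,
# otherwise show the verdict for the constructed sample.
if [ -r "/boot/config-$(uname -r)" ]; then
    keyring_verdict "$(cat "/boot/config-$(uname -r)")"
else
    keyring_verdict "$SAMPLE_BAD"
fi
```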
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)