Turns out Debian .config includes dyndbg, so I tried booting with dyndbg="+pfm; module iommu =_; module acpi =_" log_buf_len=4M and got A Result.
In both cases I broke as in the initrd (too late, it seems),
echo MARK > /dev/kmsg
modprobe zfs
echo MARK > /dev/kmsg
modprobe vfat
echo MARK > /dev/kmsg
then i turned off dyndbg.
dmesg and journalctl -b in resp. files
(all compressed now, sorry; dmesgs are 4M and journals 6M per).
dkms-$kver is /lib/modules/.../dkms (with the DKMSed .kos)
and I also added vfat.ko for reference,
but that's, naturally, from the package.
Interesting bits: /both/ logs have this exact fragment
(time is different, of course):
[ 0.756794] integrity: Loaded X.509 cert 'babtop.nabijaczleweli.xyz:
82b7fc21cc3f583ac4a7b05712d95377f41fbdd6'
[ 0.756794] integrity: Loading X.509 certificate: UEFI:db
[ 0.756795] asymmetric_keys:asymmetric_key_preparse: Trying parser 'x509'
[ 0.756834] x509_key_parser:x509_note_sig_algo: X.509: PubKey Algo: 15
[ 0.756955] x509_key_parser:x509_process_extension: X.509: Extension: 44
[ 0.756973] x509_key_parser:x509_process_extension: X.509: Extension: 71
[ 0.756987] x509_key_parser:x509_note_OID: X.509: Unknown OID: [551]
2.16.840.1.113730.1.1
[ 0.756995] x509_key_parser:x509_process_extension: X.509: Extension: 98
[ 0.757013] x509_key_parser:x509_process_extension: X.509: Extension: 72
[ 0.757033] x509_key_parser:x509_process_extension: X.509: Extension: 65
[ 0.757052] x509_key_parser:x509_process_extension: X.509: Extension: 68
[ 0.757071] x509_key_parser:x509_process_extension: X.509: Extension: 64
[ 0.757072] x509_key_parser:x509_process_extension: X.509: subjkeyid
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
[ 0.757087] x509_key_parser:x509_note_tbs_certificate: X.509:
x509_note_tbs_certificate(,4,04,8,646)!
[ 0.757106] x509_key_parser:x509_note_signature: X.509: Signature: alg=15,
size=257
[ 0.757117] x509_key_parser:x509_akid_note_kid: X.509: AKID: keyid:
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
[ 0.757118] x509_key_parser:x509_akid_note_kid: X.509: authkeyid
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1
[ 0.757271] asymmetric_keys:asymmetric_key_preparse: Parser recognised the
format (ret 0)
[ 0.757274] integrity: Loaded X.509 cert 'Debian Secure Boot CA:
6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[ 0.757687] integrity:load_uefi_certs: integrity: dbx variable wasn't found
[ 0.758064] integrity:load_uefi_certs: integrity: mokx variable wasn't found
[ 0.758435] integrity:load_moklist_certs: integrity: MokListRT variable
wasn't found
And when loading vfat, both have this
(uargs and the mokx digest are different, that's expected):
[ 37.135400] MARK
[ 40.188878] main:__do_sys_finit_module: finit_module: fd=3,
uargs=0000000061bb63d7, flags=0
[ 40.190252] pkcs7_message:pkcs7_find_key: PKCS7: Sig 1: Issuing X.509 cert
not found
(#32a0287f841a036fa393c1e065c43ae6b2422643311e301c0603550403131544656269616e2053656375
26081 726520426f6f74204341)
[ 40.190256] asymmetric_keys:find_asymmetric_key: Look up:
"ex:32a0287f841a036fa393c1e065c43ae6b2422643311e301c0603550403131544656269616e2053656375726520426f6f74204341"
[ 40.191459] signing:mod_is_hash_blacklisted: 188779 digest:
ba2fe77f90be3c8ca26422359c20213f9dd0f68c9b9bbd1f54f47e77e6e124cf
[ 40.191470] main:layout_sections: Core section allocation order:
[ 40.191472] main:layout_sections: .text
[ 40.191473] main:layout_sections: .text.unlikely
[ 40.191474] main:layout_sections: .exit.text
But when searching for 7e7595e2f222646de0dcfee034bd181ed37844b7
(to get the first instance of a DKMSed module being loaded;
that bit also matches the cert serial, apparently),
6.0.0-5-amd64 says this:
[ 1.757036] main:__do_sys_finit_module: finit_module: fd=3,
uargs=00000000160ad9df, flags=0
[ 1.758562] pkcs7_message:pkcs7_find_key: PKCS7: Sig 1: Issuing X.509 cert
not found
(#7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d06035504070c064b72616b6f7731)
[ 1.758566] asymmetric_keys:find_asymmetric_key: Look up:
"ex:7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d06035504070c064b72616b6f773122302006035504030c19626162746f702e6e6162696a61637a6c6577656c692e78797a"
[ 1.758572] asymmetric_keys:find_asymmetric_key: Request for key
'ex:7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d06035504070c064b72616b6f773122302006035504030c19626162746f702e6e6162696a61637a6c6577656c692e78797a'
err -11
[ 1.759871] pkcs7_message:pkcs7_find_key: PKCS7: Sig 1: Issuing X.509 cert
not found
(#7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d06035504070c064b72616b6f7731)
[ 1.759872] asymmetric_keys:find_asymmetric_key: Look up:
"ex:7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d06035504070c064b72616b6f773122302006035504030c19626162746f702e6e6162696a61637a6c6577656c692e78797a"
[ 1.761421] signing:mod_is_hash_blacklisted: 233242 digest:
f4bef7055edd1138e68926ab010f9925dd88680732d7f47042b879a7fd9ef66a
[ 1.761434] spl: loading out-of-tree module taints kernel.
[ 1.761443] main:layout_sections: Core section allocation order:
[ 1.761444] main:layout_sections: .text
[ 1.761445] main:layout_sections: .text.unlikely
But 6.1.0-3-amd64 says this:
[ 1.733680] main:__do_sys_finit_module: finit_module: fd=3,
uargs=00000000822587e4, flags=0
[ 1.736878] pkcs7_message:pkcs7_find_key: PKCS7: Sig 1: Issuing X.509 cert
not found
(#7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b
27399 0c024442310f300d06035504070c064b72616b6f7731)
[ 1.736881] asymmetric_keys:find_asymmetric_key: Look up:
"ex:7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d060355040
27400
70c064b72616b6f773122302006035504030c19626162746f702e6e6162696a61637a6c6577656c692e78797a"
[ 1.736887] asymmetric_keys:find_asymmetric_key: Request for key
'ex:7e7595e2f222646de0dcfee034bd181ed37844b7310b300906035504061302504c310b3009060355040b0c024442310f300d06
27401
035504070c064b72616b6f773122302006035504030c19626162746f702e6e6162696a61637a6c6577656c692e78797a'
err -11
[ 1.736890] Loading of module with unavailable key is rejected
What this means is unclear to me, but it's odd.
наб
signature.asc
Description: PGP signature
