This morning I updated my kernel and I get this error after every reboot.
Aug 14 16:08:48 rocinante-v3 kernel: blacklist: Problem blacklisting hash (-13)
Aug 14 16:08:48 rocinante-v3 kernel: blacklist: Problem blacklisting hash (-13)
Aug 14 16:08:48 rocinante-v3 kernel: blacklist: Problem blacklisting hash (-13)
Aug 14 16:08:48 rocinante-v3 kernel: blacklist: Problem blacklisting hash (-13)
Aug 14 16:08:48 rocinante-v3 kernel: blacklist: Problem blacklisting hash (-13)
Aug 14 16:08:48 rocinante-v3 kernel: blacklist: Problem blacklisting hash (-13)
Does anyone know what this error means?
System info:
inxi -Fxxc0z
System:
Kernel: 5.19.1-arch2-1 arch: x86_64 bits: 64 compiler: gcc v: 12.1.1
Desktop: KDE Plasma v: 5.25.4 tk: Qt v: 5.15.5 wm: kwin_x11 dm: SDDM
Distro: Arch Linux
Machine:
Type: Desktop Mobo: Micro-Star model: B450 TOMAHAWK MAX (MS-7C02) v: 1.0
serial: <superuser required> UEFI: American Megatrends LLC. v: 3.C3
date: 09/27/2021
CPU:
Info: 6-core model: AMD Ryzen 5 3600 bits: 64 type: MT MCP arch: Zen 2
rev: 0 cache: L1: 384 KiB L2: 3 MiB L3: 32 MiB
Speed (MHz): avg: 2199 high: 2200 min/max: 2200/4208 boost: enabled
cores: 1: 2200 2: 2196 3: 2200 4: 2199 5: 2200 6: 2200 7: 2200 8: 2200
9: 2199 10: 2200 11: 2200 12: 2200 bogomips: 86439
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm
Graphics:
Device-1: AMD Navi 23 [Radeon RX 6600/6600 XT/6600M] vendor: ASUSTeK
driver: amdgpu v: kernel arch: RDNA-2 pcie: speed: 16 GT/s lanes: 16 ports:
active: DP-1 empty: DP-2,DP-3,HDMI-A-1 bus-ID: 28:00.0 chip-ID: 1002:73ff
Display: x11 server: X.Org v: 21.1.4 compositor: kwin_x11 driver: X:
loaded: amdgpu unloaded: modesetting alternate: fbdev,vesa gpu: amdgpu
display-ID: :0 screens: 1
Screen-1: 0 s-res: 2560x1440 s-dpi: 96
Monitor-1: DP-1 mapped: DisplayPort-0 model: AOC Q3279WG5B res: 2560x1440
dpi: 90 diag: 842mm (33.1")
OpenGL: renderer: AMD Radeon RX 6600 (dimgrey_cavefish LLVM 14.0.6 DRM
3.47 5.19.1-arch2-1) v: 4.6 Mesa 22.1.6 direct render: Yes
Audio:
Device-1: AMD Navi 21/23 HDMI/DP Audio driver: snd_hda_intel v: kernel
bus-ID: 3-1:2 pcie: speed: 16 GT/s chip-ID: 0951:1723 lanes: 16
bus-ID: 28:00.1 chip-ID: 1002:ab28
Device-2: AMD Starship/Matisse HD Audio vendor: Micro-Star MSI
driver: snd_hda_intel v: kernel pcie: speed: 16 GT/s lanes: 16
bus-ID: 2a:00.4 chip-ID: 1022:1487
Device-3: Kingston HyperX Cloud Flight Wireless type: USB
driver: hid-generic,snd-usb-audio,usbhid
Sound Server-1: ALSA v: k5.19.1-arch2-1 running: yes
Sound Server-2: PulseAudio v: 16.1 running: no
Sound Server-3: PipeWire v: 0.3.56 running: yes
Network:
Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet
vendor: Micro-Star MSI driver: r8169 v: kernel pcie: speed: 2.5 GT/s
lanes: 1 port: f000 bus-ID: 22:00.0 chip-ID: 10ec:8168
IF: enp34s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
IF-ID-1: virbr0 state: down mac: <filter>
Drives:
Local Storage: total: 1.42 TiB used: 295.82 GiB (20.3%)
ID-1: /dev/nvme0n1 vendor: Western Digital model: WDS500G3X0C-00SJG0
size: 465.76 GiB speed: 31.6 Gb/s lanes: 4 serial: <filter> temp: 40.9 C
ID-2: /dev/sda vendor: Western Digital model: WDS100T2B0A-00SM50
size: 931.51 GiB speed: 6.0 Gb/s serial: <filter>
ID-3: /dev/sdb type: USB vendor: Kingston model: DataTraveler 3.0
size: 57.62 GiB serial: <filter>
Partition:
ID-1: / size: 456.89 GiB used: 31.57 GiB (6.9%) fs: ext4
dev: /dev/nvme0n1p2
ID-2: /boot/efi size: 511 MiB used: 160 KiB (0.0%) fs: vfat
dev: /dev/nvme0n1p1
Swap:
ID-1: swap-1 type: file size: 8 GiB used: 0 KiB (0.0%) priority: -2
file: /swapfile
Sensors:
System Temperatures: cpu: 31.0 C mobo: 31.0 C gpu: amdgpu temp: 37.0 C
mem: 34.0 C
Fan Speeds (RPM): fan-1: 0 fan-2: 728 fan-3: 0 fan-4: 0 fan-5: 699
fan-6: 719 gpu: amdgpu fan: 911
Info:
Processes: 326 Uptime: 2h 20m Memory: 31.27 GiB used: 5.15 GiB (16.5%)
Init: systemd v: 251 default: graphical Compilers: gcc: 12.1.1 Packages:
pacman: 1150 Shell: Zsh v: 5.9 running-in: konsole inxi: 3.3.20
Last edited by bitterhalt (2022-08-14 15:31:10)
Why do you have hash blacklisted?
Why do you have hash blacklisted?
I haven't blacklisted anything. This error started after kernel update.
edit: It seems to have something to do with the latest kernel because error goes away if I choose LTS-kernel on boot.
Last edited by bitterhalt (2022-08-14 16:31:14)
I also am reporting the same errors on boot after updating to 5.19.1
https://github.com/torvalds/linux/blob/ … ist.c#L195 is the error message, the related feature is explained in https://github.com/torvalds/linux/commi … 01d87b6d06 the new output might possibly be caused by https://github.com/torvalds/linux/commi … 7d1c421ce0
I'm seeing this as well, unfortunately from the links above I'm not seeing much that would explain why it's failing? In my dmesg I see a couple of lines referencing some MS and generic UEFI certs, just before the blacklist errors.
[ 0.503212] integrity: Loading X.509 certificate: UEFI:db
[ 0.503223] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 0.503224] integrity: Loading X.509 certificate: UEFI:db
[ 0.503231] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 0.503401] blacklist: Problem blacklisting hash (-13)
[ 0.503404] fbcon: Taking over console
[ 0.503429] Console: switching to colour frame buffer device 215x45
[ 0.503528] blacklist: Problem blacklisting hash (-13)
[ 0.503560] blacklist: Problem blacklisting hash (-13)
[ 0.503584] blacklist: Problem blacklisting hash (-13)
[ 0.503619] blacklist: Problem blacklisting hash (-13)
[ 0.503637] blacklist: Problem blacklisting hash (-13)
There's no mention of these certs from my previous boot on 5.18
At a guess the kernel parsing of hashes (including hashes of blacklisted UEFI certificates / blobs) has either been changed or is being used for the first time and some of the hashes supplied by the system's firmware are being rejected.
Last edited by loqs (2022-08-14 20:42:04)
I also have this issue after upgrade, following this topic for now.
Similar problems after updating to linux-5.19.1 I was unable to boot the system. Just froze at the point where GRUB tries to load a kernel image, had to rollback to previous version.
Similar problems after updating to linux-5.19.1 I was unable to boot the system. Just froze at the point where GRUB tries to load a kernel image, had to rollback to previous version.
As your system fails during boot it seems unlikely to be the same issue. Please start a new thread. Provide in it details of the affected system's hardware, and what kernel options you have tried. Please also link to your bugtracker report.
Hello,
Exactly the same issue since I upgraded to kernel 5.19
[ 2.203800] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 2.203800] integrity: Loading X.509 certificate: UEFI:db
[ 2.203810] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 2.204562] blacklist: Problem blacklisting hash (-13)
[ 2.204618] blacklist: Problem blacklisting hash (-13)
[ 2.204652] blacklist: Problem blacklisting hash (-13)
[ 2.204684] blacklist: Problem blacklisting hash (-13)
[ 2.204716] blacklist: Problem blacklisting hash (-13)
[ 2.204747] blacklist: Problem blacklisting hash (-13)
[ 2.204779] blacklist: Problem blacklisting hash (-13)
[ 2.204810] blacklist: Problem blacklisting hash (-13)
Any idea would be great.
thanks in advance
-13 is -EACCES and from https://github.com/torvalds/linux/blob/ … key.c#L809
* Returns a pointer to the new key if successful, -ENODEV if the key type
* wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
* caller isn't permitted to modify the keyring or the LSM did not permit
* creation of the key.
Caller does not have access or blocked by Linux Security Module.
Edit:
If you add the kernel parameter lsm= does that have any effect? Have you tried removing all keys from the system's firmware? (Please ensure the system does not use the keys before attempting this)
Last edited by loqs (2022-08-19 00:45:52)
-13 is -EACCES and from https://github.com/torvalds/linux/blob/ … key.c#L809
* Returns a pointer to the new key if successful, -ENODEV if the key type
* wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the
* caller isn't permitted to modify the keyring or the LSM did not permit
* creation of the key.
Caller does not have access or blocked by Linux Security Module.
Edit:
If you add the kernel parameter lsm= does that have any effect? Have you tried removing all keys from the system's firmware? (Please ensure the system does not use the keys before attempting this)
i added "lsm=" and it did nothing for me. how do i remove keys? i don't have secure boot disabled** and tpm is disabled. also, if the system is working fine, is it an "actual problem that can cause harm?"
edit:
so i went digging in my secure boot settings (i have a msi b550 tomahawk) and even though i have secure boot disabled, apparently the keys don't disable. so i removed all the keys and now the error went away.
Last edited by orlfman (2022-08-19 03:54:58)
if the system is working fine, is it an "actual problem that can cause harm?"
Almost certainly not.
orlfman wrote: if the system is working fine, is it an "actual problem that can cause harm?"
Almost certainly not.
thanks! i edited my post above but i did figure out how to remove the keys from my bios and the error is gone completely now.
Cool, on my Lenovo ThinkPad T14 there was the same problem with keys not being deleted...
In bios I had secure boot <disabled>, but I had not deleted all the <secure boot keys> I suppose.
I deleted the keys and now the problem went away.
Thanks guys!
Well my MSI X570 Tomahawk BIOS doesn't seem to want to allow me to clear the keys
Well my MSI X570 Tomahawk BIOS doesn't seem to want to allow me to clear the keys
I have the same board. Is there even an option to do so? I could only find options to disable TPM and similar.
Maybe late to the party, but for MSI boards (mostly dealt w b450) there is an option to disable default keys filling after purge...
> Settings>Advanced>Windows OS Configuration>Secure Boot>Key Management> Provision Factory Default Key Management < set to disabled
Sorry if necroing, seemed relevant (to me)...
Last edited by lazarys (2022-10-18 15:46:17)
These kernel messages should be treated as a warning, not an error. You should not remove blacklisted hashes (i.e. do not clear secure boot keys), this is a security measure to protect against malicious signatures. These kernel messages now show because we hardened this security mechanism, and it now reveals issues with some firmwares. There is an ongoing kernel patch to update this error message: https://lore.kernel.org/lkml/3b997266-0 … gikod.net/
Last edited by mickael (2022-11-08 16:53:50)
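Added example, not part of any post in this thread and not kernel code: a read-only look at the firmware revocation list (dbx) that supplies the hashes the kernel tries to blacklist, as a way to inspect it without clearing any keys. It assumes the efivarfs path below and the EFI_SIGNATURE_LIST layout from the UEFI specification; counting repeated digests is this example's own choice of check, since the thread does not establish what triggers the -13, and the sample data is constructed.

```python
import hashlib, struct, uuid
from collections import Counter

# Signature type GUIDs from the UEFI specification.
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPES = {SHA256_GUID: "sha256",
             uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509"}
# Assumed location of the dbx variable on a system with efivarfs mounted.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(blob):
    """Yield (type_name, owner_guid, data) for each entry in a run of EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of entries")
        name = SIG_TYPES.get(sig_type, str(sig_type))
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield name, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def summarize(blob):
    """Return (entry count per type, hex SHA-256 digests that are listed more than once)."""
    entries = list(parse_signature_lists(blob))
    per_type = Counter(name for name, _, _ in entries)
    seen = Counter(data.hex() for name, _, data in entries if name == "sha256")
    return dict(per_type), sorted(h for h, n in seen.items() if n > 1)

def sample_list(digests):
    """Build a constructed SHA-256 signature list (test data, not real dbx content)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + d for d in digests)
    return SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed sample: two lists, three entries, one digest listed twice.
_A, _B = (hashlib.sha256(s).digest() for s in (b"constructed-a", b"constructed-b"))
SAMPLE_DBX = sample_list([_A, _B]) + sample_list([_A])

if __name__ == "__main__":
    with open(DBX_PATH, "rb") as f:
        data = f.read()[4:]  # efivarfs prepends 4 attribute bytes to the value
    print(summarize(data))
```

The number of sha256 entries it reports can be compared with the number of "Problem blacklisting hash" lines in dmesg for the same boot.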