UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

durchd8.de
Posts: 20
Joined: 2015/01/09 14:58:55

UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

Post by durchd8.de » 2020/12/17 14:51:49

Holla,

I am not entirely sure if it is a Hardware problem, a kernel problem or a security issue. Hence posting here:

OS: CentOS Linux release 8.3.2011
kernel: 4.18.0-240.1.1.el8_3.x86_64
installation: fresh minimal installation from USB via standard ISO (downloaded several times from various CentOS mirrors)

Hardware:
- Supermicro MB1 M11SDV-4CT-LN4F (AMD EPYC 3101)
- 8 GB RAM
- Avago Megaraid MR9341-4i with 4 WD HDD
- NvME: Samsung SSD 970 EVO Plus 1TB

Problem:
Whatever I do upon a new installation I receive the error:

integrity: Problem loading X.509 certificate -74
in dmesg and log.

Overall the system "feels" fine on anything else were it not for that error message. Also this message pops up upon secureboot enabled or disabled. Supermicro support wasn't able to reproduce the error with the hardware, CMOS flush didn't help either, but the hardware is ok.

Reinstalled the system a myriad of times and I plain have no clue what's going on... What did I do wrong or where does the error come from? Attached the last log entries:

Dec 17 15:02:00 dehhkps1 kernel: Loading compiled-in X.509 certificates
Dec 17 15:02:00 dehhkps1 kernel: Loaded X.509 cert 'CentOS kernel signing key: 8128ba996c6a4fae9ab40fd1b62650e68a203e54'
Dec 17 15:02:00 dehhkps1 kernel: Loaded X.509 cert 'CentOS Linux Driver update signing key: 29bd4c0d06d2e9911044b5dc973309139b51d6d5'
Dec 17 15:02:00 dehhkps1 kernel: Loaded X.509 cert 'CentOS Linux kpatch signing key: b49f086205909dc4da2cfa99376fb191d2f09e78'
Dec 17 15:02:00 dehhkps1 kernel: zswap: loaded using pool lzo/zbud
Dec 17 15:02:00 dehhkps1 kernel: page_owner is disabled
Dec 17 15:02:00 dehhkps1 kernel: Key type big_key registered
Dec 17 15:02:00 dehhkps1 kernel: Key type encrypted registered
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loading X.509 certificate: UEFI:db
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loading X.509 certificate: UEFI:db
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loading X.509 certificate: UEFI:db
Dec 17 15:02:00 dehhkps1 kernel: integrity: Problem loading X.509 certificate -74
Dec 17 15:02:00 dehhkps1 kernel: Error adding keys to platform keyring UEFI:db
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loading X.509 certificate: UEFI:db
Dec 17 15:02:00 dehhkps1 kernel: alg: No test for pkcs1pad(rsa,sha1) (pkcs1pad(rsa-generic,sha1))
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loaded X.509 cert 'AddTrust External CA Root: adbd987a34b426f7fac42654ef03bde024cb541a'
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Dec 17 15:02:00 dehhkps1 kernel: integrity: Loaded X.509 cert 'CentOS Secure Boot CA 2: 70007f99209c126be14774eaec7b6d9631f34dca'

DMESG output:
[ 0.761801] Loading compiled-in X.509 certificates
[ 0.791026] Loaded X.509 cert 'CentOS kernel signing key: 8722700eaf478598cea8937c54c436d1addc428d'
[ 0.791045] Loaded X.509 cert 'CentOS Linux Driver update signing key: 29bd4c0d06d2e9911044b5dc973309139b51d6d5'
[ 0.791054] Loaded X.509 cert 'CentOS Linux kpatch signing key: b49f086205909dc4da2cfa99376fb191d2f09e78'
[ 0.791076] zswap: loaded using pool lzo/zbud
[ 0.791132] page_owner is disabled
[ 0.795876] Key type big_key registered
[ 0.798221] Key type encrypted registered
[ 0.798987] integrity: Loading X.509 certificate: UEFI:db
[ 0.799011] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 0.799012] integrity: Loading X.509 certificate: UEFI:db
[ 0.799028] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 0.799028] integrity: Loading X.509 certificate: UEFI:db
[ 0.799032] integrity: Problem loading X.509 certificate -74
[ 0.799124] Error adding keys to platform keyring UEFI:db
[ 0.799124] integrity: Loading X.509 certificate: UEFI:db
[ 0.800654] alg: No test for pkcs1pad(rsa,sha1) (pkcs1pad(rsa-generic,sha1))
[ 0.801564] integrity: Loaded X.509 cert 'AddTrust External CA Root: adbd987a34b426f7fac42654ef03bde024cb541a'
[ 0.802325] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 0.802490] integrity: Loaded X.509 cert 'CentOS Secure Boot CA 2: 70007f99209c126be14774eaec7b6d9631f34dca'
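
Added example, not part of the original post: a Python sketch that pairs each "Loading X.509 certificate" line from the dmesg output above with its outcome and names the errno, which shows the failure is the third certificate attempted from UEFI:db and that 74 is EBADMSG in Linux's errno numbering. The function name `audit` and the small errno table are assumptions of this example.

```python
import re

# Linux errno numbers (asm-generic), hard-coded so the result is the same on any OS.
LINUX_ERRNO = {12: "ENOMEM", 22: "EINVAL", 65: "ENOPKG", 74: "EBADMSG", 129: "EKEYREJECTED"}

# dmesg lines copied from the post above.
SAMPLE = """\
[ 0.798987] integrity: Loading X.509 certificate: UEFI:db
[ 0.799011] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 0.799012] integrity: Loading X.509 certificate: UEFI:db
[ 0.799028] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 0.799028] integrity: Loading X.509 certificate: UEFI:db
[ 0.799032] integrity: Problem loading X.509 certificate -74
[ 0.799124] Error adding keys to platform keyring UEFI:db
[ 0.799124] integrity: Loading X.509 certificate: UEFI:db
[ 0.800654] alg: No test for pkcs1pad(rsa,sha1) (pkcs1pad(rsa-generic,sha1))
[ 0.801564] integrity: Loaded X.509 cert 'AddTrust External CA Root: adbd987a34b426f7fac42654ef03bde024cb541a'
[ 0.802325] integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
[ 0.802490] integrity: Loaded X.509 cert 'CentOS Secure Boot CA 2: 70007f99209c126be14774eaec7b6d9631f34dca'
"""

LOADING = re.compile(r"integrity: Loading X\.509 certificate: (\S+)")
LOADED = re.compile(r"integrity: Loaded X\.509 cert '(.+): ([0-9a-f]+)'")
FAILED = re.compile(r"integrity: Problem loading X\.509 certificate (-\d+)")

def audit(log_text):
    """Return one dict per load attempt: source keyring, attempt number, outcome."""
    attempts, seen, cur = [], {}, None
    for line in log_text.splitlines():
        if m := LOADING.search(line):
            seen[m[1]] = seen.get(m[1], 0) + 1
            cur = {"source": m[1], "attempt": seen[m[1]], "status": "no result logged"}
            attempts.append(cur)
        elif cur and (m := LOADED.search(line)):
            cur.update(status="loaded", subject=m[1], key_id=m[2])
            cur = None
        elif cur and (m := FAILED.search(line)):
            code = -int(m[1])  # the kernel logs the negated errno
            cur.update(status="failed", errno=code, name=LINUX_ERRNO.get(code, "unknown"))
            cur = None
    return attempts

if __name__ == "__main__":
    for a in audit(SAMPLE):
        print(a)
```

The attempt number counts the certificates the kernel tried to load from that source, not the entry's position in the firmware variable.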

durchd8.de
Posts: 20
Joined: 2015/01/09 14:58:55

Re: UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

Post by durchd8.de » 2020/12/17 15:30:42

Adding to it, I used a slightly older image via USB: CentOS-8.2.2004-x86_64-minimal.iso

Same X509 error even on ISO startup (like all others).

durchd8.de
Posts: 20
Joined: 2015/01/09 14:58:55

Re: UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

Post by durchd8.de » 2020/12/22 17:16:22

anyone got an idea on it?


fulong
Posts: 2
Joined: 2021/04/16 08:51:03

Re: UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

Post by fulong » 2021/04/16 09:15:18

Hi durchd8.de,

Did you solve this problem?
Seems I encountered this same issue when booting rhel 8.3 on Lenovo x3850 X6 server.



Regards
FuLong

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

Post by TrevorH » 2021/04/16 09:32:42

There is a Fedora bug entry for the message that is issued that says it's a problem in the RH patches they add to the kernel. I suspect they've helpfully backported the same bug to the RHEL kernels.

Since RH have basically abandoned CentOS Linux 8, I would suggest that you test using CentOS Stream and if that has the same problem then raise a bug on bugzilla.redhat.com under RHEL with the version set to CentOS Stream.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

fulong
Posts: 2
Joined: 2021/04/16 08:51:03

Re: UEFI SecureBoot: integrity: Problem loading X.509 certificate -74

Post by fulong » 2021/04/19 05:32:46

TrevorH,

Thanks for the information!

I'd like to have a try when I get a spare machine.
For now, I can only go back to rhel 8.2 for an urgent project engagement.


Regards
FuLong
