On Thu, 2015-12-10 at 14:37 -0500, Mimi Zohar wrote: > On Thu, 2015-12-10 at 10:39 -0800, Tadeusz Struk wrote: > > Hi Mimi, > > On 12/10/2015 10:25 AM, Mimi Zohar wrote: > > >> This patch set converts the module verification and digital signature > > >> > code to the new akcipher API. > > >> > RSA implementation has been removed from crypto/asymmetric_keys and the > > >> > new API is used for cryptographic primitives. > > >> > There is no need for MPI above the akcipher API anymore. > > >> > Modules can be verified with software as well as HW RSA implementations. > > > With these two patches my system doesn't even boot. Digging deeper... > > > > > > > It needs RSA implementation built-in. > > Could you check if you have CONFIG_CRYPTO_RSA=y > > The diff between this config and the previous one: > < CONFIG_CRYPTO_AKCIPHER=y > < CONFIG_CRYPTO_RSA=y > --- > > # CONFIG_CRYPTO_RSA is not set FYI, dracut loaded the keys on the IMA keyring properly. When we try to pivot root, real root /sbin/init fails appraisal. The audit subsystem is showing "invalid-signature". There's no additional debugging information with the boot command line options rd.debug or systemd.log_level=debug. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html