The 4.12 kernel does not seem to import UEFI keys to verify kernel modules anymore. In particular, the process described in [1] fails now, with the error
modprobe: ERROR: could not insert 'xxx': Required key not available
Looking at the output of keyctl, we see that only the kernel signing key has been added, but none of the UEFI ones:
# keyctl list %:.builtin_trusted_keys
1 key in keyring:
88834290: ---lswrv 0 0 asymmetric: Fedora kernel signing key: fbae8ddf4ffd384e990097e7b82ddf7bacf91b23
Also, in dmesg the message changed from
EFI: Loaded cert 'xxx' linked to '.builtin_trusted_keys'
in 4.11.x, to
Loaded UEFI:db cert 'xxx' linked to secondary sys keyring
Wayland graphics broken for QXL virtual video device: system hangs before reaching the graphical login screen. System boots correctly after adding "nomodeset" to the kernel boot options, likewise after removing kernel boot option "rhgb" and enabling "WaylandEnable=false" in configuration file /etc/gdm/custom.conf.
System boot successfully on real hardware with video device ATI Radeon HD 3470.
Not going to leave karma, because I see folks are having trouble. It boots for me on an Atom based server, T450s and a VM. I did see an i915 graphics related oops on the first reboot of T450s. This went away after cold boot. Also, both the laptop and the VM that are running gnome developed account manager related selinux denials.
Someone should download GENUINE kernel from Linus and compile it. I see gap between 4.11 and 4.12 because labbott was doing all previous 4.11s but skipped 4.12 out of the blue (why?) and is currently doing 4.13. jforebes- do we trust him? Besides as is was said here: "Had sudden boot fails on F26 with the i3 at early stage (also on 4.11), but went away when using a generic (not hardware tailored) initramfs.". I got it too, ie. some boot failures/restart failures/boot black screen on 4.11.11-300.fc26.x86_64. Not stable at all. For the reason of signing keys and SELinux failures if I was able to downvote I would say: -10 (minus ten). Not good. Not good at all.
You're joking, right? Otherwise do a little research about Fedora's kernel maintainers and kernel stabilization. A xx.yy.0...2 is hardly ever shipped (apart from rawhide).
And these boot failures in early stage are likely no kernel issue, but a dracut problem, as generic initramfs fixed it for me.
The QXL issue is #1462381. (It's not specific to Fedora, I've reproduced it with the upstream kernel, and someone else has reported it against Debian 9 too.)
I haven't encountered any issues on bare metal, but giving negative karma because virtualization is significant for one of my workflows.
"labbott was doing all previous 4.11s but skipped 4.12 out of the blue "
This is perfectly normal. kernel 4.10 was maintained by jforbes, and for a long time, he and labbott take charges of the alternative kernels. And, if you take my opinion, they are doing an excellent job.
[ 0.000000] ********
[ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000]
[ 0.000000] trace_printk() being used. Allocating extra memory.
[ 0.000000]
[ 0.000000] This means that this is a DEBUG kernel and it is
[ 0.000000] unsafe for production use.
[ 0.000000]
[ 0.000000] If you see this message and you are not debugging
[ 0.000000] the kernel, report this immediately to your vendor!
[ 0.000000]
[ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE
[ 0.000000] ********
Changing feedback as I see the debug kernel warning too.
[ 0.000000] **********************************************************
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000] ** **
[ 0.000000] ** trace_printk() being used. Allocating extra memory. **
[ 0.000000] ** **
[ 0.000000] ** This means that this is a DEBUG kernel and it is **
[ 0.000000] ** unsafe for production use. **
[ 0.000000] ** **
[ 0.000000] ** If you see this message and you are not debugging **
[ 0.000000] ** the kernel, report this immediately to your vendor! **
[ 0.000000] ** **
[ 0.000000] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 0.000000] **********************************************************
Regressions since 4.11.11:
1. [i915] if external display is connected via HDMI, console output (esp. prompt for LUKS password) is no longer displayed on it (only on internal LCD).
2. [usb] keyboard and mouse input (connected via Logitech Unifying receiver, USB ID 046d:c52b) becomes erratic, hanging every few seconds and making the machine almost unusable until I disable USB autosuspend for the receiver USB device in powertop (I have powertop.service enabled).
This update has been submitted for testing by jforbes.
This update has been pushed to testing.
The 4.12 kernel does not seem to import UEFI keys to verify kernel modules anymore. In particular, the process described in [1] fails now, with the error
Looking at the output of keyctl, we see that only the kernel signing key has been added, but none of the UEFI ones:
Also, in dmesg the message changed from
in 4.11.x, to
Loaded UEFI:db cert 'xxx' linked to secondary sys keyring
in 4.12.
[1] https://docs.fedoraproject.org/en-US/Fedora/26/html-single/System_Administrators_Guide/index.html#sect-signing-kernel-modules-for-secure-boot
As per the previous comment, correct feedback was -1 for the last two list items, of course.
QXL virt vga broken with Wayland
works for me
Works just fine on a T450s with Wayland session.
Not going to leave karma, because I see folks are having trouble. It boots for me on an Atom based server, T450s and a VM. I did see an i915 graphics related oops on the first reboot of T450s. This went away after cold boot. Also, both the laptop and the VM that are running gnome developed account manager related selinux denials.
UEFI Keys not imported : PKCS#7 signature not signed with a trusted key error
karma: -1
As previous comments (UEFI keys , Qxl) , -1 for the last items.
HP 850 G4. i5-7200U w/integrated GPU, Gnome with Xorg, ipsec VPN. Generally working, not adding karma as of problems others see.
Fine on two systems with BIOS boot and KDE (no wayland), Core i3 540 with AMD GPU and AMD E-450 APU.
Had sudden boot fails on F26 with the i3 at early stage (also on 4.11), but went away when using a generic (not hardware tailored) initramfs.
Works Fine on a E7470.
karma: +1
Works for me on a i686 installation. Using a Dell e6220. Gnome on Wayland is working.
karma: +1
Regression tests pass and boots fine, however I'm getting many selinux errors reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=1476345
Someone should download GENUINE kernel from Linus and compile it. I see gap between 4.11 and 4.12 because labbott was doing all previous 4.11s but skipped 4.12 out of the blue (why?) and is currently doing 4.13. jforebes- do we trust him? Besides as is was said here: "Had sudden boot fails on F26 with the i3 at early stage (also on 4.11), but went away when using a generic (not hardware tailored) initramfs.". I got it too, ie. some boot failures/restart failures/boot black screen on 4.11.11-300.fc26.x86_64. Not stable at all. For the reason of signing keys and SELinux failures if I was able to downvote I would say: -10 (minus ten). Not good. Not good at all.
All is well for me. Headless Dell R520.
@anonymous
You're joking, right? Otherwise do a little research about Fedora's kernel maintainers and kernel stabilization. A xx.yy.0...2 is hardly ever shipped (apart from rawhide).
And these boot failures in early stage are likely no kernel issue, but a dracut problem, as generic initramfs fixed it for me.
[Vote repeated, as it's deleted otherwise]
The QXL issue is #1462381. (It's not specific to Fedora, I've reproduced it with the upstream kernel, and someone else has reported it against Debian 9 too.)
I haven't encountered any issues on bare metal, but giving negative karma because virtualization is significant for one of my workflows.
"labbott was doing all previous 4.11s but skipped 4.12 out of the blue " This is perfectly normal. kernel 4.10 was maintained by jforbes, and for a long time, he and labbott take charges of the alternative kernels. And, if you take my opinion, they are doing an excellent job.
no regressions noted with Xfce on my clevo i7
Warning on boot:
[ 0.000000] ******** [ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE [ 0.000000] [ 0.000000] trace_printk() being used. Allocating extra memory. [ 0.000000] [ 0.000000] This means that this is a DEBUG kernel and it is [ 0.000000] unsafe for production use. [ 0.000000] [ 0.000000] If you see this message and you are not debugging [ 0.000000] the kernel, report this immediately to your vendor! [ 0.000000] [ 0.000000] NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE [ 0.000000] ********
wfm https://paste.fedoraproject.org/paste/ETZ4M67lh~YeVVPd7KFyfg/
Changing feedback as I see the debug kernel warning too.
Regressions since 4.11.11: 1. [i915] if external display is connected via HDMI, console output (esp. prompt for LUKS password) is no longer displayed on it (only on internal LCD). 2. [usb] keyboard and mouse input (connected via Logitech Unifying receiver, USB ID 046d:c52b) becomes erratic, hanging every few seconds and making the machine almost unusable until I disable USB autosuspend for the receiver USB device in powertop (I have powertop.service enabled).
Also, like @bojan, I see new SELinux alerts (https://bugzilla.redhat.com/show_bug.cgi?id=1476477 , https://bugzilla.redhat.com/show_bug.cgi?id=1468081 , https://bugzilla.redhat.com/show_bug.cgi?id=1474732 and https://bugzilla.redhat.com/show_bug.cgi?id=1474734)
Buggiest kernel in a while
Sorry, I'm used to giving postive karma, force of habit
This update has been obsoleted.
Debuggin enabled: https://bugzilla.redhat.com/show_bug.cgi?id=1461931
Maybe we could have 4.11.12 on F26 meanwhile to be on par with F25 at least?
Does not boot: error: nouveau 0000:00:12.0: DDC responded, but no EDID for DP-1
Touchpad resume issue fixed