There does appear to be a complication for this change. keyctl can add trusted, but not read encrypted keys:

    # keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
    # keyctl pipe `keyctl search @u encrypted evm-key`
    keyctl_read_alloc: Operation not supported
    # keyctl search @u encrypted evm-key
    58969095

The key exists but cannot be read. This appears to be due to https://bugzilla.kernel.org/show_bug.cgi?id=202577
If trusted is a module, and encrypted is builtin, encrypted cannot open a trusted key because the masterkey_trusted.o types are not exported out of the encrypted-keys namespace? (Mind you, I am not a kernel developer, and this C is ... waaaaay out of my league.)

In summary:

    CONFIG_TRUSTED_KEYS=n && CONFIG_ENCRYPTED_KEYS=y == keyctl add trusted fails.
    CONFIG_TRUSTED_KEYS=m && CONFIG_ENCRYPTED_KEYS=y == keyctl read encrypted from a trusted key fails.

In order to have both, both have to be modules (to export the types), or both have to be builtin (to use the shared type lookups?).

    CONFIG_TRUSTED_KEYS=y

I built the kernel again with the change above and:

    # uname -a
    Linux debian 6.12.43 #28 SMP PREEMPT_DYNAMIC Tue Sep 9 12:57:21 EDT 2025 x86_64 GNU/Linux
    # dmesg | grep -P '(trusted|encrypted)'
    [ 1.779375] Initialise system trusted keyrings
    [ 4.969001] Key type trusted registered
    [ 5.001211] Key type encrypted registered
    [ 24.235628] trusted_key: encrypted_key: master key parameter '' is invalid
    # keyctl search @u trusted kmk-trusted
    625450296
    # keyctl add encrypted evm-key "new trusted:kmk-trusted 32" @u
    234222391
    # keyctl link @u @s
    # keyctl pipe `keyctl search @u encrypted evm-key`
    default trusted:kmk-trusted 32 <<REDACTED KEY MATERIAL>>

Success.

Given my original goal was to follow the instructions as provided, I change my request to reconfigure the kernel build to CONFIG_TRUSTED_KEYS=y to fix the keyctl for both trusted and encrypted types.
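
Added example, not part of the report above and not code from the kernel or keyutils projects: a shell check that reads a kernel config file and classifies the CONFIG_TRUSTED_KEYS / CONFIG_ENCRYPTED_KEYS combination using only the outcomes the report describes. The function names and verdict strings are assumptions made for this example; the config file path is passed as the first argument (for instance /boot/config-$(uname -r), where the distribution ships one).

```shell
#!/bin/sh
# Added example: classify a kernel .config by the trusted/encrypted key
# combinations described in the report. Names here are hypothetical.

# kconfig_value FILE SYMBOL -> prints y, m or n.
# "SYMBOL=y" / "SYMBOL=m" set the value; "# SYMBOL is not set" or a
# missing line both count as n. The last assignment in the file wins.
kconfig_value() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# classify_keys FILE -> one-line verdict for that config.
classify_keys() {
    t=$(kconfig_value "$1" CONFIG_TRUSTED_KEYS)
    e=$(kconfig_value "$1" CONFIG_ENCRYPTED_KEYS)
    case "$t$e" in
        # Confirmed working in the report (keyctl pipe returned the blob).
        yy) echo "ok: trusted=y encrypted=y, both key types usable" ;;
        # Expected to work by the reporter, but not tested in the report.
        mm) echo "untested: trusted=m encrypted=m, reporter expects this to work" ;;
        # Observed: keyctl_read_alloc: Operation not supported.
        my) echo "broken: trusted=m encrypted=y, reading an encrypted key with a trusted master key fails" ;;
        # Observed: the trusted key type is not available at all.
        ny) echo "broken: trusted=n encrypted=y, keyctl add trusted fails" ;;
        *)  echo "not-covered: trusted=$t encrypted=$e is not discussed in the report" ;;
    esac
}

# Stand-alone use: sh check-keys.sh /path/to/config
if [ "$#" -gt 0 ]; then
    classify_keys "$1"
fi
```
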

