Also affects Ideapad 3 15AB7 Ryzen 5825. Kubuntu 23.10 for all Kernels up to linux-next.
In all cases, secure boot on or off, MoK enabled or not and fTPM on/off give the same result. fTPM reading is abnormal. $ sudo dmesg | grep fTPM [ 0.341408] tpm tpm0: AMD fTPM version 0x3004e00020005 causes system stutter; hwrng disabled $ mokutil --sb SecureBoot enabled SecureBoot validation is disabled in shim mokutil --sb SecureBoot disabled sudo dmesg | grep fTPM no reading Here's the x.509 error: $ journalctl -b -1 ...cut here... -X.509 Boot/restart/all Kernels/all cases 23:51:34 mm systemd[1]: Stopped user-runtime-dir@1000.service - User Runtime Directory /run/user/1000. May 03 23:51:34 mm systemd[1]: Removed slice user-1000.slice - User Slice of UID 1000. May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9' May 03 23:51:19 mm kernel: zswap: loaded using pool lzo/zbud May 03 23:51:19 mm kernel: Key type .fscrypt registered May 03 23:51:19 mm kernel: Key type fscrypt-provisioning registered May 03 23:51:19 mm kernel: Key type trusted registered May 03 23:51:19 mm kernel: Key type encrypted registered May 03 23:51:19 mm kernel: AppArmor: AppArmor sha1 policy hashing enabled May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f' May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Problem loading X.509 certificate -65 May 03 23:51:19 mm kernel: fbcon: Taking over console May 03 23:51:19 mm kernel: integrity: Error adding keys to platform keyring UEFI:db May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: Console: switching to colour frame buffer device 240x67 May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert ': 8129c1e0865297b1435ad4a47e4f424e' May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: blacklist: Loading compiled-in revocation X.509 certificates May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): 242ade75ac4a15e50d50c84b0d45ff3eae707a03' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): 365188c1d374d6b07c3c8f240f8ef722433d6a8b' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): c0746fd6c5da3ae827864651ad66ae47fe24b3e8' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9' May 03 23:51:19 mm kernel: zswap: loaded using pool lzo/zbud May 03 23:51:19 mm kernel: Key type .fscrypt registered May 03 23:51:19 mm kernel: Key type fscrypt-provisioning registered May 03 23:51:19 mm kernel: Key type trusted registered May 03 23:51:19 mm kernel: Key type encrypted registered May 03 23:51:19 mm kernel: AppArmor: AppArmor sha1 policy hashing enabled May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f' May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Problem loading X.509 certificate -65 May 03 23:51:19 mm kernel: fbcon: Taking over console May 03 23:51:19 mm kernel: integrity: Error adding keys to platform keyring UEFI:db May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: Console: switching to colour frame buffer device 240x67 May 03 23:51:19 mm kernel: Loading compiled-in X.509 certificates May 03 23:51:19 mm kernel: Loaded X.509 cert 'Build time autogenerated kernel key: 1fc0e865c21818e2f5cce3868a567b58070b6c0d' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Live Patch Signing: 14df34d1a87cf37625abec039ef2bf521249b969' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Kernel Module Signing: 88f752e560a1e0737e31163a466ad7b70a850c19' May 03 23:51:19 mm kernel: blacklist: Loading compiled-in revocation X.509 certificates May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2017): 242ade75ac4a15e50d50c84b0d45ff3eae707a03' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (ESM 2018): 365188c1d374d6b07c3c8f240f8ef722433d6a8b' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2019): c0746fd6c5da3ae827864651ad66ae47fe24b3e8' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v1): a8d54bbb3825cfb94fa13c9f8a594a195c107b8d' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v2): 4cf046892d6fd3c9a5b03f98d845f90851dc6a8c' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (2021 v3): 100437bb6de6e469b581e61cd66bce3ef4ed53af' May 03 23:51:19 mm kernel: Loaded X.509 cert 'Canonical Ltd. Secure Boot Signing (Ubuntu Core 2019): c1d57b8f6b743f23ee41f4f7ee292f06eecadfb9' May 03 23:51:19 mm kernel: zswap: loaded using pool lzo/zbud May 03 23:51:19 mm kernel: Key type .fscrypt registered May 03 23:51:19 mm kernel: Key type fscrypt-provisioning registered May 03 23:51:19 mm kernel: Key type trusted registered May 03 23:51:19 mm kernel: Key type encrypted registered May 03 23:51:19 mm kernel: AppArmor: AppArmor sha1 policy hashing enabled May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert 'Lenovo UEFI CA 2014: 4b91a68732eaefdd2c8ffffc6b027ec3449e9c8f' May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Problem loading X.509 certificate -65 May 03 23:51:19 mm kernel: fbcon: Taking over console May 03 23:51:19 mm kernel: integrity: Error adding keys to platform keyring UEFI:db May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: Console: switching to colour frame buffer device 240x67 May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert ': 8129c1e0865297b1435ad4a47e4f424e' May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' May 03 23:51:19 mm kernel: integrity: Loading X.509 certificate: UEFI:db May 03 23:51:19 mm kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53' May 03 23:51:19 mm kernel: Loading compiled-in module X.509 certificates May 03 23:51:19 mm kernel: Loaded X.509 cert 'Build time autogenerated kernel key: 1fc0e865c21818e2f5cce3868a567b58070b6c0d' May 03 23:51:19 mm kernel: ima: Allocated hash algorithm: sha1 May 03 23:51:19 mm kernel: ima: No architecture policies found May 03 23:51:19 mm kernel: evm: Initialising EVM extended attributes: May 03 23:51:19 mm kernel: evm: security.selinux May 03 23:51:19 mm kernel: evm: security.SMACK64 May 03 23:51:19 mm kernel: evm: security.SMACK64EXEC May 03 23:51:19 mm kernel: evm: security.SMACK64TRANSMUTE May 03 23:51:19 mm kernel: evm: security.SMACK64MMAP May 03 23:51:19 mm kernel: evm: security.apparmor May 03 23:51:19 mm kernel: evm: security.ima May 03 23:51:19 mm kernel: evm: security.capability May 03 23:51:19 mm kernel: evm: HMAC attrs: 0x1 May 03 23:51:19 mm kernel: PM: Magic number: 7:946:865 May 03 23:51:19 mm kernel: memory_tiering: hash matches May 03 23:51:19 mm kernel: RAS: Correctable Errors collector initialized. May 03 23:51:19 mm kernel: Unstable clock detected, switching default tracing clock to "global" If you want to keep using the local clock, then add: "trace_clock=local" lines 730-756 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1930783 Title: integrity: Problem loading X.509 certificate Status in linux package in Ubuntu: Confirmed Bug description: Following error shows on Acer machines while booting when UEFI boot is enabled. integrity: Problem loading X.509 certificate -65 The issue is discussed at https://bugzilla.opensuse.org/show_bug.cgi?id=1129471 and a patch is available at https://lkml.org/lkml/2019/7/16/23. Seems like this patch is not included in Ubuntu as I'm still getting this error. I'm using Linux Mint 20, which is based on Ubuntu 20.04. This error comes while live booting Ubuntu 20.04 and Ubuntu 18.04 also. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1930783/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp