From: Vitor Soares <ivitro@gmail.com>
To: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: horia.geanta@nxp.com, pankaj.gupta@nxp.com, gaurav.jain@nxp.com,
herbert@gondor.apana.org.au, john.ernberg@actia.se,
meenakshi.aggarwal@nxp.com
Subject: CAAM RSA breaks cfg80211 certificate verification on iMX8QXP
Date: Mon, 24 Nov 2025 19:03:38 +0000 [thread overview]
Message-ID: <b017b6260075f7ba11c52e71bcc5cebe427e020f.camel@gmail.com> (raw)
I’m currently investigating an issue on our Colibri iMX8QXP SoM running kernel
6.18-rc6 (also reproducible on v6.17), where cfg80211 fails to load the
compiled-in X.509 certificates used to verify the regulatory database signature.
During boot, I consistently see the following messages:
cfg80211: Loading compiled-in X.509 certificates for regulatory database
Problem loading in-kernel X.509 certificate (-22)
Problem loading in-kernel X.509 certificate (-22)
cfg80211: loaded regulatory.db is malformed or signature is missing/invalid
As part of the debugging process, I removed the CAAM crypto drivers and manually
reloaded cfg80211. In this configuration, the certificates load correctly and
the regulatory database is validated with no errors.
With additional debugging enabled, I traced the failure to crypto_sig_verify(),
which returns -22 (EINVAL).
At this stage, I’m trying to determine whether:
- This is a known issue involving cfg80211 certificate validation when the CAAM
hardware crypto engine is enabled on i.MX SoCs, or
- CAAM may be returning unexpected values to the X.509 verification logic.
If anyone has encountered similar behavior or can suggest areas to
investigate—particularly around CAAM—I would greatly appreciate your guidance.
Thanks in advance for any insights,
Vítor Soares
next reply other threads:[~2025-11-24 19:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-24 19:03 Vitor Soares [this message]
2025-11-26 10:55 ` CAAM RSA breaks cfg80211 certificate verification on iMX8QXP Vitor Soares
2025-11-26 12:59 ` Ahmad Fatoum
2025-11-26 18:35 ` Vitor Soares
2025-11-28 10:36 ` Ahmad Fatoum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b017b6260075f7ba11c52e71bcc5cebe427e020f.camel@gmail.com \
--to=ivitro@gmail.com \
--cc=gaurav.jain@nxp.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=john.ernberg@actia.se \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=meenakshi.aggarwal@nxp.com \
--cc=pankaj.gupta@nxp.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).