Hey all, testing a bit the systemd-sysext with verity+signature, running a sample like this:
systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw --private-key=db.key --certificate=db.pem This generates a nice sysextension with verity and signed! (Nice work there BTW, its dead simple!) But when trying to load it asks for a password, saying that the required key is not available root@localhost:~# systemd-sysext status HIERARCHY EXTENSIONS SINCE /opt none - /usr none - root@localhost:~# systemd-sysext refresh [ 658.620707] device-mapper: table: 252:2: verity: Root hash verification failed (-ENOKEY) [ 658.621192] device-mapper: ioctl: error adding target to table device-mapper: reload ioctl on 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity (252:2) failed: Required key not available 🔐 Please enter image passphrase: (press TAB for no echo) Is this not supported? I can see some of my keys in the kernel keyring that match the keys in my FW: 3dcac152 I------ 1 perm 1f010000 0 0 asymmetri ITXAKA: 92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d [] But sysext claims that it cannot get it from the kernel keyring: Validation of dm-verity signature failed via the kernel, trying userspace validation instead: Required key not available The workaround is just to get the certificate and transform it into a nice x509 DER format under /run/verity.d/WHATEVER.crt But I was wondering if there was a way for the sysext to just check against the EFI FW directly, get the public certs and try to verify against that? Thanks!
