On Wed, 5 Jun 2024 at 15:15, Itxaka Serrano Garcia <itxaka.gar...@spectrocloud.com> wrote: > > Hey all, > > testing a bit the systemd-sysext with verity+signature, running a sample like > this: > > systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw > --private-key=db.key --certificate=db.pem > > This generates a nice sysextension with verity and signed! (Nice work there > BTW, its dead simple!) > > But when trying to load it asks for a password, saying that the required key > is not available > > root@localhost:~# systemd-sysext status > HIERARCHY EXTENSIONS SINCE > /opt none - > /usr none - > root@localhost:~# systemd-sysext refresh > [ 658.620707] device-mapper: table: 252:2: verity: Root hash verification > failed (-ENOKEY) > [ 658.621192] device-mapper: ioctl: error adding target to table > device-mapper: reload ioctl on > 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity > (252:2) failed: Required key not available > 🔐 Please enter image passphrase: (press TAB for no echo) > > Is this not supported? I can see some of my keys in the kernel keyring that > match the keys in my FW: > 3dcac152 I------ 1 perm 1f010000 0 0 asymmetri ITXAKA: > 92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d [] > > But sysext claims that it cannot get it from the kernel keyring: > > Validation of dm-verity signature failed via the kernel, trying userspace > validation instead: Required key not available > > > The workaround is just to get the certificate and transform it into a nice > x509 DER format under /run/verity.d/WHATEVER.crt > > But I was wondering if there was a way for the sysext to just check against > the EFI FW directly, get the public certs and try to verify against that?
The kernel needs to be built with some non-default kconfigs, so if it's a custom build or distro check that those are all enabled, they are listed here: https://github.com/systemd/systemd/blob/main/README#L131
