Hey all,
testing a bit the systemd-sysext with verity+signature, running a sample like this:
systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw --private-key=db.key --certificate=db.pem
This generates a nice sysextension with verity and signed! (Nice work there BTW, its dead simple!)
But when trying to load it asks for a password, saying that the required key is not available
root@localhost:~# systemd-sysext status
HIERARCHY EXTENSIONS SINCE
/opt none -
/usr none -
root@localhost:~# systemd-sysext refresh
[ 658.620707] device-mapper: table: 252:2: verity: Root hash verification failed (-ENOKEY)
[ 658.621192] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity (252:2) failed: Required key not available
🔐 Please enter image passphrase: (press TAB for no echo)
HIERARCHY EXTENSIONS SINCE
/opt none -
/usr none -
root@localhost:~# systemd-sysext refresh
[ 658.620707] device-mapper: table: 252:2: verity: Root hash verification failed (-ENOKEY)
[ 658.621192] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity (252:2) failed: Required key not available
🔐 Please enter image passphrase: (press TAB for no echo)
Is
this not supported? I can see some of my keys in the kernel keyring that match the keys in my FW:
3dcac152 I------ 1 perm 1f010000 0 0 asymmetri ITXAKA: 92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d []
But sysext claims that it cannot get it from the kernel keyring:
Validation of dm-verity signature failed via the kernel, trying userspace validation instead: Required key not available
The workaround is just to get the certificate and transform it into a nice x509 DER format under /run/verity.d/WHATEVER.crt
But I was wondering if there was a way for the sysext to just check against the EFI FW directly, get the public certs and try to verify against that?
Thanks!
