On Wed, 5 Jun 2024 at 15:15, Itxaka Serrano Garcia <itxaka.garcia@xxxxxxxxxxxxxxxx> wrote: > > Hey all, > > testing a bit the systemd-sysext with verity+signature, running a sample like this: > > systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw --private-key=db.key --certificate=db.pem > > This generates a nice sysextension with verity and signed! (Nice work there BTW, its dead simple!) > > But when trying to load it asks for a password, saying that the required key is not available > > root@localhost:~# systemd-sysext status > HIERARCHY EXTENSIONS SINCE > /opt none - > /usr none - > root@localhost:~# systemd-sysext refresh > [ 658.620707] device-mapper: table: 252:2: verity: Root hash verification failed (-ENOKEY) > [ 658.621192] device-mapper: ioctl: error adding target to table > device-mapper: reload ioctl on 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity (252:2) failed: Required key not available > 🔐 Please enter image passphrase: (press TAB for no echo) > > Is this not supported? I can see some of my keys in the kernel keyring that match the keys in my FW: > 3dcac152 I------ 1 perm 1f010000 0 0 asymmetri ITXAKA: 92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d [] > > But sysext claims that it cannot get it from the kernel keyring: > > Validation of dm-verity signature failed via the kernel, trying userspace validation instead: Required key not available > > > The workaround is just to get the certificate and transform it into a nice x509 DER format under /run/verity.d/WHATEVER.crt > > But I was wondering if there was a way for the sysext to just check against the EFI FW directly, get the public certs and try to verify against that? The kernel needs to be built with some non-default kconfigs, so if it's a custom build or distro check that those are all enabled, they are listed here: https://github.com/systemd/systemd/blob/main/README#L131
Re: sysext verity+signed with EFI FW keys
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: sysext verity+signed with EFI FW keys
- From: Luca Boccassi <luca.boccassi@xxxxxxxxx>
- Date: Wed, 5 Jun 2024 16:51:55 +0100
- Cc: systemd-devel@xxxxxxxxxxxxxxxxxxxxx
- In-reply-to: <CAEPWXofCXC49=_vwxDHcSc7ojjYiW8Xp2DW_Hvg52k6wDr3Qjg@mail.gmail.com>
- References: <CAEPWXofCXC49=_vwxDHcSc7ojjYiW8Xp2DW_Hvg52k6wDr3Qjg@mail.gmail.com>
- Follow-Ups:
- Re: sysext verity+signed with EFI FW keys
- From: Nils Kattenbeck
- Re: sysext verity+signed with EFI FW keys
- From: Itxaka Serrano Garcia
- Re: sysext verity+signed with EFI FW keys
- References:
- sysext verity+signed with EFI FW keys
- From: Itxaka Serrano Garcia
- sysext verity+signed with EFI FW keys
- Prev by Date: Re: soft-reboot and service templates
- Next by Date: Re: sysext verity+signed with EFI FW keys
- Previous by thread: sysext verity+signed with EFI FW keys
- Next by thread: Re: sysext verity+signed with EFI FW keys
- Index(es):
 |