Re: sysext verity+signed with EFI FW keys

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Ooh I see.

Thanks for the heads up, I'll have a look to see which upstream kernels have this enabled as we are using upstream kernels directly.

On the meantime it's trivial to extract the certs ourselves so it still works as expected :)

Thanks Luca! I'll write an extra thread now with some more systemd-sysext questions!

El mié, 5 jun 2024, 17:52, Luca Boccassi <luca.boccassi@xxxxxxxxx> escribió:
On Wed, 5 Jun 2024 at 15:15, Itxaka Serrano Garcia
<itxaka.garcia@xxxxxxxxxxxxxxxx> wrote:
>
> Hey all,
>
> testing a bit the systemd-sysext with verity+signature, running a sample like this:
>
> systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw --private-key=db.key --certificate=db.pem
>
> This generates a nice sysextension with verity and signed! (Nice work there BTW, its dead simple!)
>
> But when trying to load it asks for a password, saying that the required key is not available
>
> root@localhost:~# systemd-sysext status
> HIERARCHY EXTENSIONS SINCE
> /opt      none       -
> /usr      none       -
> root@localhost:~# systemd-sysext refresh
> [  658.620707] device-mapper: table: 252:2: verity: Root hash verification failed (-ENOKEY)
> [  658.621192] device-mapper: ioctl: error adding target to table
> device-mapper: reload ioctl on 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity (252:2) failed: Required key not available
> 🔐 Please enter image passphrase: (press TAB for no echo)
>
> Is this not supported? I can see some of my keys in the kernel keyring that match the keys in my FW:
> 3dcac152 I------     1 perm 1f010000     0     0 asymmetri ITXAKA: 92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d []
>
> But sysext claims that it cannot get it from the kernel keyring:
>
> Validation of dm-verity signature failed via the kernel, trying userspace validation instead: Required key not available
>
>
> The workaround is just to get the certificate and transform it into a nice x509 DER format under /run/verity.d/WHATEVER.crt
>
> But I was wondering if there was a way for the sysext to just check against the EFI FW directly, get the public certs and try to verify against that?

The kernel needs to be built with some non-default kconfigs, so if
it's a custom build or distro check that those are all enabled, they
are listed here:

https://github.com/systemd/systemd/blob/main/README#L131

[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux