[systemd-devel] Hello problem with sealing and verify

Frédéric Goudal frederic.goudal at bordeaux-inp.fr
Tue Mar 29 15:00:30 UTC 2016


Hello,

I’m new to this list and maybe it’s not the correct one, but I have not found which one. So please redirect me if needed.

I’m running systemd:
#systemctl --version
systemd 215
+PAM +AUDIT +SELINUX +IMA +SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ -SECCOMP -APPARMOR

I’m trying to set up sealing on journald and I have some questions.
- I have set Seal=yes and Storage=persistent in the configuration file.
- I have set up a key and the file /var/log/journal/<machine-id>/fss is created; I have set a small interval to see changes.
- I have done a daemon-reload and restarted systemd-journald.

What is happening is:
If I run journalctl --verify I get the following result:

PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-000000000008a71f-00052f2a193c935a.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-0000000000082381-00052f09d08eeee4.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-000000000007a1ec-00052eeba607f5be.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-00000000000720ca-00052ece5488ab03.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-000000000006a0e2-00052eb32a7f1db0.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-0000000000062101-00052e994ab669e5.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-000000000005a200-00052e7f53534ac9.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-00000000000522d1-00052e6521583fef.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-000000000004a43b-00052e4b93651e16.journal
PASS: /run/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@ed7996ee15d1483f807dd9681125583e-00000000000424e7-00052e31cbadb8e0.journal
Journal file /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system.journal has sealing enabled but verification key has not been passed using --verify-key=.
FAIL: /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system.journal (Required key not available)
PASS: /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@00052f2c94dd360c-40e5fcbd9cfe0521.journal~
PASS: /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@00052f30d894c902-a7dbf2e43ebf48e2.journal~
PASS: /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system@90cc32f84ce54286a58677b3b34a9e03-0000000000000001-00052e31cbadb8e0.journal
PASS: /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/user-1000.journal

That seems OK.
But if I run journalctl --verify --verify-key=<mykey> I get the following result for the system.journal file (the other ones pass):

Tag/entry realtime timestamp out of synchronization at 390e60
File corruption detected at /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system.journal:390e60 (of 8388608 bytes, 44%).
FAIL: /var/log/journal/5300f6966bfb452da9d2c63ebc6bed4e/system.journal (Bad message)

But… if I run journalctl --verify --verify-key=111111-222222-333333-444444/555555-666666
I get exactly the same result.

So what is the deal with the key? Does any value do the job? Am I missing some point?

f.g.
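As an added example (not part of the original message, and not systemd's own code), here is a Python helper for scripting the check the post describes. It parses a `--verify-key=` string of the shape shown above (my reading of the format: dash-separated hex seed bytes, a `/`, then start and interval as two hex numbers, with the interval in microseconds, so `35a4e900` is 900 s, the 15 minute default) and turns `journalctl --verify` output into a per-file report that separates "sealed but no key passed" from "corruption at offset". The line patterns and the two sample outputs are reconstructed from the post; `run_verify`, the field names and the `VerifyKey` type are my own, and how journalctl itself validates a key is not asserted here.

```python
"""Added example (not from the original post or from systemd):
parse a journald FSS --verify-key= string and classify `journalctl --verify` output."""
import re
import subprocess
from dataclasses import dataclass


@dataclass
class VerifyKey:
    seed: bytes
    start: int      # sealing start counter, in units of `interval` (assumption: my reading of the format)
    interval: int   # sealing interval in microseconds (0x35a4e900 = 900 s = 15 min)


def parse_verify_key(text: str) -> VerifyKey:
    """Split 'xxxxxx-xxxxxx-.../start-interval' into its parts, or raise ValueError.

    Hex seed bytes with optional '-' separators come before '/', two hex numbers after it.
    Useful as an early check that a key transcribed from --setup-keys is at least well formed."""
    seed_part, slash, epoch_part = text.strip().partition("/")
    if not slash:
        raise ValueError("verification key must contain '/' between seed and start-interval")
    hexdigits = seed_part.replace("-", "")
    if not hexdigits or len(hexdigits) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", hexdigits):
        raise ValueError("seed must be an even number of hex digits, optionally dash-separated")
    m = re.fullmatch(r"([0-9a-fA-F]+)-([0-9a-fA-F]+)", epoch_part)
    if not m:
        raise ValueError("expected '<start>-<interval>' in hex after '/'")
    start, interval = int(m.group(1), 16), int(m.group(2), 16)
    if interval == 0:
        raise ValueError("sealing interval cannot be zero")
    return VerifyKey(bytes.fromhex(hexdigits), start, interval)


# Line shapes as they appear in the post (English locale).
PASS_RE = re.compile(r"^PASS: (?P<path>\S+)$")
FAIL_RE = re.compile(r"^FAIL: (?P<path>\S+) \((?P<reason>.+)\)$")
NO_KEY_RE = re.compile(r"^Journal file (?P<path>\S+) has sealing enabled but verification key has not been passed")
CORRUPT_RE = re.compile(r"^File corruption detected at (?P<path>.+):(?P<offset>[0-9a-fA-F]+) \(of (?P<size>\d+) bytes")
SYNC_RE = re.compile(r"^Tag/entry realtime timestamp out of synchronization at (?P<offset>[0-9a-fA-F]+)")


def classify_verify_output(lines):
    """Return {path: {"status": "pass"|"key-missing"|"corrupt"|"fail", ...}}.

    Diagnostic lines precede the FAIL verdict for their file, so they are buffered
    and attached when the verdict line arrives; a PASS line discards stale diagnostics."""
    report, diagnostics = {}, []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := PASS_RE.match(line):
            report[m["path"]] = {"status": "pass"}
            diagnostics = []
        elif m := FAIL_RE.match(line):
            entry = {"status": "fail", "reason": m["reason"]}
            for kind, info in diagnostics:
                if kind == "no-key":
                    entry["status"] = "key-missing"        # sealed file verified without --verify-key=
                elif kind == "corrupt":
                    entry["status"] = "corrupt"
                    entry.update(info)
                    entry["percent"] = 100 * info["offset"] // info["size"]  # truncated, as journalctl prints it
                elif kind == "sync":
                    entry.setdefault("sync_offsets", []).append(info["offset"])
            report[m["path"]] = entry
            diagnostics = []
        elif m := NO_KEY_RE.match(line):
            diagnostics.append(("no-key", {}))
        elif m := CORRUPT_RE.match(line):
            diagnostics.append(("corrupt", {"offset": int(m["offset"], 16), "size": int(m["size"])}))
        elif m := SYNC_RE.match(line):
            diagnostics.append(("sync", {"offset": int(m["offset"], 16)}))
        # any other line (progress, unrelated log noise) is ignored
    return report


def failed_files(report):
    """Paths that did not verify, sorted; empty list means everything passed."""
    return sorted(p for p, e in report.items() if e["status"] != "pass")


def run_verify(key=None):
    """Run journalctl --verify on this host and classify it (needs journald; not used by the sample below).
    journalctl emits these lines through its logging, so both output streams are captured."""
    cmd = ["journalctl", "--verify"]
    if key is not None:
        parse_verify_key(key)                    # fail early on a mistyped key
        cmd.append(f"--verify-key={key}")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_verify_output((proc.stdout + proc.stderr).splitlines())


# Constructed samples, reconstructed from the two runs quoted in the post (abbreviated).
MACHINE = "5300f6966bfb452da9d2c63ebc6bed4e"
SAMPLE_NO_KEY = [
    f"PASS: /run/log/journal/{MACHINE}/system@ed7996ee15d1483f807dd9681125583e-000000000008a71f-00052f2a193c935a.journal",
    f"Journal file /var/log/journal/{MACHINE}/system.journal has sealing enabled but verification key has not been passed using --verify-key=.",
    f"FAIL: /var/log/journal/{MACHINE}/system.journal (Required key not available)",
    f"PASS: /var/log/journal/{MACHINE}/user-1000.journal",
]
SAMPLE_WITH_KEY = [
    "Tag/entry realtime timestamp out of synchronization at 390e60",
    f"File corruption detected at /var/log/journal/{MACHINE}/system.journal:390e60 (of 8388608 bytes, 44%).",
    f"FAIL: /var/log/journal/{MACHINE}/system.journal (Bad message)",
    f"PASS: /var/log/journal/{MACHINE}/user-1000.journal",
]

if __name__ == "__main__":
    for label, sample in (("without key", SAMPLE_NO_KEY), ("with key", SAMPLE_WITH_KEY)):
        rep = classify_verify_output(sample)
        print(label, failed_files(rep), rep)
```

Run as a script it prints the two reports; `run_verify(key)` does the same against the live journal on a host with journald, and `parse_verify_key` rejects a key before journalctl ever sees it.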
