[systemd-devel] sysext verity+signed with EFI FW keys

Itxaka Serrano Garcia itxaka.garcia at spectrocloud.com
Wed Jun 5 13:03:09 UTC 2024


Hey all,

Testing systemd-sysext a bit with verity+signature, running a sample
like this:

systemd-repart -S -s extension/ /run/extensions/k3sv1.30.0+k3s1.sysext.raw
--private-key=db.key --certificate=db.pem

This generates a nice sysextension with verity and signed! (Nice work there
BTW, it's dead simple!)

But when I try to load it, it asks for a password, saying that the required
key is not available:

root@localhost:~# systemd-sysext status
HIERARCHY EXTENSIONS SINCE
/opt      none       -
/usr      none       -
root@localhost:~# systemd-sysext refresh
[  658.620707] device-mapper: table: 252:2: verity: Root hash verification
failed (-ENOKEY)
[  658.621192] device-mapper: ioctl: error adding target to table
device-mapper: reload ioctl on
266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity
(252:2) failed: Required key not available
🔐 Please enter image passphrase: (press TAB for no echo)

Is this not supported? I can see some of my keys in the kernel keyring that
match the keys in my FW:
3dcac152 I------     1 perm 1f010000     0     0 asymmetri ITXAKA:
92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d []

But sysext claims that it cannot get it from the kernel keyring:

Validation of dm-verity signature failed via the kernel, trying userspace
validation instead: Required key not available


The workaround is just to get the certificate and transform it into a nice
x509 DER format under /run/verity.d/WHATEVER.crt.

But I was wondering if there was a way for the sysext to just check against
the EFI FW directly, get the public certs and try to verify against that?

Thanks!
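The workaround described in the post, as an added example that is not part of the original message or of systemd's own tooling: the PEM certificate handed to systemd-repart --certificate= (db.pem in the post) is converted to DER and placed under /run/verity.d/ with a .crt suffix, which is where systemd-sysext's userspace validation looks once the kernel keyring lookup fails. The directory and suffix come from the post; the function names, the VERITY_D variable and the throwaway self-signed certificate used as a stand-in for db.key/db.pem are this example's own. The script re-parses the written file as DER and compares fingerprints, so a PEM file copied in by mistake or the wrong certificate is caught before it is relied on as a trust anchor.

```shell
#!/bin/sh
# Added example (not from the original post): install the sysext signing
# certificate as a DER trust anchor for systemd-sysext's userspace
# dm-verity signature check, then verify what was installed.
# VERITY_D, make_demo_cert, install_verity_cert, describe_der_cert and
# same_cert are names chosen for this example; /run/verity.d/<name>.crt
# is the location named in the post.
set -eu

# Target directory; overridable so the example can run in a scratch dir
# without touching /run.
VERITY_D="${VERITY_D:-/run/verity.d}"

# Constructed stand-in for the post's db.key/db.pem: a throwaway
# self-signed certificate generated locally so the example runs offline.
# Arguments: output key path, output certificate path (PEM).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-sysext-signer" \
        -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Convert a PEM certificate to DER as <dir>/<name>.crt.
# Arguments: PEM cert path, base name for the .crt file, target directory
# (defaults to VERITY_D). Prints the resulting path on success.
install_verity_cert() {
    pem="$1"; name="$2"; dir="${3:-$VERITY_D}"
    mkdir -p "$dir"
    out="$dir/$name.crt"
    openssl x509 -in "$pem" -outform DER -out "$out"
    # Re-parse the written file as DER: a PEM copied in unchanged fails here
    # and the function (and the caller, under set -e) aborts.
    openssl x509 -inform DER -in "$out" -noout >/dev/null
    chmod 0644 "$out"
    printf '%s\n' "$out"
}

# Print subject and SHA-256 fingerprint of a DER certificate so the
# installed anchor can be compared with what was passed to systemd-repart.
describe_der_cert() {
    openssl x509 -inform DER -in "$1" -noout -subject -fingerprint -sha256
}

# Return 0 only if the DER file carries the same certificate as the PEM.
same_cert() {
    pem_fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    der_fp=$(openssl x509 -inform DER -in "$2" -noout -fingerprint -sha256)
    [ "$pem_fp" = "$der_fp" ]
}

# Stand-alone demonstration in a scratch directory (no write to /run).
demo() {
    work=$(mktemp -d)
    make_demo_cert "$work/db.key" "$work/db.pem"
    crt=$(install_verity_cert "$work/db.pem" demo-signer "$work/verity.d")
    describe_der_cert "$crt"
    same_cert "$work/db.pem" "$crt" && echo "verity.d certificate matches db.pem"
}

if command -v openssl >/dev/null 2>&1; then
    demo
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

For the real case, `install_verity_cert db.pem k3s` (as root, with VERITY_D left at its default) writes /run/verity.d/k3s.crt. Anything placed there is trusted by the userspace fallback for every image it validates, so only the certificate that actually signed the extension belongs in that directory, and `same_cert db.pem /run/verity.d/k3s.crt` is the check to run after copying.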