[systemd-devel] sysext verity+signed with EFI FW keys
Itxaka Serrano Garcia
itxaka.garcia at spectrocloud.com
Wed Jun 5 16:20:39 UTC 2024
Ooh I see.
Thanks for the heads up, I'll have a look to see which upstream kernels
have this enabled as we are using upstream kernels directly.
On the meantime it's trivial to extract the certs ourselves so it still
works as expected :)
Thanks Luca! I'll write an extra thread now with some more systemd-sysext
questions!
El mié, 5 jun 2024, 17:52, Luca Boccassi <luca.boccassi at gmail.com> escribió:
> On Wed, 5 Jun 2024 at 15:15, Itxaka Serrano Garcia
> <itxaka.garcia at spectrocloud.com> wrote:
> >
> > Hey all,
> >
> > testing a bit the systemd-sysext with verity+signature, running a sample
> like this:
> >
> > systemd-repart -S -s extension/
> /run/extensions/k3sv1.30.0+k3s1.sysext.raw --private-key=db.key
> --certificate=db.pem
> >
> > This generates a nice sysextension with verity and signed! (Nice work
> there BTW, its dead simple!)
> >
> > But when trying to load it asks for a password, saying that the required
> key is not available
> >
> > root at localhost:~# systemd-sysext status
> > HIERARCHY EXTENSIONS SINCE
> > /opt none -
> > /usr none -
> > root at localhost:~# systemd-sysext refresh
> > [ 658.620707] device-mapper: table: 252:2: verity: Root hash
> verification failed (-ENOKEY)
> > [ 658.621192] device-mapper: ioctl: error adding target to table
> > device-mapper: reload ioctl on
> 266b153bfd5592bf005a9ce9b15734f9293ecb3e095d1cb4b9f641f897ed7a22-verity
> (252:2) failed: Required key not available
> > 🔐 Please enter image passphrase: (press TAB for no echo)
> >
> > Is this not supported? I can see some of my keys in the kernel keyring
> that match the keys in my FW:
> > 3dcac152 I------ 1 perm 1f010000 0 0 asymmetri ITXAKA:
> 92b4fa443577dc2ccb116ca59f479a6652dc7b2d: X509.rsa 52dc7b2d []
> >
> > But sysext claims that it cannot get it from the kernel keyring:
> >
> > Validation of dm-verity signature failed via the kernel, trying
> userspace validation instead: Required key not available
> >
> >
> > The workaround is just to get the certificate and transform it into a
> nice x509 DER format under /run/verity.d/WHATEVER.crt
> >
> > But I was wondering if there was a way for the sysext to just check
> against the EFI FW directly, get the public certs and try to verify against
> that?
>
> The kernel needs to be built with some non-default kconfigs, so if
> it's a custom build or distro check that those are all enabled, they
> are listed here:
>
> https://github.com/systemd/systemd/blob/main/README#L131
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20240605/b66878c2/attachment.htm>
More information about the systemd-devel
mailing list