[systemd-devel] Sysext questions

Itxaka Serrano Garcia itxaka.garcia at spectrocloud.com
Thu Jun 6 14:49:06 UTC 2024


Another extra question: trying an extension that is signed, if I don't
provide the signature in the verity.d dir, the service hangs because it's
asking for a password. Is it possible to skip that somehow? I don't want it
to ask for a password; if there is no key, just fail to load it.

Thanks!

On Wed, Jun 5, 2024 at 6:28 PM Itxaka Serrano Garcia <
itxaka.garcia at spectrocloud.com> wrote:

> Hello again!
>
> A few sysext questions that have arisen from our testing
>
>  - image policy is configurable, but is there a single config file where
> we can put that so it's used system wide? For example to only allow
> verity+signed? Service override?
>  - I can't see anything preventing a manual call to sysext refresh from
> overriding the default policy, i.e. if we set it at the service level in an
> immutable system, nothing prevents someone from calling the sysext command
> manually and overriding the image policy, no?
>  - I also don't see anything that can run against a single sysext and
> return a validity check, to check that individual files conform to a given
> policy for example? Any idea if there is something like that? Sysext verify
> SYSEXT_FILE --image-policy=whatever
>  - I have also seen that, having several extensions verity+signed, if there
> is just one that is not either verity or signed, the whole merge stops?
> Is there any reasoning for that? Is that a bug? Should I open a bug for
> this? IMHO it makes no sense, as they are individual files, so if something
> does not match the policy it should just be skipped and the rest of the
> extensions loaded anyway. But of course I have low visibility into this, so
> there may be good reasons for it.
>
> I think that's all, thanks for reading!
> Itxaka
>