Expected behaviour you didn't see
/var/lib/extensions contains multiple raw images with signed verity. Developers need to switch kernel, with different keyrings (locally built vs CI built). So the extension might be signed for one or the other kernel. The os-release of the host matches the extension-release of only those images that are signed with the corresponding kernel.
When merging extensions, systemd-sysext should ignore extensions that are not matching.
Unexpected behaviour you saw
Unfortunately, to read the extension-release, systemd needs to mount the extension. If one image fails to mount, then no extension is merged at all.
crypt_activate_by_signed_key() returns ENODEV, and this does not get handled properly.
Steps to reproduce the problem
Create 2 extensions in /var/lib/extensions, with signed verity. Make sure one of them is signed with a key that is not present in the kernel keyring or in /etc/verity.d, and that this extension does not match the os-release. Make sure that the other image is properly signed and matches the os-release. Then merge the extensions.
Run systemd-sysext merge.
Additional program output to the terminal or log subsystem illustrating the issue
No response
The problem with ignoring broken ones is that you don't get any feedback when that happens, so not sure what's better. Maybe add a --graceful or so command line option?
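To make the reported failure mode and the --graceful idea concrete, here is an added Python model of the merge loop (example code, not systemd's own): it uses constructed image records and a simplified extension-release match rule (an assumption: ID must match, then SYSEXT_LEVEL or else VERSION_ID). Strict mode aborts the whole merge on the first ENODEV, as observed; graceful mode skips that image but still reports it, so the operator does get feedback.

```python
import errno

# Constructed host os-release and extension images (example data, not from the issue).
HOST_OS_RELEASE = {"ID": "gnome-os", "VERSION_ID": "nightly", "SYSEXT_LEVEL": "1"}

# name -> (mount errno or None, extension-release fields read after a successful mount)
IMAGES = {
    "tools-ci.raw": (None, {"ID": "gnome-os", "SYSEXT_LEVEL": "1"}),  # signed for this kernel
    "tools-local.raw": (errno.ENODEV, None),  # key not in kernel keyring nor /etc/verity.d
}

class MergeAborted(Exception):
    """Raised when strict merging gives up because one image failed to mount."""

def release_matches(host, ext):
    """Simplified compatibility check (assumption, not systemd's exact logic):
    ID must match (or be '_any'); then SYSEXT_LEVEL if present, else VERSION_ID."""
    if ext.get("ID") not in ("_any", host.get("ID")):
        return False
    if "SYSEXT_LEVEL" in ext:
        return ext["SYSEXT_LEVEL"] == host.get("SYSEXT_LEVEL")
    return ext.get("VERSION_ID") == host.get("VERSION_ID")

def mount_image(name):
    """Stand-in for dissecting the image; raises OSError with the verity errno."""
    err, release = IMAGES[name]
    if err is not None:
        raise OSError(err, f"{name}: crypt_activate_by_signed_key failed")
    return release

def merge(images, host, graceful=False):
    """Return (merged, skipped). Strict mode aborts the entire merge on the first
    mount failure (the reported behaviour); graceful mode skips that image but
    records the reason so it is still visible to the operator."""
    merged, skipped = [], []
    for name in images:
        try:
            release = mount_image(name)
        except OSError as e:
            if not graceful:
                raise MergeAborted(f"{name}: {e.strerror}") from e
            skipped.append((name, errno.errorcode.get(e.errno, str(e.errno))))
            continue
        if release_matches(host, release):
            merged.append(name)
        else:
            skipped.append((name, "release-mismatch"))
    return merged, skipped
```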
systemd version the issue has been seen with
256~rc1
Used distribution
GNOME OS Nightly
Linux kernel version used
6.7.9
CPU architectures issue was seen on
x86_64
Component
systemd-sysext