systemd-sysext refuses to mount any extension if one is wrongly signed, even if its extension-release does not match os-release

[valentindavid]

systemd version the issue has been seen with

256~rc1

Used distribution

GNOME OS Nightly

Linux kernel version used

6.7.9

CPU architectures issue was seen on

x86_64

Component

systemd-sysext

Expected behaviour you didn't see

/var/lib/extensions contains multiple raw images with signed verity. Developers need to switch kernel, with different keyrings (locally built vs CI built). So the extension might be signed for one or the other kernel. The os-release of host matches extension-release of only images that are signed with the corresponding kernel.

When merging extensions, systemd-sysext should ignore extensions that are not matching.

Unexpected behaviour you saw

Unfortunately, to read the extension-release, systemd needs to mount the extension. If one image fails to mount, then no extension is merged.

crypt_activate_by_signed_key gives ENODEV. And this does not get handled properly.

Steps to reproduce the problem

Create 2 extensions in /var/lib/extensions, with signed verity. Make sure one of them is signed with a key that is not present in the kernel or in /etc/verity.d. Make sure this extension does not match the os-release. Merge the extensions. And make sure that the other image, is properly signed and matches the os-release.
Run systemd-sysext merge.

Additional program output to the terminal or log subsystem illustrating the issue

No response

[bluca]

The problem with ignoring broken ones is that you don't get any feedback when that happens, so not sure what's better. Maybe add a --graceful or so command line option?

[poettering]

I am pretty sure we should apply what we can, and skip but log about the ones that do not apply. If we fail completely this sounds less than ideal