I am trying to use fs-verity (description of fs-verity: https://www.kernel.org/doc/html/next/filesystems/fsverity.html) with the kernel built-in signature feature.
But I always end up with the same error.
According to the documentation, I have to enable fs-verity for a file with signature as follows:
fsverity enable my_file --signature=my_file_signature
If I use strace to watch the ioctl call, I get the following error for the above statement:
ioctl(3, FS_IOC_ENABLE_VERITY, 0x7fff03333bc0) = -1 ENOKEY (Required key not available)
Next step: Trying to add my key for signature verification to the keyring for fs-verity
I have tried it by using keyctl. According to the documentation (https://manpages.ubuntu.com/manpages/trusty/man1/keyctl.1.html) I can use add or padd. I have tried both. For the latter there is also an example for Android: https://android.googlesource.com/platform/external/fsverity-utils/+/1769fe3896c4aa523f3feaa2ff494cc1a83bdc4d/README.md
E.g. by using padd as the link above described:
keyctl padd asymmetric '' %keyring:.fs-verity < certificate.der
Error message:
request_key("keyring",".fs-verity", NULL, 0) = -1 ENOKEY (Required key not available)
Although the config item CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y is true in my case (I checked it with cat /usr/src/linux-header***/.config), a keyring for fs-verity does not exist yet.
Next step: Creating a keyring for fs-verity
With keyctl, I can use newring to create a new keyring. So I tried keyctl newring fs-verity 77.
77 should be the id for the new keyring (type key_serial_t which is defined as int32_t).
Error message:
add_key("keyring","fs-verity", NULL, 0) = -1 ENOKEY (Required key not available)
Here I am a bit confused because the documentation of keyutils (https://man7.org/linux/man-pages/man2/add_key.2.html) says for using add_key() and keyrings as key_type: "Keyrings are special key types that may contain links to sequences of other keys of any type. If this interface is used to create a keyring, then payload should be NULL and plen should be zero."
Definition of add_key():
key_serial_t add_key(const char *type, const char *description,
const void payload[.plen], size_t plen,
key_serial_t keyring);
So if I use NULL as payload and plen=0, I should be able to create a new keyring with add_key(). The last parameter is an int32_t number which is used as id for the new keyring. I used 77.
Does anyone have an idea what the problem could be? Also, maybe someone knows another, easier way to create a keyring for fs-verity?
I am using Ubuntu 22.04 LTS.
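As an added diagnostic (not part of the question, of keyutils or of fsverity-utils), the script below checks the two facts that decide whether keyctl padd ... %keyring:.fs-verity can succeed. The kernel creates the .fs-verity keyring itself during boot when CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y is set in the running kernel, so the option should be read from /boot/config-$(uname -r) rather than from a headers package under /usr/src, and once created the keyring is listed in /proc/keys (readable as root). Separately, the last argument of keyctl newring and of add_key() is the serial of the destination keyring that the new keyring is linked into (for example @s, the session keyring); the kernel assigns the new serial, so a number like 77 is looked up as an existing keyring. The script parses both files offline from constructed sample input; the sample serials, the "Example Signer" certificate and the file paths used by main() are assumptions, not values from the question.

```python
"""Check whether the kernel's .fs-verity keyring exists and why it might not."""
import os
import platform
import re

# /proc/keys columns (proc(5), keyrings(7)):
#   serial flags usage timeout perms uid gid type description: summary
# The kernel prints the type with "%-9.9s", so "asymmetric" shows as "asymmetri".
_LINE_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>\S{7})\s+(?P<usage>\d+)\s+"
    r"(?P<timeout>\S+)\s+(?P<perms>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<rest>.*)$"
)

# Constructed sample input (serials, subject name and key id are made up).
SAMPLE_CONFIG = """\
CONFIG_FS_VERITY=y
CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y
"""
SAMPLE_PROC_KEYS = """\
0ffb2ea5 I--Q---     1 perm 1f3f0000     0     0 keyring   _ses: 1
3a2f6c1e I------     1 perm 1f0b0000     0     0 keyring   .fs-verity: 1
21d7e9a4 I------     1 perm 1f010000     0     0 asymmetri Example Signer: 1a2b3c4d: X509.rsa 1a2b3c4d []
"""


def parse_proc_keys(text):
    """Parse /proc/keys text into a list of dicts, one per key."""
    records = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # header or unexpected line
        rec = m.groupdict()
        rest = rec.pop("rest")
        # Descriptions may themselves contain ": " (asymmetric keys are
        # "subject: keyid"), so the summary is whatever follows the last ": ".
        desc, sep, summary = rest.rpartition(": ")
        if not sep:
            desc, summary = rest, ""
        rec["description"] = desc
        rec["summary"] = summary
        rec["serial"] = int(rec["serial"], 16)
        rec["perms"] = int(rec["perms"], 16)
        rec["uid"] = int(rec["uid"])
        rec["gid"] = int(rec["gid"])
        records.append(rec)
    return records


def find_keyring(records, name):
    """Return the keyring record with the given description, or None."""
    for rec in records:
        if rec["type"] == "keyring" and rec["description"] == name:
            return rec
    return None


def config_value(config_text, option):
    """Return the value of a Kconfig option: 'y', 'm', a string, 'n' when
    the file says 'is not set', or None when the option is absent."""
    for line in config_text.splitlines():
        line = line.strip()
        if line.startswith(option + "="):
            return line.split("=", 1)[1]
        if line == "# " + option + " is not set":
            return "n"
    return None


def diagnose(config_text, proc_keys_text):
    """Combine both checks into a verdict a practitioner can act on."""
    builtin = config_value(config_text, "CONFIG_FS_VERITY_BUILTIN_SIGNATURES")
    ring = find_keyring(parse_proc_keys(proc_keys_text), ".fs-verity")
    if builtin != "y":
        verdict = ("running kernel lacks CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y; "
                   "the kernel only creates .fs-verity when that option is set")
    elif ring is None:
        verdict = ("option is enabled but .fs-verity is not listed; make sure the "
                   "config file matches uname -r and /proc/keys was read as root")
    else:
        verdict = ".fs-verity keyring present (serial 0x%08x, summary '%s')" % (
            ring["serial"], ring["summary"])
    return {"builtin_signatures": builtin, "keyring": ring, "verdict": verdict}


def main():
    # Assumed locations: Ubuntu ships the running kernel's config in /boot.
    config_path = "/boot/config-" + platform.release()
    config_text = open(config_path).read() if os.path.exists(config_path) else ""
    proc_keys_text = open("/proc/keys").read() if os.path.exists("/proc/keys") else ""
    print(diagnose(config_text, proc_keys_text)["verdict"])


if __name__ == "__main__":
    main()
```

Run it as root on the machine in question; a verdict of "option is enabled but .fs-verity is not listed" usually means the config that was inspected belongs to a different kernel than the one booted.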