How do I add a public key to .secondary_trusted_keys?

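I am trying to add an additional key to .secondary_trusted_keys. The documentation says that, to do this, the additional key must be signed by a key that already resides in either .builtin_trusted_keys or .secondary_trusted_keys.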

Steps:
1. Rebuilt kernel 4.15.8 for Ubuntu 18.04 to get the signing key (certs/signing_key.pem) that is built into the kernel.

prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -in signing_key.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            83:db:41:db:8e:32:42:ba
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN = Build time autogenerated kernel key
        Validity
            Not Before: Jan 17 17:49:27 2019 GMT
            Not After : Dec 24 17:49:27 2118 GMT
        Subject: CN = Build time autogenerated kernel key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Key Identifier: 
                A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
            X509v3 Authority Key Identifier: 
                keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61

    Signature Algorithm: sha512WithRSAEncryption

2. Verified that .builtin_trusted_keys has the same signing key.

prashant@pra-ubuntu-1804:~/bionic/certs$ sudo keyctl show -x %:.builtin_trusted_keys
Keyring
0x3c40ebe7 ---lswrv      0     0  keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661

3. Generated a key pair signed by this build-time autogenerated kernel key, to add to .secondary_trusted_keys.

prashant@pra-ubuntu-1804:~/bionic/certs$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -out additional_cert.csr -keyout additional_key.pem
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'additional_key.pem'
-----
prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -req -sha512 -days 36500 -in additional_cert.csr -outform DER -out additional_cert.x509 -CA signing_key.pem -CAkey signing_key.pem -CAcreateserial
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting CA Private Key

4. But when I try to add the additional certificate to .secondary_trusted_keys, it fails:

prashant@pra-ubuntu-1804:~$ sudo keyctl padd asymmetric "" %:.secondary_trusted_keys <additional_cert.x509 
add_key: Required key not available

I need to add additional public keys to .secondary_trusted_keys.
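
Added example, not part of the original question: the documentation rule quoted at the top and the by-eye comparison in step 2, written as a shell check that takes a certificate's Authority Key Identifier and looks for it in a keyctl listing. It assumes the listing prints the key ID at the end of the key description, as in step 2, and that the AKID is in keyid form; the function names are made up for this example.

```shell
#!/bin/sh
# Sample text copied from the openssl and keyctl output in the question.
CERT_TEXT='            X509v3 Subject Key Identifier:
                A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
            X509v3 Authority Key Identifier:
                keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61'
KEYRING='0x3c40ebe7 ---lswrv      0     0  keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv      0     0   \_ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661'

# Normalise a key ID: drop "keyid:", colons and whitespace, lower-case it,
# and print nothing unless what remains is pure hex.
norm_id() {
    printf '%s' "$1" | sed 's/keyid://' | tr -d ': \t\n' | tr 'A-F' 'a-f' |
        grep -E '^[0-9a-f]+$' || true
}

# Read `openssl x509 -text -noout` output on stdin and print the ID found on
# the line after the named X509v3 extension header (empty if absent).
ext_id() {
    norm_id "$(awk -v h="X509v3 $1:" 'found { print; exit } index($0, h) { found = 1 }')"
}

# Succeed if the `keyctl show -x` listing in $1 has an asymmetric key whose
# description ends in the ID $2 (the layout shown in step 2).
keyring_has() {
    [ -n "$2" ] && printf '%s\n' "$1" | grep -q "asymmetric: .*: $2\$"
}

# issuer_in_keyring CERT_TEXT KEYRING_LISTING
# 0: signer's key ID is listed; 1: not listed; 2: no keyid-form AKID in cert.
issuer_in_keyring() {
    akid=$(printf '%s\n' "$1" | ext_id "Authority Key Identifier")
    [ -n "$akid" ] || return 2
    keyring_has "$2" "$akid"
}

# Live use (commands from the question supply the two inputs):
#   issuer_in_keyring "$(openssl x509 -inform DER -in additional_cert.x509 -text -noout)" \
#                     "$(sudo keyctl show -x %:.builtin_trusted_keys)"
if issuer_in_keyring "$CERT_TEXT" "$KEYRING"; then
    echo "signer a5e01c... is listed in the keyring"
else
    echo "signer not matched (rc=$?)"
fi
```

Return code 2 separates a certificate that names no signer by key ID from one whose named signer is simply not in the listing.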