mjhjmtu

I am trying to add additional keys to .secondary_trusted_keys. Documentation says, to do so the additional keys has to be signed by a key which is already a resident in either .builtin_trusted_keys or .secondary_trusted_keys.

Steps:

1.Rebuilt Kernel 4.15.8 for Ubuntu 18.04 to get hold of signing key (certs/signing_key.pem) which is built into the Kernel.

prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -in signing_key.pem -text -noout
Certificate:
 Data:
 Version: 3 (0x2)
 Serial Number:
 83:db:41:db:8e:32:42:ba
 Signature Algorithm: sha512WithRSAEncryption
 Issuer: CN = Build time autogenerated kernel key
 Validity
 Not Before: Jan 17 17:49:27 2019 GMT
 Not After : Dec 24 17:49:27 2118 GMT
 Subject: CN = Build time autogenerated kernel key
 Subject Public Key Info:
 Public Key Algorithm: rsaEncryption
 Public-Key: (4096 bit)
 Modulus:
 00:b5:2a:d2:eb:f5:27:69:84:fa:37:39:38:b7:1f:
 7b:a0:e3:28:c7:60:09:b2:0a:c4:f6:78:be:ce:66:
 de:1f:a1:55:1d:48:fa:08:db:c4:16:fe:fb:33:d1:
 70:40:88:18:b7:44:83:c1:f9:c2:90:40:06:97:4a:
 dd:94:f1:70:e9:dd:8a:ee:75:f4:dd:d3:c6:56:bc:
 dd:71:d2:ac:7b:d1:60:9f:bc:e4:19:70:96:65:b2:
 11:da:64:d8:2f:d4:ea:b9:b2:73:3f:24:1b:bd:31:
 bd:4b:21:b9:8d:ea:ea:ba:88:2e:a3:6c:5a:12:72:
 46:36:e0:a3:0b:2a:95:13:1a:a3:32:a0:bb:e2:83:
 37:98:c2:00:c8:dd:1a:99:f6:b4:03:cd:21:9e:42:
 f5:9f:a4:c8:50:c1:61:10:28:fb:2e:16:8b:f5:f4:
 09:f6:72:e7:5a:e4:9d:61:7f:b3:71:59:63:b4:70:
 76:bd:50:e5:77:aa:ba:d4:53:a5:06:50:1e:6d:0c:
 9c:17:09:34:c7:60:13:0a:10:5a:06:ff:17:08:6e:
 45:07:06:e5:26:87:70:a6:5f:a6:ae:09:5d:ac:48:
 45:ee:e1:2f:b5:c8:57:90:b0:29:5e:d2:86:c4:e4:
 0b:f9:ff:97:c1:b4:8c:fb:e3:91:85:76:50:bf:61:
 a8:40:d5:45:ba:3b:94:63:1c:7d:b8:27:f1:13:53:
 18:20:2f:1b:36:7d:8a:a3:5a:8d:3b:01:3d:98:e9:
 02:48:ba:03:92:e9:0a:c1:40:92:f5:0b:2e:ed:70:
 48:14:a1:b8:6c:3b:10:36:bb:38:f5:d2:73:a1:a2:
 81:4c:cd:dc:49:95:da:8f:75:b8:1b:ed:e4:be:67:
 1a:fa:7f:51:69:46:53:51:75:2e:55:f7:c1:10:f1:
 62:7b:ba:6a:67:d3:19:0a:22:5d:77:51:ec:9a:0f:
 3a:5d:46:5c:25:33:4a:31:69:c1:5a:f4:88:7b:91:
 d0:79:47:ad:22:c8:8e:8e:6c:ec:22:d9:d1:3e:74:
 5a:f9:0c:5f:5b:ad:c7:20:38:89:c7:ff:cc:0b:a0:
 c8:99:a9:aa:c5:5a:70:5b:90:e1:96:38:38:6f:60:
 6a:b5:ae:02:fc:9d:90:b7:84:08:bd:a1:9a:b3:46:
 a6:25:3e:51:14:ab:fc:95:f8:bd:e4:e0:88:16:88:
 18:76:e4:b7:5e:0e:72:a4:49:92:98:32:ac:04:d4:
 8f:9e:e0:13:de:b4:dd:3b:9c:85:93:bc:51:42:a0:
 7e:68:ef:60:09:f0:72:c8:30:da:5d:b8:d4:71:98:
 3c:c4:52:e0:81:b8:21:2f:5b:f7:fa:9e:0f:d0:23:
 e4:8b:ff
 Exponent: 65537 (0x10001)
 X509v3 extensions:
 X509v3 Basic Constraints: critical
 CA:FALSE
 X509v3 Key Usage: 
 Digital Signature
 X509v3 Subject Key Identifier: 
 A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61
 X509v3 Authority Key Identifier: 
 keyid:A5:E0:1C:E6:A4:66:83:25:1B:DC:0C:7E:6E:4C:9D:35:86:1B:56:61

 Signature Algorithm: sha512WithRSAEncryption
 b2:28:03:c3:2b:43:a6:1f:cd:e0:56:a7:a5:cf:e3:e9:88:48:
 1c:86:d1:fa:ea:3f:21:15:6f:ec:95:66:57:e5:37:0c:ae:1a:
 6b:86:5c:af:21:38:b6:87:e7:f8:8e:cc:da:66:c0:a2:6f:be:
 44:11:58:e4:97:ac:a4:ce:e3:37:9d:37:bc:a5:b4:22:aa:7c:
 ca:f5:c8:67:b5:a6:aa:31:37:34:dd:a4:81:55:80:b0:e7:0e:
 da:61:ee:ad:7a:92:95:3a:18:3d:7f:3c:a3:ea:c8:fb:98:78:
 b4:cd:b0:43:3e:3b:ee:a2:7a:00:58:c1:3d:15:51:ca:db:7c:
 ef:ab:d1:66:3e:42:a9:d2:8a:48:1f:69:ff:7a:56:1e:03:23:
 dd:6f:fc:97:28:9f:07:94:81:63:b4:76:c2:69:77:68:3d:7c:
 71:3e:bc:02:fc:95:0b:49:31:82:a8:b0:78:45:60:18:7e:d6:
 f7:f6:8e:e1:82:29:bc:28:91:e9:4e:77:ce:61:40:a1:7b:8b:
 c1:77:b3:af:5f:e0:1c:90:56:98:0b:7c:70:ec:ad:ea:02:77:
 26:d5:7d:f7:35:ae:18:da:24:c6:51:19:45:7c:2a:e3:07:26:
 c4:88:8b:c0:4e:c2:98:07:fd:0a:5e:d7:23:19:76:35:3f:1f:
 d7:15:95:22:a1:6a:28:8a:a4:24:d7:fe:2b:c4:86:7e:51:4f:
 15:a6:e0:9e:76:dd:e2:ae:db:ca:e1:84:6d:e6:f7:30:da:3a:
 22:83:2a:2b:35:76:93:44:a0:40:2d:23:c6:6d:0c:fd:b5:a7:
 b6:7f:a2:25:3c:7e:f1:bd:ff:2c:f7:7b:e1:bb:de:02:36:eb:
 5d:c4:eb:83:e9:16:4f:ce:dc:4c:c8:a3:1f:93:aa:b9:38:b2:
 8c:68:50:4a:5a:50:ef:31:d3:cc:25:3b:5d:ec:84:24:a9:c9:
 4d:61:f1:4c:7a:c1:63:39:66:78:94:cb:ba:4e:09:5e:9b:a8:
 23:a5:a2:c4:be:08:13:f6:80:9f:41:1f:05:7b:1e:34:1b:d3:
 92:5b:43:36:e2:06:30:9d:b6:40:0d:4a:ea:75:03:fa:90:8b:
 15:ae:3c:fe:06:b8:19:96:e6:4b:b0:c3:c9:be:90:ea:99:9b:
 54:41:ab:b1:16:1e:25:d5:42:78:e4:28:19:c0:67:30:86:df:
 b7:f4:d9:fc:62:2c:2f:73:27:47:58:33:5a:c2:da:98:b8:a2:
 dd:1f:80:2f:20:33:75:a2:a0:b8:af:d1:03:46:1a:a8:20:ea:
 a9:c9:39:82:cb:b8:a2:26:24:43:f7:b8:79:5f:65:22:76:3f:
 97:88:e5:21:d1:25:fc:77

2.Verified that .builtin_trusted_keys has the same signing key.

prashant@pra-ubuntu-1804:~/bionic/certs$ sudo keyctl show -x %:.builtin_trusted_keys
Keyring
0x3c40ebe7 ---lswrv 0 0 keyring: .builtin_trusted_keys
0x00a352e3 ---lswrv 0 0 _ asymmetric: Build time autogenerated kernel key: a5e01ce6a46683251bdc0c7e6e4c9d35861b5661

3.Generated a key pair signed by this build time autogenerated
kernel key to add to .secondary_trusted_keys

prashant@pra-ubuntu-1804:~/bionic/certs$ openssl req -new -nodes -utf8 -sha512 -days 36500 -batch -out additional_cert.csr -keyout additional_key.pem
Generating a 2048 bit RSA private key
................................+++
..................................+++
writing new private key to 'additional_key.pem'
-----
prashant@pra-ubuntu-1804:~/bionic/certs$ openssl x509 -req -sha512 -days 36500 -in additional_cert.csr -outform DER -out additional_cert.x509 -CA signing_key.pem -CAkey signing_key.pem -CAcreateserial
Signature ok
subject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
Getting CA Private Key

4.But when I try to add additional_cert to .secondary_trusted_keys, it fails:

prashant@pra-ubuntu-1804:~$ sudo keyctl padd asymmetric "" %:.secondary_trusted_keys <additional_cert.x509 
add_key: Required key not available

I need to add additional public keys to .secondary_trusted_keys.