Bug
Resolution: Unresolved
What were you trying to do that didn't work?
Just like the UKI kernel cmdline addons, we need a way to extend the UKI (Unified kernel image) initrd to add additional files, modules, etc inside of it without the need of creating, signing and shipping a new UKI.
The high level procedure is easy:
- create an addon/extension
- sign it
- put it into the ESP
- reboot and see the addon applied
For a systemd-sysext extension (assuming Fedora Rawhide) this means:
- Prerequisite: Make sure systemd 255 is installed.
- Prerequisite: Download mkosi and install it (see README): https://github.com/systemd/mkosi
- Prerequisite: sudo dnf -y install bubblewrap
- Prerequisite: systemctl start systemd-repart
- Prerequisite: Make sure the initrd created with dracut contains:
dracutmodules+=" systemd-sysext "
drivers+=" squashfs dm_verity "
Full dracut-virt.conf is https://gitlab.com/eesposit/eesposit-scripts/-/blob/main/qemu_machine/dracut-virt.conf?ref_type=heads
- Create a .crt and .key file containing the public and private key. This key must be part of MOK or in the security DB.
- create an extension using mkosi (https://gitlab.com/eesposit/eesposit-scripts/-/blob/main/qemu_machine/mkosi_script.sh?ref_type=heads does a dummy one for you, or check https://github.com/systemd/mkosi/commit/c42d8161f60d3cb161146aaaf068596ee66051ca )
- After it is done, copy $FOLDER/$EXT_NAME.raw into /boot/efi/EFI/Linux/devel.efi.extra.d/
Note that this is not standard sysext behavior: systemd-stub takes care of copying the sysext addon into /.extra/sysext/ of the initrd, and sysext looks there to fetch and load the addons (if they are correctly signed).
- reboot
This doesn't work on Fedora Rawhide. The key is not recognized, despite being in the .platform keyring (`keyctl show %:.platform`). After asking the systemd maintainers, it looks like the keys must be in the .machine keyring (`keyctl show %:.machine`, which is empty right now). This is because the systemd-sysext extension is signed with dm-verity, which trusts only the keys in that keyring.
On the other hand, the UKI cmdline addons work fine with the .platform keyring, but this time a different choice was made.
Therefore one way to add the keys to the right keyring might be `mokutil --trust-mok`, which was added in shim 15.7:
https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
https://github.com/rhboot/shim/blob/4e513405b4f1641710115780d19dcec130c5208f/MokVars.txt#L81
But I still can't manage to make it work. Keys are never added into the .machine keyring.
Additionally we also need to figure out how to do the same without MOK, as we want to put the MSFT/RH keys in the right keyring, so that RH can ship signed systemd-sysext extensions.
The whole process works if I add rd.break into the kernel cmdline, and after reboot I manually load the extension (that should be present in /.extra/sysext) and disable signature verification with
SYSTEMD_LOG_LEVEL=debug SYSTEMD_DISSECT_VERITY_SIGNATURE=0 systemd-sysext merge --image-policy "root=unprotected+absent:usr=unprotected+absent"
Expected results
Keys are in .machine keyring and hopefully sysext extension work.
The main result we want is that the extension is recognized. Better if we don't need to move the MOK/db keys (both cases are important, the second even more) into another keyring, as we don't know if the cmdline addon (that relies on .platform) will work.
Actual results
No key in .machine keyring and extension not trusted.
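A diagnostic for the keyring question above, added here as an example; it is not from the bug report or from the reporter's linked scripts. Given the certificate used to sign the extension's verity root hash, it reports which kernel keyrings hold it, whether shim has exported MokListTrustedRT (the variable that lets MOK certs reach .machine), which of the dm-verity signature Kconfig options the running kernel has, and whether the same cert sits in /etc/verity.d/, where systemd can verify the signature in userspace. It assumes keyutils (keyctl) and OpenSSL 1.1.1+ are installed, efivarfs is mounted under /sys/firmware/efi/efivars, and the PEM cert is passed as the first argument. Keys are matched on the kernel's key description format (`<subject>: <SKID hex>`, falling back to the serial number when the cert has no SKID), not on the subject name. The `keyctl show` sample in the usage note is constructed.

```shell
#!/bin/sh
# Added diagnostic, not part of the bug report or of the linked scripts.
# Usage: sh check-verity-cert.sh mykey.crt
# Assumptions: keyctl and OpenSSL >= 1.1.1 present, efivarfs mounted,
# /boot/config-$(uname -r) readable for the Kconfig check.
set -eu

# Key identifier the kernel uses in the key description: the SKID, lowercase
# hex without colons.  Falls back to the serial number (approximate: the
# kernel uses the raw DER bytes, which may carry a leading 00).
cert_skid() {  # $1 = cert.pem
    skid=$(openssl x509 -in "$1" -noout -ext subjectKeyIdentifier 2>/dev/null \
           | awk 'NR == 2 { gsub(/[: ]/, ""); print tolower($0) }')
    if [ -z "$skid" ]; then
        skid=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//' | tr 'A-F' 'a-f')
    fi
    printf '%s\n' "$skid"
}

# Does this `keyctl show` output contain an asymmetric key with this id?
# Lines look like: "\_ asymmetric: <subject>: <hex id>".
keyring_has_skid() {  # $1 = keyctl show output, $2 = hex id
    printf '%s\n' "$1" | grep -Eiq "asymmetric: .*: $2[[:space:]]*\$"
}

# Number of asymmetric keys in a `keyctl show` dump (0 for an empty
# keyring, which is what the report sees for %:.machine).
asymmetric_key_count() {  # $1 = keyctl show output
    printf '%s\n' "$1" | grep -c 'asymmetric:' || true
}

report() {  # $1 = cert.pem
    skid=$(cert_skid "$1")
    echo "key id for $1: $skid"
    command -v keyctl >/dev/null || { echo "keyctl not installed" >&2; return 1; }
    # .machine is linked into .secondary_trusted_keys.  dm-verity checks root
    # hash signatures against the builtin keyring, or the secondary keyring with
    # CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING, and only falls
    # back to .platform with CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG_PLATFORM_KEYRING.
    for kr in .builtin_trusted_keys .secondary_trusted_keys .machine .platform; do
        if out=$(keyctl show "%:$kr" 2>/dev/null); then
            n=$(asymmetric_key_count "$out")
            if keyring_has_skid "$out" "$skid"; then
                echo "$kr: PRESENT ($n asymmetric keys)"
            else
                echo "$kr: absent  ($n asymmetric keys)"
            fi
        else
            echo "$kr: keyring not available on this kernel"
        fi
    done
    cfg=/boot/config-$(uname -r)
    if [ -r "$cfg" ]; then
        grep -E '^CONFIG_(DM_VERITY_VERIFY_ROOTHASH_SIG(_SECONDARY_KEYRING|_PLATFORM_KEYRING)?|INTEGRITY_MACHINE_KEYRING)=' "$cfg" \
            || echo "no dm-verity signature / machine keyring options set in $cfg"
    fi
    # MOK certs reach .machine only when shim exports MokListTrustedRT
    # (requested with `mokutil --trust-mok`, confirmed via MokManager on reboot).
    if [ -e /sys/firmware/efi/efivars/MokListTrustedRT-605dab50-e046-4300-abb6-3dd810dd8b23 ]; then
        echo "MokListTrustedRT: set (MOK keys eligible for .machine)"
    else
        echo "MokListTrustedRT: not set (MOK keys stay out of .machine)"
    fi
    # Userspace path: systemd can also verify the root hash signature against
    # certificates dropped into /etc/verity.d/*.crt, independent of keyrings.
    for c in /etc/verity.d/*.crt; do
        [ -e "$c" ] || continue
        [ "$(cert_skid "$c")" = "$skid" ] && echo "/etc/verity.d: PRESENT as $c"
    done
    return 0
}

if [ $# -ge 1 ]; then
    report "$1"
fi
```

Run it as `sh check-verity-cert.sh mykey.crt` on the target machine after boot; a cert that shows as PRESENT only under .platform, with .machine at 0 keys and MokListTrustedRT not set, is the state the report describes. On a constructed dump such as `\_ asymmetric: Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4`, `keyring_has_skid` matches the id case-insensitively and `asymmetric_key_count` returns 1.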
Links: is impacted by RHEL-19245 Backport MokListTrusted efi variable in shim (New)