Package: sicherboot
Version: 0.1.3
Severity: important
Tags: patch

I installed sicherboot after its recommendation in #826045 for
systemd-boot integration (instead of a tediously manually updated
syslinux-efi configuration file). As I don't use secure boot, I answered
'n' to the question about enrolling keys, as hinted. This seemed to
produce a bunch of warnings, but on inspection the contents of /boot/efi
appeared to be correct, and rebooting worked as expected.

However, now I find apt upgrade is failing and leaving things
unconfigured:

----------------------------------------
Setting up linux-image-4.11.0-2-amd64 (4.11.11-1) ...
/etc/kernel/postinst.d/dracut:
sicherboot: Installing 4.11.0-2-amd64 to ESP
objcopy: cannot open: /boot//initrd.img-4.11.0-2-amd64: No such file or directory
run-parts: /etc/kernel/postinst.d/dracut exited with return code 1
----------------------------------------

I think what's happened here is that the new kernel (with ABI bump, so a new
filename) has been unpacked, then sicherboot install-kernel has been called
(via /etc/kernel/postinst.d/dracut) before any call to update-initramfs -u to
make initrd.img-4.11.0-2-amd64. Thus the hook exits 1 and apt/dpkg dies.
I increased the bug severity to "important" because of this breakage.

To try to fix things I ran update-initramfs manually, but sicherboot doesn't
seem to like not having keys enrolled:

----------------------------------------
% sudo update-initramfs -u
update-initramfs: Generating /boot/initrd.img-4.11.0-1-amd64
warning: data remaining[23685632 vs 23693957]: gaps between PE/COFF sections?
warning: data remaining[23685632 vs 23693960]: gaps between PE/COFF sections?
Can't load key from file '/etc/sicherboot/keys/db.key'
140154209566080:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('/etc/sicherboot/keys/db.key','r')
140154209566080:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
run-parts: /etc/initramfs/post-update.d//zz-sicherboot exited with return code 1
----------------------------------------

As I had answered 'n' to the sicherboot setup question about enrolling
keys, no keys were generated. This isn't handled by sign_image, which
passes nonexistent files as parameters to sbsign, causing it to fail.
The following patch fixes this and allows update-initramfs to complete
successfully.
--- /usr/sbin/sicherboot.distrib        2017-07-04 10:52:58.000000000 +0100
+++ /usr/sbin/sicherboot        2017-07-19 14:18:24.830787198 +0100
@@ -100,6 +100,11 @@
         exit 1
     fi
 
+    if [ ! \( -e "${KEY_HOME}/db.key" -a -e "${KEY_HOME}/db.crt" \) ]; then
+        echo "No db.key, skipping sign_image."
+        return 0
+    fi
+
     local image="$1"
     local out="$2"
 
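Review bot: the guard in this hunk silently turns a missing signing key into a successful no-op, which hides the misconfiguration for anyone who does intend to use Secure Boot; consider writing the skip message to stderr and naming both files, e.g. `echo "No ${KEY_HOME}/db.key or db.crt found, skipping sign_image (image will be unsigned)." >&2`, since the current "No db.key" text also fires when only db.crt is absent. The `[ ! \( -e ... -a -e ... \) ]` form relies on the obsolescent `-a` and `\(` `\)` test operators; two separate tests, `if [ ! -e "${KEY_HOME}/db.key" ] || [ ! -e "${KEY_HOME}/db.crt" ]; then`, are portable and easier to read. Note also that this change only addresses the update-initramfs failure described above; the earlier postinst.d ordering problem (sicherboot install-kernel running before the initrd for the new ABI exists) is not covered by this hunk and still needs its own fix.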
Hope this makes sense. Thank you for writing sicherboot.

--
https://rjy.org.uk/