This bug was fixed in the package secureboot-db - 1.4~ubuntu0.16.04.1
---------------
secureboot-db (1.4~ubuntu0.16.04.1) xenial; urgency=medium
* Backport secureboot-db from cosmic to apply the August 2016 dbx updates
from Microsoft. LP: #1776996.
-- Brian Murray <br...@ubuntu.com> Fri, 19 Oct 2018 11:20:34 -0700
** Changed in: secureboot-db (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** Changed in: secureboot-db (Ubuntu Bionic)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1776996
Title:
secureboot-db out of date, missing revocations from Aug 2016
Status in secureboot-db package in Ubuntu:
Fix Released
Status in secureboot-db source package in Trusty:
Fix Released
Status in secureboot-db source package in Xenial:
Fix Released
Status in secureboot-db source package in Bionic:
Fix Released
Bug description:
Impact
------
A signed variable update for secureboot dbx has been published by Microsoft
to uefi.org; last updated 2016-08-11:
http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
This file has not been included in the secureboot-db package in
Ubuntu; so users who only boot Ubuntu and not Windows will not have
these revocations applied, meaning their firmware will trust (and
possibly be exploitable by) whatever binaries these revoked hashes
correspond to.
Additionally, the attributes of the EFI variables need to be modified
before trying to call sbkeysync so that the database update can be
applied.
Test Case
---------
On a UEFI system with secureboot disabled do the following
1) Check the output of 'mokutil --dbx'
2) Update secureboot-db to the version from -proposed
3) Check the output of 'mokutil --dbx' and verify its different from the
first run
Additionally it should be verified that the new package installs on a
secureboot-enabled system, in a container, on a BIOS-booted system.
Regression Potential
--------------------
Its possible the revoked hashes are incorrect so they should be double
checked to ensure they match the Microsoft update.
Original Description
--------------------
Separately, I seem in testing to be unable to apply this signed database
update to my system using sbkeysync, despite having the Microsoft CA in my KEK.
So it's possible that sbkeysync doesn't work; we may need to either fix it, or
switch to other code that does work, such as the dbxtool in Fedora.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+subscriptions
_______________________________________________
Mailing list: https://launchpad.net/~group.of.nepali.translators
Post to : group.of.nepali.translators@lists.launchpad.net
Unsubscribe : https://launchpad.net/~group.of.nepali.translators
More help : https://help.launchpad.net/ListHelp
