Public bug reported:

Currently the secureboot databases are only updated at the time the
secureboot-db package is installed or upgraded, but this may not be the
point in time that the firmware needs to be updated.

- New OS install: the secureboot-db package was installed during the image mastering, not when Ubuntu is written to the target disk.
- Package installed while the system is booted in BIOS mode, later switched to UEFI mode.
- Hard drive moved to a new computer which doesn't yet have the updates.

We should ship a systemd unit to re-apply these revocations as necessary
on each boot.

The unit should be
ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

(don't use dbx for the condition, since if dbx is empty this variable
may be absent.)

** Affects: secureboot-db (Ubuntu)
     Importance: Low
         Status: Triaged

** Changed in: secureboot-db (Ubuntu)
       Status: New => Triaged

** Changed in: secureboot-db (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1791370

Title:
  update database on each boot, not just on package install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1791370/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
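A systemd unit of the shape the report asks for, added here as an illustration; it is not the secureboot-db package's own unit. The condition path is the one quoted in the report. The `sbkeysync` invocation and the keystore path `/usr/share/secureboot/updates` are assumptions about how the package applies its db/dbx updates, and the unit name is a placeholder.

```ini
# Illustrative unit, e.g. /etc/systemd/system/secureboot-db-boot.service
# (assumed name; not shipped by the secureboot-db package as written here)
[Unit]
Description=Re-apply Secure Boot db/dbx updates on each boot
Documentation=https://bugs.launchpad.net/bugs/1791370
# Condition on the db variable, not dbx: an empty dbx may have no efivars
# entry at all. The same condition also skips the unit cleanly on a
# BIOS-mode boot, where /sys/firmware/efi does not exist.
ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumption: sbkeysync (from sbsigntool) writes only the keystore entries the
# firmware does not already hold, so re-running it every boot is a no-op once
# the variables are current. It must run as root to write efivars.
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose

[Install]
WantedBy=multi-user.target
```

After `systemctl enable` of the unit, `systemctl status` on a BIOS-mode boot reports the condition check as failed and the service as skipped rather than errored, which is the intended behaviour for the "installed in BIOS mode, later switched to UEFI" case: the updates are applied on the first UEFI boot instead. A dry run of the same `sbkeysync` command with `--dry-run` lists what would be written without touching the firmware variables.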
