Public bug reported:

[Impact]
sbkeysync may exit with exit code 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.

An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).

[Test Case]
Boot a secureboot VM, e.g.:

  cloud-localds seed.img user-data.yaml
  virt-install --name test \
    --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
    --import \
    --disk path=focal-server-cloudimg-amd64.img \
    --disk path=seed.img \
    --ram 1024 --feature smm=on --vcpus 1 --os-type linux \
    --os-variant ubuntu18.04 --graphics none \
    --console pty,target_type=serial --network network:default

[Fix]
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826

[Whatever we renamed Regression Risk to..]
TBD

** Affects: sbsigntool (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: sbsigntool (Debian)
     Importance: Unknown
         Status: Unknown

** Bug watch added: Debian Bug tracker #968974
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968974

** Also affects: sbsigntool (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968974
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892797

Title:
  sbkeysync fails to return non-zero on error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1892797/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
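Until a fixed sbsigntools is installed, the exit status of sbkeysync says nothing about whether a DBX update actually landed. The script below is an added example (not part of the bug report, sbsigntools or the secureboot-db package) that checks the outcome directly: it snapshots the dbx variable from efivarfs before and after running sbkeysync and treats the update as applied only if the variable grew. The efivarfs path uses the standard EFI image security database GUID (d719b2cb-3d3a-4596-a3bc-dad00e67656f); the sbkeysync invocation and the keystore directory passed to it are illustrative assumptions, and the helper names (snapshot_var, var_digest, var_grew, apply_and_check) are ours.

```shell
#!/bin/sh
# Added example: verify a DBX update against the variable store itself rather
# than trusting sbkeysync's exit code (which can be 0 on failure, see above).
# Assumptions: efivarfs is mounted at the usual path, the script runs as root,
# and sbkeysync is pointed at a keystore directory holding the new dbx update.

DBX_EFIVAR=/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f

# snapshot_var SRC DST: copy the efivar (4-byte attribute header followed by
# the EFI_SIGNATURE_LIST data) so it can be compared later. A missing variable
# (no dbx at all yet) is recorded as an empty file.
snapshot_var() {
  if [ -r "$1" ]; then cp "$1" "$2"; else : > "$2"; fi
}

# var_digest FILE: sha256 of a snapshot, or "missing" if it cannot be read.
var_digest() {
  if [ -r "$1" ]; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    echo missing
  fi
}

# var_grew BEFORE AFTER: succeed only if AFTER is strictly larger than BEFORE.
# DBX updates append signature lists to the variable; an unchanged size means
# the write never reached NV storage (for instance because the store is full).
var_grew() {
  before_size=$(wc -c < "$1")
  after_size=$(wc -c < "$2")
  [ "$after_size" -gt "$before_size" ]
}

# apply_and_check KEYSTORE: run sbkeysync, then report success only if the dbx
# variable changed. The exit status of sbkeysync itself is deliberately ignored.
apply_and_check() {
  tmp=$(mktemp -d) || return 1
  snapshot_var "$DBX_EFIVAR" "$tmp/before"
  sbkeysync --verbose --keystore "$1" || true   # assumed invocation; rc not trusted
  snapshot_var "$DBX_EFIVAR" "$tmp/after"
  if var_grew "$tmp/before" "$tmp/after"; then
    echo "dbx updated: $(var_digest "$tmp/before") -> $(var_digest "$tmp/after")"
    rc=0
  else
    echo "dbx unchanged after sbkeysync; update did not apply (variable store full?)" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage (as root, on a Secure Boot system with efivarfs mounted):
#   apply_and_check /usr/share/secureboot/updates   # path is an assumption
```

The size comparison is deliberately coarse: it only proves that something was written to dbx, not that every hash in the update file is present, so on a system that has already absorbed part of an update the digest printed on success should be compared against a known-good dbx. It also covers only dbx; PK, KEK and db writes would need the same before/after treatment.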