** Description changed:

  [Impact]
  sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.

  An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).

  [Test Case]
- Boot a secureboot VM, e.g.:
- cloud-localds seed.img user-data.yaml
- virt-install --name test \
- --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
- --import \
- --disk path=focal-server-cloudimg-amd64.img \
- --disk path=seed.img \
- --ram 1024 --feature smm=on --vcpus 1 --os-type linux \
- --os-variant ubuntu18.04 --graphics none \
- --console pty,target_type=serial --network network:default
+ 
+ Boot a secureboot VM w/ 2MB flash, e.g.:
+ $ cat > user-data.yaml << EOF
+ #cloud-config
+ password: ubuntu
+ chpasswd: { expire: False }
+ ssh_pwauth: True
+ EOF
+ 
+ $ cloud-localds seed.img user-data.yaml
+ $ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
+ $ virt-install --name test --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash --import --disk path=test.img --disk path=test-seed.img --ram 4096 --vcpus 4 --os-type linux --os-variant ubuntu18.04 --graphics none --console pty,target_type=serial --network network:default --feature smm=on
+ 
+ Then, from within the guest:
+ $ wget https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin
+ $ sudo cp dbxupdate_x64.bin /usr/share/secureboot/updates/dbx
+ $ sudo service secureboot-db stop
+ $ sudo service secureboot-db start
+ $ sudo systemctl status secureboot-db.service
+ <...>
+ /usr/share/secureboot/updates --verbose (code=exited, status=0/SUCCESS)
+ Main PID: 2271 (code=exited, status=0/SUCCESS)
+ 
+ Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
+ <...>

  [Fix]
  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826

- [Whatever we renamed Regression Risk to..]
- TBD
+ [Regression Potential]
+ It's possible that causing a command to fail that previously did not will lead to other issues. For example, if someone has a 'set -e' shell script that restarts the secureboot-db service, and then does other things, those other things would no longer happen after the secureboot-db service restart begins to fail.
** Also affects: sbsigntool (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: sbsigntool (Ubuntu Groovy)
   Importance: Undecided
       Status: Fix Released

** Also affects: sbsigntool (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: sbsigntool (Ubuntu Focal)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892797

Title:
  sbkeysync fails to return non-zero on error

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1892797/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
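The bug description above shows sbkeysync logging "Error syncing keystore file" while the service still reports status=0/SUCCESS, and the regression note points out that a 'set -e' caller would never see the failure. The wrapper below is an added example, not code from the bug report or from sbsigntools: it runs sbkeysync, keeps the verbose output, and treats that error message as a failure in addition to the real exit status, so a script or a monitoring job notices a DBX update that did not apply even on an unfixed sbkeysync. The keystore path and the error string are taken from the report; the `--keystore` and `--verbose` options are assumed to match the installed sbkeysync, and the sample log lines in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or sbsigntools): detect a failed
# keystore sync even when sbkeysync itself exits 0.

# Return 1 if a captured sbkeysync log contains the keystore sync error
# message quoted in the bug report, else 0.
# $1: path to a file holding sbkeysync's combined stdout/stderr.
sbkeysync_log_failed() {
    if grep -q 'Error syncing keystore file' "$1"; then
        return 1   # error line present: the update did not apply
    fi
    return 0
}

# Run sbkeysync against a keystore directory (default: the directory the
# secureboot-db service in the report points at), echo its output, and fail
# if either the real exit status or the log indicates an error.
# Assumption: sbkeysync accepts --keystore <dir> and --verbose.
run_sbkeysync_checked() {
    keystore="${1:-/usr/share/secureboot/updates}"
    log=$(mktemp) || return 1
    sbkeysync --keystore "$keystore" --verbose >"$log" 2>&1
    rc=$?
    cat "$log"
    if [ "$rc" -eq 0 ]; then
        # Exit status says OK; double-check the log for the silent failure.
        sbkeysync_log_failed "$log"
        rc=$?
    fi
    rm -f "$log"
    return "$rc"
}

# Demonstration against a constructed log. The journal line is modelled on
# the one in the bug report; it was not captured from a real system.
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
EOF
if sbkeysync_log_failed "$demo_log"; then
    echo "demo: keystore sync reported OK"
else
    echo "demo: keystore sync failed even though sbkeysync would exit 0"
fi
rm -f "$demo_log"
```

In a service or cron context you would call `run_sbkeysync_checked` instead of sbkeysync directly; under `set -e` the script then stops at the failed sync, which is the behaviour the upstream fix restores for sbkeysync itself.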