** Description changed:

  [Impact]
  sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
  
  An example of when this can happen - and where I noticed it - is if you
  have a system w/ limited variable store space and you try to import a
  new DBX update file. This is the case today if you pull in the latest
  DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since
  added 4M images - see bug 1885662).
  
  [Test Case]
- Boot a secureboot VM, e.g.:
- cloud-localds seed.img user-data.yaml
- virt-install --name test \
-  --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
-  --import \
-  --disk path=focal-server-cloudimg-amd64.img \
-  --disk path=seed.img \
-  --ram 1024 --feature smm=on --vcpus 1 --os-type linux \
-  --os-variant ubuntu18.04 --graphics none \
-  --console pty,target_type=serial --network network:default
+ 
+ Boot a secureboot VM w/ 2MB flash, e.g.:
+ $ cat > user-data.yaml << EOF
+ #cloud-config
+ password: ubuntu
+ chpasswd: { expire: False }
+ ssh_pwauth: True
+ EOF
+ 
+ $ cloud-localds seed.img user-data.yaml
+ $ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
+ $ virt-install --name test --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash --import --disk path=test.img --disk path=test-seed.img --ram 4096 --vcpus 4 --os-type linux --os-variant ubuntu18.04 --graphics none --console pty,target_type=serial --network network:default --feature smm=on
+ 
+ Then, from within the guest:
+ $ wget https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin
+ $ sudo cp dbxupdate_x64.bin /usr/share/secureboot/updates/dbx
+ $ sudo service secureboot-db stop
+ $ sudo service secureboot-db start
+ $ sudo systemctl status secureboot-db.service
+ <...>
+  /usr/share/secureboot/updates --verbose (code=exited, status=0/SUCCESS)
+    Main PID: 2271 (code=exited, status=0/SUCCESS)
+ 
+ Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
+ <...>
  
  [Fix]
  
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826
  
- [Whatever we renamed Regression Risk to..]
- TBD
+ [Regression Potential]
+ It's possible that causing a command to fail that previously did not will lead to other issues. For example, if someone has a 'set -e' shell script that restarts the secureboot-db service, and then does other things, those other things would no longer happen after the secureboot-db service restart begins to fail.
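Because an affected sbkeysync can exit 0 right after logging "Error syncing keystore file", the status=0/SUCCESS line above is not evidence that the DBX update was applied. The following is an added example, not part of this bug report or of sbsigntools, that checks the outcome directly: it parses the EFI_SIGNATURE_LIST entries in the update file and in the live dbx variable and reports which SHA-256 hashes never landed. The sample blobs are constructed (the update carries no real PKCS#7 signature); on a real system pass the contents of dbxupdate_x64.bin and of the efivars dbx file instead.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID, the SignatureType used for SHA-256 hash entries in dbx
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_LIST_HDR = 28  # SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize

def strip_auth2_header(blob: bytes) -> bytes:
    """Skip the EFI_VARIABLE_AUTHENTICATION_2 wrapper of an update file:
    a 16-byte EFI_TIME, then a WIN_CERTIFICATE_UEFI_GUID whose dwLength covers itself."""
    (dw_length,) = struct.unpack_from("<I", blob, 16)
    return blob[16 + dw_length:]

def parse_signature_lists(blob: bytes):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every entry in a run of EFI_SIGNATURE_LISTs."""
    off = 0
    while off + SIG_LIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIG_LIST_HDR + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST at offset %d" % off)
        entry, end = off + SIG_LIST_HDR + hdr_size, off + list_size
        while entry + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[entry:entry + 16])
            yield sig_type, owner, blob[entry + 16:entry + sig_size]
            entry += sig_size
        off = end

def sha256_hashes(blob: bytes) -> set:
    """All SHA-256 hash payloads present in the signature lists."""
    return {data for sig_type, _, data in parse_signature_lists(blob) if sig_type == EFI_CERT_SHA256_GUID}

def missing_from_dbx(update_blob: bytes, efivar_blob: bytes) -> set:
    """Hashes the update carries that the live dbx lacks. efivar_blob is the content of
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f, whose first
    4 bytes are the variable attributes, not signature data."""
    return sha256_hashes(strip_auth2_header(update_blob)) - sha256_hashes(efivar_blob[4:])

def build_sha256_list(hashes) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (48 bytes each: owner GUID + hash)."""
    body = b"".join(uuid.UUID(int=0).bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", SIG_LIST_HDR + len(body), 0, 48) + body

# Constructed sample data: two fake hashes; the "update" has a zero-length CertData
# (a real dbxupdate_x64.bin carries a PKCS#7 signature there), the "dbx" holds only H1.
H1, H2 = bytes(range(32)), bytes([0xAA]) * 32
CONSTRUCTED_UPDATE = bytes(16) + struct.pack("<IHH", 24, 0x0200, 0x0EF1) + bytes(16) + build_sha256_list([H1, H2])
CONSTRUCTED_EFIVAR = b"\x27\x00\x00\x00" + build_sha256_list([H1])
```

A non-empty result from missing_from_dbx after the service reports success is the condition this bug hides; the loop also handles the several concatenated lists a real dbx variable accumulates over multiple updates.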

** Also affects: sbsigntool (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: sbsigntool (Ubuntu Groovy)
   Importance: Undecided
       Status: Fix Released

** Also affects: sbsigntool (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: sbsigntool (Ubuntu Focal)
       Status: New => In Progress

-- 
https://bugs.launchpad.net/bugs/1892797

Title:
  sbkeysync fails to return non-zero on error

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs