[Bug 1776996] Re: secureboot-db out of date, missing revocations from Aug 2016
Steve Langasek
steve.langasek at canonical.com
Thu Jun 14 22:00:58 UTC 2018
Error in testing:
New keys in filesystem:
/tmp/keys/dbx/dbxupdate.bin
Inserting key update /tmp/keys/dbx/dbxupdate.bin into dbx
Can't create key file /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f: Operation not permitted
Error syncing keystore file /tmp/keys/dbx/dbxupdate.bin
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1776996
Title:
secureboot-db out of date, missing revocations from Aug 2016
Status in secureboot-db package in Ubuntu:
Triaged
Bug description:
A signed variable update for secureboot dbx has been published by
Microsoft to uefi.org; last updated 2016-08-11:
http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
This file has not been included in the secureboot-db package in
Ubuntu; so users who only boot Ubuntu and not Windows will not have
these revocations applied, meaning their firmware will trust (and
possibly be exploitable by) whatever binaries these revoked hashes
correspond to.
Separately, I seem in testing to be unable to apply this signed
database update to my system using sbkeysync, despite having the
Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work;
we may need to either fix it, or switch to other code that does work,
such as the dbxtool in Fedora.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+subscriptions
More information about the foundations-bugs
mailing list