[Bug 1776996] Re: secureboot-db out of date, missing revocations from Aug 2016
Launchpad Bug Tracker
1776996 at bugs.launchpad.net
Fri Sep 7 07:24:45 UTC 2018
This bug was fixed in the package secureboot-db - 1.2
---------------
secureboot-db (1.2) cosmic; urgency=medium
* Apply the August 2016 dbx updates from Microsoft. LP: #1776996.
* chattr -i the EFI variables before trying to call sbkeysync, since the
kernel now has these files immutable by default.
-- Steve Langasek <steve.langasek at ubuntu.com> Thu, 06 Sep 2018
23:35:21 -0700
** Changed in: secureboot-db (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1776996
Title:
secureboot-db out of date, missing revocations from Aug 2016
Status in secureboot-db package in Ubuntu:
Fix Released
Bug description:
A signed variable update for secureboot dbx has been published by
Microsoft to uefi.org; last updated 2016-08-11:
http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
This file has not been included in the secureboot-db package in
Ubuntu; so users who only boot Ubuntu and not Windows will not have
these revocations applied, meaning their firmware will trust (and
possibly be exploitable by) whatever binaries these revoked hashes
correspond to.
Separately, I seem in testing to be unable to apply this signed
database update to my system using sbkeysync, despite having the
Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work;
we may need to either fix it, or switch to other code that does work,
such as the dbxtool in Fedora.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+subscriptions
More information about the foundations-bugs
mailing list