[Bug 1791370] Re: update database on each boot, not just on package install

Launchpad Bug Tracker 1791370 at bugs.launchpad.net
Mon Jul 8 16:29:45 UTC 2019


This bug was fixed in the package secureboot-db - 1.5

---------------
secureboot-db (1.5) eoan; urgency=medium

  * Add secureboot-db.service to apply updates at boot (LP: #1791370)
  * Delete postinst script, as systemd service is started postinst by dh

 -- Julian Andres Klode <juliank at ubuntu.com>  Mon, 08 Jul 2019 17:36:02 +0200

** Changed in: secureboot-db (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1791370

Title:
  update database on each boot, not just on package install

Status in secureboot-db package in Ubuntu:
  Fix Released

Bug description:
  Currently the secureboot databases are only updated at the time the
  secureboot-db package is installed or upgraded, but this may not be
  the point in time that the firmware needs to be updated.

  - New OS install: the secureboot-db package was installed during the image mastering, not when Ubuntu is written to the target disk.
  - Package installed while the system is booted in BIOS mode, later switched to UEFI mode
  - Hard drive moved to a new computer which doesn't yet have the updates

  We should ship a systemd unit to re-apply these revocations as
  necessary on each boot.

  The unit should be
  ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f

  (don't use dbx for the condition, since if dbx is empty this variable
  may be absent.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1791370/+subscriptions
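The gating described in the bug description, as an added example that is not part of the original report or of the secureboot-db package: it evaluates the db-based condition against constructed efivars directories for a BIOS boot, a UEFI boot with an empty dbx, and a UEFI boot with a populated dbx. The function names, the temporary directories and the zeroed signature-type GUID are assumptions made for illustration.

```python
import struct
import tempfile
from pathlib import Path

GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # suffix quoted in the bug description


def count_signatures(blob):
    """Count entries in an efivarfs file: 4-byte attributes, then EFI_SIGNATURE_LISTs."""
    pos, total = 4, 0
    while pos + 28 <= len(blob):
        # After the 16-byte SignatureType GUID: list, header and per-entry sizes.
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        if sig_size == 0 or list_size < 28 + header_size or pos + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        total += (list_size - 28 - header_size) // sig_size
        pos += list_size
    return total


def boot_check(efivars):
    """Return (unit_would_run, dbx_entries) for one efivars directory."""
    db, dbx = (Path(efivars, f"{name}-{GUID}") for name in ("db", "dbx"))
    if not db.exists():       # BIOS boot or no db variable: condition not met
        return False, 0
    if not dbx.exists():      # empty dbx, variable absent: the unit must still run
        return True, 0
    return True, count_signatures(dbx.read_bytes())


def make_var(n_hashes):
    """Constructed sample: one list of n 48-byte entries (owner GUID + 32-byte hash)."""
    body = b"".join(bytes(16) + bytes([i]) * 32 for i in range(n_hashes))
    # 0x27 = NV | BS | RT | time-based authenticated write; type GUID is a zero placeholder.
    return struct.pack("<I", 0x27) + bytes(16) + struct.pack("<III", 28 + len(body), 0, 48) + body


def demo():
    """Run the check for: BIOS boot, UEFI with empty dbx, UEFI with 3 dbx entries."""
    results = []
    for has_db, dbx_hashes in [(False, None), (True, None), (True, 3)]:
        with tempfile.TemporaryDirectory() as d:
            if has_db:
                Path(d, f"db-{GUID}").write_bytes(make_var(1))
            if dbx_hashes is not None:
                Path(d, f"dbx-{GUID}").write_bytes(make_var(dbx_hashes))
            results.append(boot_check(d))
    return results


if __name__ == "__main__":
    print(demo())
```

A condition keyed on the dbx file instead would skip the second case, which is the machine that most needs the revocations applied.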


