[Bug 1791370] Re: update database on each boot, not just on package install
Julian Andres Klode
julian.klode at canonical.com
Mon Jul 15 13:23:11 UTC 2019
** Also affects: secureboot-db (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: secureboot-db (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: secureboot-db (Ubuntu Eoan)
Importance: Low
Status: Fix Released
** Also affects: secureboot-db (Ubuntu Disco)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1791370
Title:
update database on each boot, not just on package install
Status in secureboot-db package in Ubuntu:
Fix Released
Status in secureboot-db source package in Xenial:
New
Status in secureboot-db source package in Bionic:
New
Status in secureboot-db source package in Disco:
New
Status in secureboot-db source package in Eoan:
Fix Released
Bug description:
Currently the secureboot databases are only updated at the time the
secureboot-db package is installed or upgraded, but this may not be
the point in time that the firmware needs to be updated.
- New OS install: the secureboot-db package was installed during the image mastering, not when Ubuntu is written to the target disk.
- Package installed while the system is booted in BIOS mode, later switched to UEFI mode.
- Hard drive moved to a new computer which doesn't yet have the updates.
We should ship a systemd unit to re-apply these revocations as
necessary on each boot.
The unit should be
ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
(don't use dbx for the condition, since if dbx is empty this variable
may be absent.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1791370/+subscriptions
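Added example, not code from secureboot-db or from the bug reporter: a Python sketch of the check a per-boot unit of the kind described above would make before re-applying revocations. It parses EFI_SIGNATURE_LIST data as efivarfs returns it and treats an absent dbx (the case the report warns about) as "every shipped revocation still pending". The dbx path, the update being supplied as plain signature lists rather than an authenticated-variable payload, and the sample hashes are assumptions.

```python
import struct
import uuid

# GUID identifying SHA-256 hash entries (EFI_CERT_SHA256_GUID), the usual form of dbx revocations.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs exposes variables as <name>-<vendor GUID>; as the report notes, dbx can be absent when empty.
DBX_VAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def read_efivar(path):
    """Variable data minus the 4-byte attribute word efivarfs prepends; None if the variable is absent."""
    try:
        with open(path, "rb") as f:
            return f.read()[4:]
    except FileNotFoundError:
        return None

def parse_signature_lists(blob):
    """Yield (type GUID, owner GUID, data) for every entry in a run of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = blob[off + 28 + hdr_size:off + list_size]
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size < 16 or len(body) % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size

def pending_revocations(firmware_dbx, update_lists):
    """SHA-256 hashes in the update that firmware dbx lacks; an absent (None) dbx leaves all of them pending."""
    present = set()
    if firmware_dbx is not None:
        present = {d for t, _, d in parse_signature_lists(firmware_dbx) if t == EFI_CERT_SHA256_GUID}
    return [d for t, _, d in parse_signature_lists(update_lists)
            if t == EFI_CERT_SHA256_GUID and d not in present]

def build_sha256_list(hashes, owner=uuid.UUID(int=0)):
    """Encode hashes as one EFI_SIGNATURE_LIST: header size 0, each entry = owner GUID + 32-byte hash (48 bytes)."""
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed sample data, not real revocations: firmware already holds H1, the update carries H1 and H2.
H1, H2 = bytes([0x11]) * 32, bytes([0x22]) * 32
SAMPLE_FIRMWARE_DBX = build_sha256_list([H1])   # same shape as read_efivar(DBX_VAR) on a live system
SAMPLE_UPDATE = build_sha256_list([H1, H2])
```

On a live system the unit's body would call `pending_revocations(read_efivar(DBX_VAR), update)` and only write the variable when the list is non-empty, which is what makes running it on every boot safe.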