[Bug 1892797] [NEW] sbkeysync fails to return non-zero on error
dann frazier
1892797 at bugs.launchpad.net
Tue Aug 25 00:31:11 UTC 2020
Public bug reported:
[Impact]
sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
An example of when this can happen - and where I noticed it - is if you
have a system w/ limited variable store space and you try to import a
new DBX update file. This is the case today if you pull in the latest
DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since
added 4M images - see bug 1885662).
[Test Case]
Boot a secureboot VM, e.g.:
cloud-localds seed.img user-data.yaml
virt-install --name test \
--boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
--import \
--disk path=focal-server-cloudimg-amd64.img \
--disk path=seed.img \
--ram 1024 --feature smm=on --vcpus 1 --os-type linux \
--os-variant ubuntu18.04 --graphics none \
--console pty,target_type=serial --network network:default
[Fix]
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826
[Whatever we renamed Regression Risk to..]
TBD
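A practitioner who cannot yet rely on sbkeysync's exit status can verify the outcome directly: read the dbx variable back from efivarfs and confirm that every hash the update was supposed to add is actually listed. The script below is an added example written for this page; it is not part of the bug report or of sbsigntools. It parses the EFI_SIGNATURE_LIST structures that make up dbx (as defined in the UEFI specification) and reports the expected SHA-256 entries that are missing. The efivarfs path, the 4-byte attribute prefix and the sample hashes are assumptions of the example; the sample variable contents are constructed.

```python
"""
Check whether a DBX update actually landed, rather than trusting an exit code.
Added example, not code from the bug report or from sbsigntools.
"""
import struct
import sys
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): each entry is a 16-byte owner GUID
# followed by a 32-byte SHA-256 digest.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# efivarfs prepends the variable attributes (4 bytes) to the raw data.
EFIVARS_ATTR_LEN = 4
# Assumed efivarfs path for dbx (EFI_IMAGE_SECURITY_DATABASE_GUID).
DBX_EFIVAR_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(data):
    """Yield (signature_type, owner_guid, signature_data) for every entry in
    every EFI_SIGNATURE_LIST found in `data`, validating the size fields."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %d at %d" % (list_size, off))
        body = off + 28 + hdr_size
        end = off + list_size
        if sig_size < 16 or (end - body) % sig_size:
            raise ValueError("bad SignatureSize %d at %d" % (sig_size, off))
        for pos in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
        off = end


def dbx_sha256_hashes(efivar_bytes):
    """Return the set of SHA-256 digests (lowercase hex) in a dbx variable as
    read from efivarfs, i.e. with the attribute prefix still in front."""
    data = efivar_bytes[EFIVARS_ATTR_LEN:]
    return {sig.hex() for sig_type, _, sig in parse_signature_lists(data)
            if sig_type == EFI_CERT_SHA256_GUID}


def missing_hashes(efivar_bytes, expected_hex):
    """Hashes the update should have added that are NOT present in dbx."""
    present = dbx_sha256_hashes(efivar_bytes)
    return sorted(h.lower() for h in expected_hex if h.lower() not in present)


def build_sha256_list(hashes_hex, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (for constructed test data)."""
    sig_size = 16 + 32
    entries = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes_hex)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(entries), 0, sig_size)
    return header + entries


# Constructed sample: dbx holds two hashes, the update was meant to add three,
# so one is missing (the silent-failure case from the report).
SAMPLE_HASHES = ["11" * 32, "22" * 32]
UPDATE_HASHES = ["11" * 32, "22" * 32, "33" * 32]
# 0x27 = NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS attributes.
SAMPLE_DBX = struct.pack("<I", 0x27) + build_sha256_list(SAMPLE_HASHES)


if __name__ == "__main__":
    # Real use: python3 check_dbx.py <hash1> <hash2> ...  (reads DBX_EFIVAR_PATH)
    if len(sys.argv) > 1:
        with open(DBX_EFIVAR_PATH, "rb") as f:
            missing = missing_hashes(f.read(), sys.argv[1:])
    else:
        missing = missing_hashes(SAMPLE_DBX, UPDATE_HASHES)
    if missing:
        print("DBX update incomplete; missing entries:", *missing)
        sys.exit(1)
    print("all expected DBX hashes present")
```

Run without arguments it exercises the constructed sample and exits non-zero because one hash is absent; run with the hashes carried by the update file it checks the live variable. The size checks matter on a system with a small NV store, where a partially written or truncated list is exactly the failure mode the report describes, and a parse error there should be treated as a failed update, not ignored.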
** Affects: sbsigntool (Ubuntu)
Importance: Undecided
Status: New
** Affects: sbsigntool (Debian)
Importance: Unknown
Status: Unknown
** Bug watch added: Debian Bug tracker #968974
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968974
** Also affects: sbsigntool (Debian) via
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968974
Importance: Unknown
Status: Unknown
https://bugs.launchpad.net/bugs/1892797