[Bug 1892797] Re: sbkeysync fails to return non-zero on error

Launchpad Bug Tracker 1892797 at bugs.launchpad.net
Tue Aug 25 04:58:37 UTC 2020


This bug was fixed in the package sbsigntool - 0.9.2-2ubuntu3

---------------
sbsigntool (0.9.2-2ubuntu3) groovy; urgency=medium

  * sbkeysync: exit non-zero upon key insertion failure. (LP: #1892797)

 -- dann frazier <dannf at ubuntu.com>  Mon, 24 Aug 2020 18:35:41 -0600

** Changed in: sbsigntool (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1892797

Title:
  sbkeysync fails to return non-zero on error

Status in sbsigntool package in Ubuntu:
  Fix Released
Status in sbsigntool package in Debian:
  Unknown

Bug description:
  [Impact]
  sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.

  An example of when this can happen - and where I noticed it - is if
  you have a system w/ limited variable store space and you try to
  import a new DBX update file. This is the case today if you pull in
  the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store
  (we've since added 4M images - see bug 1885662).

  [Test Case]
  Boot a secureboot VM, e.g.:
  # NoCloud seed image from a cloud-init user-data file
  cloud-localds seed.img user-data.yaml
  # OVMF_CODE.secboot.fd is built to require SMM, hence --feature smm=on
  virt-install --name test \
   --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
   --import \
   --disk path=focal-server-cloudimg-amd64.img \
   --disk path=seed.img \
   --ram 1024 --feature smm=on --vcpus 1 --os-type linux \
   --os-variant ubuntu18.04 --graphics none \
   --console pty,target_type=serial --network network:default

  [Fix]
  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826

  [Whatever we renamed Regression Risk to..]
  TBD

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1892797/+subscriptions
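The impact described above is that a zero exit status from sbkeysync (before 0.9.2-2ubuntu3) does not prove the dbx update landed. The check below is an added example written for this page, not code from sbsigntool or from the bug report: it walks two EFI_SIGNATURE_LIST blobs, the dbx update file that was fed to sbkeysync and the live dbx variable, and counts update entries that the firmware did not store. It assumes the standard EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout and SHA-256 entries (EFI_CERT_SHA256_GUID); on a real system the live blob would be read from /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f with its 4-byte attribute prefix stripped, which this example does not do. The hashes in the sample are constructed placeholders, not real boothole entries, and the demo_* functions and buffer sizes are this example's own.

```c
/* Added example (not sbsigntool code): verify that every entry in a dbx
 * update is present in the live dbx instead of trusting sbkeysync's exit
 * status. Sample data below is constructed, not a real dbx. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUID_LEN    16
#define SHA256_LEN  32
#define ESL_HDR_LEN 28  /* SignatureType GUID + ListSize + HeaderSize + SignatureSize */

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, on-disk byte order */
static const uint8_t EFI_CERT_SHA256_GUID[GUID_LEN] = {
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9, 0x41,0xf9,0x36,0x93,0x43,0x28 };

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

typedef int (*sig_cb)(const uint8_t *type, const uint8_t *data, uint32_t size, void *ctx);

/* Walk every EFI_SIGNATURE_DATA in a chain of EFI_SIGNATURE_LISTs.
 * Returns 0 on success, -1 if the blob is malformed or the callback fails. */
static int esl_walk(const uint8_t *buf, size_t len, sig_cb cb, void *ctx) {
    size_t off = 0;
    while (off < len) {
        if (len - off < ESL_HDR_LEN) return -1;
        const uint8_t *type = buf + off;
        uint32_t list_size = le32(buf + off + 16);
        uint32_t hdr_size  = le32(buf + off + 20);
        uint32_t sig_size  = le32(buf + off + 24);
        if (list_size < ESL_HDR_LEN || list_size > len - off) return -1;
        if (hdr_size > list_size - ESL_HDR_LEN || sig_size <= GUID_LEN) return -1;
        size_t body = list_size - ESL_HDR_LEN - hdr_size;
        if (body % sig_size) return -1;
        const uint8_t *p = buf + off + ESL_HDR_LEN + hdr_size;
        for (size_t i = 0; i < body / sig_size; i++, p += sig_size)
            if (cb(type, p + GUID_LEN, sig_size - GUID_LEN, ctx)) return -1; /* skip SignatureOwner */
        off += list_size;
    }
    return 0;
}

struct needle { const uint8_t *type, *data; uint32_t size; int found; };
static int match_cb(const uint8_t *type, const uint8_t *data, uint32_t size, void *ctx) {
    struct needle *n = ctx;
    if (size == n->size && !memcmp(type, n->type, GUID_LEN) && !memcmp(data, n->data, size))
        n->found = 1;
    return 0;
}

struct verify { const uint8_t *live; size_t live_len; int missing; };
static int verify_cb(const uint8_t *type, const uint8_t *data, uint32_t size, void *ctx) {
    struct verify *v = ctx;
    struct needle n = { type, data, size, 0 };
    if (esl_walk(v->live, v->live_len, match_cb, &n)) return -1;  /* live blob malformed */
    if (!n.found) v->missing++;
    return 0;
}

/* Number of update entries absent from the live variable; -1 if either blob is malformed. */
int dbx_missing_entries(const uint8_t *update, size_t update_len,
                        const uint8_t *live, size_t live_len) {
    struct verify v = { live, live_len, 0 };
    return esl_walk(update, update_len, verify_cb, &v) ? -1 : v.missing;
}

/* ---- constructed sample data (placeholder hashes, zero SignatureOwner GUID) ---- */
static size_t build_sha256_esl(uint8_t *out, const uint8_t *hashes, size_t n) {
    uint32_t sig_size = GUID_LEN + SHA256_LEN;              /* EFI_SIGNATURE_DATA for SHA-256 = 48 */
    uint32_t list_size = ESL_HDR_LEN + (uint32_t)(n * sig_size);
    memcpy(out, EFI_CERT_SHA256_GUID, GUID_LEN);
    put32(out + 16, list_size); put32(out + 20, 0); put32(out + 24, sig_size);
    uint8_t *p = out + ESL_HDR_LEN;
    for (size_t i = 0; i < n; i++, p += sig_size) {
        memset(p, 0, GUID_LEN);
        memcpy(p + GUID_LEN, hashes + i * SHA256_LEN, SHA256_LEN);
    }
    return list_size;
}
static void sample_hashes(uint8_t h[3][SHA256_LEN]) {
    memset(h[0], 0x11, SHA256_LEN); memset(h[1], 0x22, SHA256_LEN); memset(h[2], 0x33, SHA256_LEN);
}

/* Update carries 3 hashes but the firmware ran out of NV space after 2: 1 missing. */
int demo_partial_update(void) {
    uint8_t h[3][SHA256_LEN], update[256], live[256];
    sample_hashes(h);
    size_t ul = build_sha256_esl(update, h[0], 3), ll = build_sha256_esl(live, h[0], 2);
    return dbx_missing_entries(update, ul, live, ll);
}
/* Everything landed: 0 missing. */
int demo_full_update(void) {
    uint8_t h[3][SHA256_LEN], update[256], live[256];
    sample_hashes(h);
    size_t ul = build_sha256_esl(update, h[0], 3), ll = build_sha256_esl(live, h[0], 3);
    return dbx_missing_entries(update, ul, live, ll);
}
/* A short read of the live variable is reported as -1, never as "all present". */
int demo_truncated_live(void) {
    uint8_t h[3][SHA256_LEN], update[256], live[256];
    sample_hashes(h);
    size_t ul = build_sha256_esl(update, h[0], 3), ll = build_sha256_esl(live, h[0], 3);
    return dbx_missing_entries(update, ul, live, ll - 1);
}

int main(void) {
    printf("partial update: %d missing\n", demo_partial_update());
    printf("full update:    %d missing\n", demo_full_update());
    printf("truncated live: %d\n", demo_truncated_live());
    return 0;
}
```

A non-zero (or negative) result from dbx_missing_entries is the signal the pre-fix sbkeysync withheld: the service ran, exited 0, and the machine is still not protected against the blocked bootloaders. Run it as a post-step of the secureboot-db unit, or simply after any manual sbkeysync invocation, on firmware with a small variable store.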
