[Bug 1840845] Re: secureboot-db.service should not run in a container

Seth Arnold 1840845 at bugs.launchpad.net
Thu Jul 30 04:32:40 UTC 2020


This should also not run in a live environment, such as the installer,
rescue media, etc.

Thanks

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1840845

Title:
  secureboot-db.service should not run in a container

Status in secureboot-db package in Ubuntu:
  New

Bug description:
  1) # lsb_release -rd
  Description:	Ubuntu Eoan Ermine (development branch)
  Release:	19.10

  2) root at e1:~# apt-cache policy secureboot-db 
  secureboot-db:
    Installed: 1.5
    Candidate: 1.5
    Version table:
   *** 1.5 500
          500 http://archive.ubuntu.com/ubuntu eoan/main amd64 Packages
          100 /var/lib/dpkg/status

  3) secureboot-db.service does not run inside a LXD container

  # systemctl status secureboot-db.service
  ● secureboot-db.service - Secure Boot updates for DB and DBX
     Loaded: loaded (/lib/systemd/system/secureboot-db.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Tue 2019-08-20 20:51:09 UTC; 9s ago
             └─ ConditionVirtualization=!container was not met

  Aug 20 20:42:06 e1 systemd[1]: Started Secure Boot updates for DB and DBX.
  Aug 20 20:51:09 e1 systemd[1]: Condition check resulted in Secure Boot updates for DB and DBX being skipped.

  4) secureboot-db.service starts and fetches keys but cannot write to
  /sys

  # journalctl -o short-precise -b -u secureboot-db.service | egrep "(Error|Cant|chattr)" 
  Aug 20 20:04:18.947034 e1 chattr[285]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
  Aug 20 20:04:19.057942 e1 chattr[302]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:04:19.083525 e1 chattr[304]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:04:19.123167 e1 sbkeysync[315]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
  Aug 20 20:26:27.716688 e1 chattr[207]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
  Aug 20 20:26:27.817164 e1 chattr[224]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:26:27.855895 e1 chattr[239]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:26:27.893937 e1 sbkeysync[248]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
  Aug 20 20:38:10.105456 e1 chattr[235]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
  Aug 20 20:38:10.111700 e1 chattr[245]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:38:10.140787 e1 chattr[250]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:38:10.188091 e1 sbkeysync[262]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
  Aug 20 20:42:05.935136 e1 chattr[232]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
  Aug 20 20:42:06.015810 e1 chattr[241]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:42:06.076527 e1 chattr[258]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  Aug 20 20:42:06.116561 e1 sbkeysync[266]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin

  This can be fixed by adding another condition to the unit.

  # /etc/systemd/system/secureboot-db.service.d/override.conf
  [Unit]
  ConditionVirtualization=!container

  ProblemType: Bug
  DistroRelease: Ubuntu 19.10
  Package: secureboot-db 1.5
  ProcVersionSignature: Ubuntu 4.15.0-58.64~16.04.1-generic 4.15.18
  Uname: Linux 4.15.0-58-generic x86_64
  ApportVersion: 2.20.11-0ubuntu7
  Architecture: amd64
  Date: Tue Aug 20 20:48:32 2019
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   LANG=C.UTF-8
  SourcePackage: secureboot-db
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1840845/+subscriptions
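An added example, not part of the bug report or of the secureboot-db package: a Python script that scans journal lines of the shape quoted in the description for the chattr and sbkeysync failures, and checks whether a unit or drop-in carries ConditionVirtualization=!container, honouring systemd's rule that an empty assignment resets the condition list. The journal sample, the unit texts and the function names are constructed for this example.

```python
import re

# Constructed sample in the shape of the journal lines quoted in the report (same message formats).
SAMPLE_JOURNAL = """\
Aug 20 20:04:18.947034 e1 chattr[285]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:04:19.057942 e1 chattr[302]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:04:19.123167 e1 sbkeysync[315]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
"""
# The drop-in proposed in the report, and a constructed unit that lacks the condition.
DROPIN_WITH_CONDITION = "[Unit]\nConditionVirtualization=!container\n"
UNIT_WITHOUT_CONDITION = "[Unit]\nDescription=Secure Boot updates for DB and DBX\n\n[Service]\nType=oneshot\n"

# chattr names the efivar it could not read; sbkeysync names the keystore file it could not apply.
CHATTR_RE = re.compile(r"chattr\[\d+\]: .*Permission denied while reading flags on /sys/firmware/efi/efivars/([A-Za-z]+)-")
SBKEYSYNC_RE = re.compile(r"sbkeysync\[\d+\]: Error syncing keystore file (\S+)")

def scan_journal(text):
    """Return (efivars chattr failed on, keystore files sbkeysync failed on), in journal order."""
    efivars, keystores = [], []
    for line in text.splitlines():
        m = CHATTR_RE.search(line)
        if m:
            efivars.append(m.group(1))  # KEK, db or dbx
            continue
        m = SBKEYSYNC_RE.search(line)
        if m:
            keystores.append(m.group(1))
    return efivars, keystores

def condition_values(unit_text, key="ConditionVirtualization"):
    """Values assigned to `key` in the [Unit] section; an empty assignment resets the list, as systemd does."""
    section, values = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Unit" and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                values = [] if v == "" else values + [v]
    return values

def skips_containers(unit_text):
    # True if the unit, or a drop-in merged into it, will be skipped inside a container.
    return "!container" in condition_values(unit_text)
```

Run scan_journal over `journalctl -b -u secureboot-db.service` output and skips_containers over `systemctl cat secureboot-db.service` output to confirm that a host still reporting these failures is missing the condition.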