[Bug 1892797] Proposed package upload rejected

[Brian Murray]

An upload of sbsigntool to focal-proposed has been rejected from the
upload queue for the following reason: "This is missing the Breaks that
went into Groovy.".

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to sbsigntool in Ubuntu.
https://bugs.launchpad.net/bugs/1892797

Title:
  sbkeysync fails to return non-zero on error

Status in sbsigntool package in Ubuntu:
  Triaged
Status in sbsigntool source package in Bionic:
  Won't Fix
Status in sbsigntool source package in Focal:
  Won't Fix
Status in sbsigntool source package in Groovy:
  Triaged
Status in sbsigntool package in Debian:
  Unknown

Bug description:
  [Impact]
  sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.

  An example of when this can happen - and where I noticed it - is if
  you have a system w/ limited variable store space and you try to
  import a new DBX update file. This is the case today if you pull in
  the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store
  (we've since added 4M images - see bug 1885662).

  [Test Case]

  Boot a secureboot VM w/ 2MB flash, e.g.:
  $ cat > user-data.yaml << EOF
  #cloud-config
  password: ubuntu
  chpasswd: { expire: False }
  ssh_pwauth: True
  EOF

  $ cloud-localds seed.img user-data.yaml
  $ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
  $ virt-install --name test --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash --import --disk path=test.img --disk path=test-seed.img --ram 4096 --vcpus 4 --os-type linux --os-variant ubuntu18.04 --graphics none --console pty,target_type=serial --network network:default --feature smm=on

  Then, from within the guest:
  $ wget https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin
  $ sudo cp dbxupdate_x64.bin /usr/share/secureboot/updates/dbx
  $ sudo service secureboot-db stop
  $ sudo service secureboot-db start
  $ sudo systemctl status secureboot-db.service
  <...>
   /usr/share/secureboot/updates --verbose (code=exited, status=0/SUCCESS)
     Main PID: 2271 (code=exited, status=0/SUCCESS)

  Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
  <...>

  [Fix]
  https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826

  [Regression Potential]
  It's possible that causing a command to fail that previously did not will lead to other issues. For example, if someone has a 'set -e' shell script that restarts the secureboot-db service, and then does other things, those other things would no longer happen after the secureboot-db servic restart begins to fail.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sbsigntool/+bug/1892797/+subscriptions