[Bug 1840845] Re: secureboot-db.service should not run in a container
Dimitri John Ledkov
1840845 at bugs.launchpad.net
Sat Nov 25 15:34:06 UTC 2023
I have concerns about not running this in "the installer" in case
installation is actually being performed.
If installation is completed and dbx updates are not applied, it means
the system is vulnerable to being attacked between installation completion &
first boot (i.e. in case systems are provisioned and shipped).
Also, because we currently do not have snapd secboot dbx resealing
support, we rely on live session to apply dbx revocations to seal
against them during provisioning.
Can we please update curtin / subiquity to apply dbx updates, prior to
doing `snap prepare-image` or installing bootloaders?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1840845
Title:
secureboot-db.service should not run in a container
Status in secureboot-db package in Ubuntu:
Confirmed
Bug description:
1) # lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10
2) root at e1:~# apt-cache policy secureboot-db
secureboot-db:
Installed: 1.5
Candidate: 1.5
Version table:
*** 1.5 500
500 http://archive.ubuntu.com/ubuntu eoan/main amd64 Packages
100 /var/lib/dpkg/status
3) secureboot-db.service does not run inside a LXD container
# systemctl status secureboot-db.service
● secureboot-db.service - Secure Boot updates for DB and DBX
Loaded: loaded (/lib/systemd/system/secureboot-db.service; enabled; vendor preset: enabled)
Active: inactive (dead)
Condition: start condition failed at Tue 2019-08-20 20:51:09 UTC; 9s ago
└─ ConditionVirtualization=!container was not met
Aug 20 20:42:06 e1 systemd[1]: Started Secure Boot updates for DB and DBX.
Aug 20 20:51:09 e1 systemd[1]: Condition check resulted in Secure Boot updates for DB and DBX being skipped.
4) secureboot-db.service starts and fetches keys but cannot write to /sys
# journalctl -o short-precise -b -u secureboot-db.service | egrep "(Error|Cant|chattr)"
Aug 20 20:04:18.947034 e1 chattr[285]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:04:19.057942 e1 chattr[302]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:04:19.083525 e1 chattr[304]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:04:19.123167 e1 sbkeysync[315]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Aug 20 20:26:27.716688 e1 chattr[207]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:26:27.817164 e1 chattr[224]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:26:27.855895 e1 chattr[239]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:26:27.893937 e1 sbkeysync[248]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Aug 20 20:38:10.105456 e1 chattr[235]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:38:10.111700 e1 chattr[245]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:38:10.140787 e1 chattr[250]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:38:10.188091 e1 sbkeysync[262]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Aug 20 20:42:05.935136 e1 chattr[232]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:42:06.015810 e1 chattr[241]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:42:06.076527 e1 chattr[258]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:42:06.116561 e1 sbkeysync[266]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
This can be fixed by adding another condition to the unit.
# /etc/systemd/system/secureboot-db.service.d/override.conf
[Unit]
ConditionVirtualization=!container
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: secureboot-db 1.5
ProcVersionSignature: Ubuntu 4.15.0-58.64~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-58-generic x86_64
ApportVersion: 2.20.11-0ubuntu7
Architecture: amd64
Date: Tue Aug 20 20:48:32 2019
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
LANG=C.UTF-8
SourcePackage: secureboot-db
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1840845/+subscriptions
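The reply above worries about systems that are provisioned without the dbx revocations ever reaching firmware, and the bug's journal lines show why that happens silently in a container (sbkeysync cannot touch efivarfs). What a practitioner wants at the end of provisioning is a positive check: read the live `dbx` variable back and confirm the expected revocation hashes are in it. The following is an added example, not code from this bug report, from secureboot-db or from curtin/subiquity. It assumes the efivarfs file layout (a 4-byte attribute word followed by the variable data) and the EFI_SIGNATURE_LIST layout from the UEFI specification; it does not parse the signed `MS-2016-08-08.bin` style update itself, so the caller supplies the list of SHA-256 hashes it expects. The sample dbx and hashes embedded below are constructed for offline testing and the owner GUID is a placeholder, not a real signature owner.

```python
import hashlib
import os
import struct
import uuid

EFIVARS_DIR = "/sys/firmware/efi/efivars"
DBX_VAR = "dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # variable name seen in the bug's journal

# Signature-type GUIDs defined by the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_efivar_file(blob):
    """Split an efivarfs file into (attributes, data).  efivarfs prefixes the
    variable contents with a 4-byte little-endian attribute word."""
    if len(blob) < 4:
        raise ValueError("efivarfs file shorter than its 4-byte attribute header")
    (attrs,) = struct.unpack_from("<I", blob, 0)
    return attrs, blob[4:]


def parse_signature_lists(data):
    """Walk a concatenation of EFI_SIGNATURE_LIST structures and return
    (signature_type, owner, signature_data) tuples, one per entry.  Every size
    field is bounds-checked so a truncated or corrupt variable raises instead
    of being misread as 'nothing revoked'."""
    entries = []
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size < 16:  # SignatureOwner GUID alone is 16 bytes
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature body not a multiple of SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries


def dbx_sha256_hashes(blob):
    """Set of hex SHA-256 digests revoked by a dbx variable read from efivarfs."""
    _attrs, data = parse_efivar_file(blob)
    return {sig.hex() for sig_type, _owner, sig in parse_signature_lists(data)
            if sig_type == EFI_CERT_SHA256_GUID}


def missing_revocations(dbx_blob, expected_hex_hashes):
    """Expected revocation hashes that are NOT yet present in dbx, sorted."""
    present = dbx_sha256_hashes(dbx_blob)
    return sorted(h.lower() for h in expected_hex_hashes if h.lower() not in present)


def check_live_dbx(expected_hex_hashes, path=os.path.join(EFIVARS_DIR, DBX_VAR)):
    """Read the running system's dbx.  Returns None when the variable is not
    reachable (no UEFI, or a container where efivarfs is absent, which is the
    situation this bug is about), otherwise the list of still-missing hashes."""
    try:
        with open(path, "rb") as f:
            blob = f.read()
    except OSError:
        return None
    return missing_revocations(blob, expected_hex_hashes)


def build_signature_list(sig_type, owner, entries):
    """Encode one EFI_SIGNATURE_LIST (empty SignatureHeader) from fixed-size
    entries.  Used here only to construct a sample dbx for offline testing."""
    if not entries or any(len(e) != len(entries[0]) for e in entries):
        raise ValueError("need one or more entries of identical size")
    sig_size = 16 + len(entries[0])
    list_size = 28 + sig_size * len(entries)
    out = sig_type.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for e in entries:
        out += owner.bytes_le + e
    return out


# --- constructed sample data: placeholder owner GUID, hashes of made-up inputs ---
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000000")
SAMPLE_HASHES = [hashlib.sha256(b"constructed revoked image %d" % i).digest() for i in range(3)]
# Attribute word 0x27 = NV | BS | RT | TIME_BASED_AUTHENTICATED_WRITE_ACCESS.
# Only two of the three hashes are in this sample dbx; the X.509 list shows that
# non-SHA-256 entries are skipped rather than mistaken for hashes.
SAMPLE_DBX = (struct.pack("<I", 0x27)
              + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, SAMPLE_HASHES[:2])
              + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [b"not-a-real-certificate"]))

if __name__ == "__main__":
    wanted = [h.hex() for h in SAMPLE_HASHES]
    missing = missing_revocations(SAMPLE_DBX, wanted)
    print("sample dbx is missing %d of %d revocations" % (len(missing), len(wanted)))
    live = check_live_dbx(wanted)
    print("live dbx:", "not reachable from here" if live is None else "%d sample hashes missing" % len(live))
```

Run at the end of provisioning (on the target firmware, not in the installer's container), a non-empty result from `check_live_dbx` means the system will ship with revoked binaries still bootable, which is exactly the window the reply above describes; `None` means you are not looking at real efivars at all and the check must be repeated on the host.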