sbkeysync fails to return non-zero on error
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sbsigntool (Debian) | Confirmed | Unknown | | |
| sbsigntool (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Won't Fix | Undecided | Unassigned | |
| Focal | Won't Fix | Undecided | Unassigned | |
| Groovy | Won't Fix | Undecided | Unassigned | |
Bug Description
[Impact]
sbkeysync may exit with exit code 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).
[Test Case]
Boot a secureboot VM w/ 2MB flash, e.g.:
$ cat > user-data.yaml << EOF
#cloud-config
password: ubuntu
chpasswd: { expire: False }
ssh_pwauth: True
EOF
$ cloud-localds seed.img user-data.yaml
$ wget https:/
$ virt-install --name test --boot loader=
Then, from within the guest:
$ wget https:/
$ sudo cp dbxupdate_x64.bin /usr/share/
$ sudo service secureboot-db stop
$ sudo service secureboot-db start
$ sudo systemctl status secureboot-
<...>
/usr/share/
Main PID: 2271 (code=exited, status=0/SUCCESS)
Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /usr/share/
<...>
[Regression Potential]
It's possible that causing a command to fail that previously did not will lead to other issues. For example, if someone has a 'set -e' shell script that restarts the secureboot-db service, and then does other things, those other things would no longer happen after the secureboot-db service restart begins to fail.
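The failure mode described above (sbkeysync logs "Error syncing keystore file ..." but still exits 0, so the service shows status=0/SUCCESS) can be caught by a wrapper that inspects the output as well as the exit status. The following is an added example, not code from the bug report or from sbsigntool; the sample journal lines and the keystore paths in them are constructed placeholders, and `run_sbkeysync_checked` assumes a plain `sbkeysync` invocation with no extra options.

```shell
#!/bin/sh
# Added example (not part of the bug report or of sbsigntool): treat an
# sbkeysync run as failed when it reports a keystore sync error, even on
# versions that still exit 0 in that case.

# Constructed sample log text (placeholder paths, not the real keystore files).
SAMPLE_BAD='Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /example/keystore/dbxupdate_x64.bin'
SAMPLE_OK='Aug 25 16:41:07 ubuntu sbkeysync[2271]: starting keystore sync (constructed line)'

# Print the keystore files named in "Error syncing keystore file" lines
# of TEXT (raw sbkeysync output or journalctl output), one per line.
failed_keystore_files() {
    printf '%s\n' "$1" | sed -n 's/.*Error syncing keystore file \(.*\)$/\1/p'
}

# Verdict for one run: return 0 only if EXIT_CODE is 0 AND TEXT names no
# failed keystore file; otherwise return non-zero and list the failures.
sbkeysync_verdict() {
    text="$1"
    exit_code="$2"
    [ "$exit_code" -eq 0 ] || return "$exit_code"
    failed=$(failed_keystore_files "$text")
    [ -z "$failed" ] && return 0
    printf 'sbkeysync reported failure for:\n%s\n' "$failed" >&2
    return 1
}

# Run the real sbkeysync, pass its output through, and apply the verdict.
# Because the verdict is the function's exit status, a 'set -e' script
# (or a systemd ExecStart) that calls this will stop on a sync failure.
run_sbkeysync_checked() {
    out=$(sbkeysync 2>&1)
    rc=$?
    printf '%s\n' "$out"
    sbkeysync_verdict "$out" "$rc"
}

# Demonstration on the constructed samples (no sbkeysync needed).
if sbkeysync_verdict "$SAMPLE_BAD" 0; then
    echo "unexpected: error line not detected"
else
    echo "sync failure detected despite exit status 0"
fi
sbkeysync_verdict "$SAMPLE_OK" 0 && echo "clean run accepted"
```

To check a past run rather than a live one, the same verdict can be applied to `journalctl -u secureboot-db -b` output with the recorded exit status from `systemctl status`; the `failed_keystore_files` helper is what turns the log lines into a list of files that still need attention.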
| Changed | Detail |
|---|---|
| description | updated |
| sbsigntool (Ubuntu Focal) | status: New → In Progress |
| sbsigntool (Debian) | status: Unknown → Confirmed |
| sbsigntool (Ubuntu Groovy) | status: Triaged → Won't Fix |
| sbsigntool (Ubuntu) | status: Triaged → Fix Released |
This bug was fixed in the package sbsigntool - 0.9.2-2ubuntu3
---------------
sbsigntool (0.9.2-2ubuntu3) groovy; urgency=medium
* sbkeysync: exit non-zero upon key insertion failure. (LP: #1892797)
-- dann frazier <email address hidden> Mon, 24 Aug 2020 18:35:41 -0600