[Impact]
sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).
[Impact]
sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).
[Test Case] /usr/share/ OVMF/OVMF_ CODE.secboot. fd,loader_ ro=yes, loader_ type=pflash \ server- cloudimg- amd64.img \ type=serial --network network:default
Boot a secureboot VM, e.g.:
cloud-localds seed.img user-data.yaml
virt-install --name test \
--boot loader=
--import \
--disk path=focal-
--disk path=seed.img \
--ram 1024 --feature smm=on --vcpus 1 --os-type linux \
--os-variant ubuntu18.04 --graphics none \
--console pty,target_
[Fix] /git.kernel. org/pub/ scm/linux/ kernel/ git/jejb/ sbsigntools. git/commit/ ?id=f12484869c9 590682ac3253d58 3bf59b890bb826
https:/
[Whatever we renamed Regression Risk to..]
TBD