secureboot-db out of date, missing revocations from Aug 2016
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
secureboot-db (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Trusty |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Unassigned |
Bug Description
Impact
------
A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://
This file has not been included in the secureboot-db package in Ubuntu; so users who only boot Ubuntu and not Windows will not have these revocations applied, meaning their firmware will trust (and possibly be exploitable by) whatever binaries these revoked hashes correspond to.
Additionally, the attributes of the EFI variables need to be modified before trying to call sbkeysync so that the database update can be applied.
Test Case
---------
On a UEFI system with secureboot disabled do the following
1) Check the output of 'mokutil --dbx'
2) Update secureboot-db to the version from -proposed
3) Check the output of 'mokutil --dbx' and verify its different from the first run
Additionally it should be verified that the new package installs on a secureboot-enabled system, in a container, on a BIOS-booted system.
Regression Potential
-------
Its possible the revoked hashes are incorrect so they should be double checked to ensure they match the Microsoft update.
Original Description
-------
Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora.
tags: | added: id-5b22e55970e8360b88ce82be |
Changed in secureboot-db (Ubuntu Trusty): | |
status: | New → Triaged |
Changed in secureboot-db (Ubuntu Xenial): | |
status: | New → Triaged |
Changed in secureboot-db (Ubuntu Bionic): | |
status: | New → Triaged |
Changed in secureboot-db (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in secureboot-db (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in secureboot-db (Ubuntu Bionic): | |
importance: | Undecided → Medium |
description: | updated |
tags: |
added: verification-done-xenial removed: verification-needed-xenial |
Error in testing:
New keys in filesystem: dbx/dbxupdate. bin dbx/dbxupdate. bin into dbx efi/efivars/ dbx-d719b2cb- 3d3a-4596- a3bc-dad00e6765 6f: Operation not permitted dbx/dbxupdate. bin
/tmp/keys/
Inserting key update /tmp/keys/
Can't create key file /sys/firmware/
Error syncing keystore file /tmp/keys/