Comment 0 for bug 1892797

[Impact]
sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.

An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).

[Test Case]
Boot a secureboot VM, e.g.:
cloud-localds seed.img user-data.yaml
virt-install --name test \
 --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
 --import \
 --disk path=focal-server-cloudimg-amd64.img \
 --disk path=seed.img \
 --ram 1024 --feature smm=on --vcpus 1 --os-type linux \
 --os-variant ubuntu18.04 --graphics none \
 --console pty,target_type=serial --network network:default

[Fix]
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826

[Whatever we renamed Regression Risk to..]
TBD