| 2020-08-25 00:31:11 |
dann frazier |
bug |
|
|
added bug |
| 2020-08-25 00:31:23 |
dann frazier |
bug watch added |
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=968974 |
|
| 2020-08-25 00:31:23 |
dann frazier |
bug task added |
|
sbsigntool (Debian) |
|
| 2020-08-25 04:58:37 |
Launchpad Janitor |
sbsigntool (Ubuntu): status |
New |
Fix Released |
|
| 2020-08-25 20:45:22 |
dann frazier |
description |
[Impact]
sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).
[Test Case]
Boot a secureboot VM, e.g.:
cloud-localds seed.img user-data.yaml
virt-install --name test \
--boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash \
--import \
--disk path=focal-server-cloudimg-amd64.img \
--disk path=seed.img \
--ram 1024 --feature smm=on --vcpus 1 --os-type linux \
--os-variant ubuntu18.04 --graphics none \
--console pty,target_type=serial --network network:default
[Fix]
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826
[Whatever we renamed Regression Risk to..]
TBD |
[Impact]
sbkeysync may exit with exitcode 0 even if it failed to update keys. The secureboot-db service will report no error in this case. This can lead a user to believe they have protected themselves against known insecure bootloaders when they have not.
An example of when this can happen - and where I noticed it - is if you have a system w/ limited variable store space and you try to import a new DBX update file. This is the case today if you pull in the latest DBX for boothole on an OVMF VM w/ a 2M NV variable store (we've since added 4M images - see bug 1885662).
[Test Case]
Boot a secureboot VM w/ 2MB flash, e.g.:
$ cat > user-data.yaml << EOF
#cloud-config
password: ubuntu
chpasswd: { expire: False }
ssh_pwauth: True
EOF
$ cloud-localds seed.img user-data.yaml
$ wget https://cloud-images.ubuntu.com/focal/current/focal-server-cloudimg-amd64.img
$ virt-install --name test --boot loader=/usr/share/OVMF/OVMF_CODE.secboot.fd,loader_ro=yes,loader_type=pflash --import --disk path=test.img --disk path=test-seed.img --ram 4096 --vcpus 4 --os-type linux --os-variant ubuntu18.04 --graphics none --console pty,target_type=serial --network network:default --feature smm=on
Then, from within the guest:
$ wget https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin
$ sudo cp dbxupdate_x64.bin /usr/share/secureboot/updates/dbx
$ sudo service secureboot-db stop
$ sudo service secureboot-db start
$ sudo systemctl status secureboot-db.service
<...>
/usr/share/secureboot/updates --verbose (code=exited, status=0/SUCCESS)
Main PID: 2271 (code=exited, status=0/SUCCESS)
Aug 25 16:41:07 ubuntu sbkeysync[2271]: Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
<...>
[Fix]
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/commit/?id=f12484869c9590682ac3253d583bf59b890bb826
[Regression Potential]
It's possible that causing a command to fail that previously did not will lead to other issues. For example, if someone has a 'set -e' shell script that restarts the secureboot-db service, and then does other things, those other things would no longer happen after the secureboot-db servic restart begins to fail. |
|
| 2020-08-25 20:45:32 |
dann frazier |
nominated for series |
|
Ubuntu Focal |
|
| 2020-08-25 20:45:32 |
dann frazier |
bug task added |
|
sbsigntool (Ubuntu Focal) |
|
| 2020-08-25 20:45:32 |
dann frazier |
nominated for series |
|
Ubuntu Groovy |
|
| 2020-08-25 20:45:32 |
dann frazier |
bug task added |
|
sbsigntool (Ubuntu Groovy) |
|
| 2020-08-25 20:45:32 |
dann frazier |
nominated for series |
|
Ubuntu Bionic |
|
| 2020-08-25 20:45:32 |
dann frazier |
bug task added |
|
sbsigntool (Ubuntu Bionic) |
|
| 2020-08-25 20:45:43 |
dann frazier |
sbsigntool (Ubuntu Focal): status |
New |
In Progress |
|
| 2020-08-26 16:15:14 |
Steve Langasek |
bug |
|
|
added subscriber Dimitri John Ledkov |
| 2020-08-26 18:44:53 |
Dimitri John Ledkov |
sbsigntool (Ubuntu Groovy): status |
Fix Released |
Triaged |
|
| 2020-08-26 18:44:59 |
Dimitri John Ledkov |
sbsigntool (Ubuntu Focal): status |
In Progress |
Won't Fix |
|
| 2020-08-26 18:45:01 |
Dimitri John Ledkov |
sbsigntool (Ubuntu Bionic): status |
New |
Won't Fix |
|
| 2021-03-03 20:15:47 |
Bug Watch Updater |
sbsigntool (Debian): status |
Unknown |
Confirmed |
|
| 2023-11-25 15:09:36 |
Dimitri John Ledkov |
sbsigntool (Ubuntu Groovy): status |
Triaged |
Won't Fix |
|
| 2023-11-25 15:10:44 |
Dimitri John Ledkov |
sbsigntool (Ubuntu): status |
Triaged |
Fix Released |
|
