secureboot-db out of date, missing revocations from Aug 2016

Bug #1776996 reported by Steve Langasek on 2018-06-14
Affects                  Importance  Assigned to
secureboot-db (Ubuntu)   Medium      Unassigned
  Trusty                 Medium      Unassigned
  Xenial                 Medium      Unassigned
  Bionic                 Medium      Unassigned

Bug Description

Impact
------
A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

This file has not been included in the secureboot-db package in Ubuntu; so users who only boot Ubuntu and not Windows will not have these revocations applied, meaning their firmware will trust (and possibly be exploitable by) whatever binaries these revoked hashes correspond to.

Additionally, the attributes of the EFI variables need to be modified before trying to call sbkeysync so that the database update can be applied.

Test Case
---------
On a UEFI system with secureboot disabled, do the following:
1) Check the output of 'mokutil --dbx'
2) Update secureboot-db to the version from -proposed
3) Check the output of 'mokutil --dbx' and verify it's different from the first run

Additionally it should be verified that the new package installs on a secureboot-enabled system, in a container, on a BIOS-booted system.

Regression Potential
--------------------
It's possible the revoked hashes are incorrect, so they should be double checked to ensure they match the Microsoft update.

Original Description
--------------------
Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora.
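The procedure the test case and the impact section describe (stage the signed dbx update in a keystore, make the dbx efivar writable, run sbkeysync, compare 'mokutil --dbx' before and after) as one runnable script. This is an added example, not the secureboot-db package's own maintainer script. It assumes sbsigntool (sbkeysync), mokutil and e2fsprogs (chattr) are installed and that the update file (for example dbxupdate.bin from the uefi.org zip) is passed as the first argument; the EFIVARS environment override is an assumption added so the helper functions can be exercised without real firmware, and the dbx variable file name is the one from the sbkeysync error quoted in this report.

```shell
#!/bin/sh
# Added example (not from the secureboot-db package): apply a signed dbx
# update with sbkeysync and confirm it took effect, following the bug's
# test case. Assumes sbkeysync, mokutil and chattr are installed.
# EFIVARS override: assumption for testing; default is the real path.
set -eu

EFIVARS="${EFIVARS:-/sys/firmware/efi/efivars}"
DBX_GUID="d719b2cb-3d3a-4596-a3bc-dad00e67656f"   # from the error in the report

# 0 when the efivars filesystem is present and readable, 1 otherwise
# (BIOS boot, containers). The package's postinst prints
# "Can't access efivars filesystem ..., aborting" in exactly this case.
efivars_available() {
    [ -d "$1" ] && [ -r "$1" ]
}

# Clear the immutable attribute on one efivar file so sbkeysync may write it;
# newer kernels create authenticated variables immutable by default, which
# is what produced "Operation not permitted" in the report. A missing file
# (variable never set) is not an error.
make_mutable() {
    if [ -e "$1" ]; then
        chattr -i "$1"
    fi
}

# Compare two saved 'mokutil --dbx' listings; prints changed or unchanged.
dbx_changed() {
    if cmp -s "$1" "$2"; then
        echo unchanged
    else
        echo changed
    fi
}

# Stage the update in the layout sbkeysync expects (<keystore>/dbx/<file>)
# and sync only that keystore, ignoring /etc/secureboot/keys.
apply_dbx_update() {
    update="$1"
    keystore=$(mktemp -d)
    mkdir "$keystore/dbx"
    cp "$update" "$keystore/dbx/"
    make_mutable "$EFIVARS/dbx-$DBX_GUID"
    sbkeysync --verbose --no-default-keystores --keystore "$keystore"
    rm -r "$keystore"
}

main() {
    update="${1:?usage: $0 dbxupdate.bin}"
    if ! efivars_available "$EFIVARS"; then
        echo "Can't access efivars filesystem at $EFIVARS, aborting" >&2
        exit 0   # nothing to do on BIOS systems or in containers
    fi
    before=$(mktemp)
    after=$(mktemp)
    mokutil --dbx > "$before" || true
    apply_dbx_update "$update"
    mokutil --dbx > "$after" || true
    echo "dbx: $(dbx_changed "$before" "$after")"
    rm -f "$before" "$after"
}

# Run only when an update file is given; with no arguments the script just
# defines the functions above so it can be sourced.
[ $# -eq 0 ] || main "$@"
```

Run it as root with the path to the update: 'sudo sh apply-dbx.sh dbxupdate.bin'. The script exits 0 without touching anything when efivars is absent, matching the package's behaviour in the container and BIOS install logs later in this report, and it leaves the regression check from the SRU template to you: the hashes 'mokutil --dbx' reports afterwards should be compared against the Microsoft update itself.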

Steve Langasek (vorlon) wrote :

Error in testing:

New keys in filesystem:
 /tmp/keys/dbx/dbxupdate.bin
Inserting key update /tmp/keys/dbx/dbxupdate.bin into dbx
Can't create key file /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f: Operation not permitted
Error syncing keystore file /tmp/keys/dbx/dbxupdate.bin

Changed in secureboot-db (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
importance: Critical → Medium
information type: Public → Public Security
tags: added: id-5b22e55970e8360b88ce82be
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package secureboot-db - 1.2

---------------
secureboot-db (1.2) cosmic; urgency=medium

  * Apply the August 2016 dbx updates from Microsoft. LP: #1776996.
  * chattr -i the EFI variables before trying to call sbkeysync, since the
    kernel now has these files immutable by default.

 -- Steve Langasek <email address hidden> Thu, 06 Sep 2018 23:35:21 -0700

Changed in secureboot-db (Ubuntu):
status: Triaged → Fix Released
Alex Murray (alexmurray) wrote :

@vorlon - seems this might be causing a failure - see #1791248

Changed in secureboot-db (Ubuntu Trusty):
status: New → Triaged
Changed in secureboot-db (Ubuntu Xenial):
status: New → Triaged
Changed in secureboot-db (Ubuntu Bionic):
status: New → Triaged
Changed in secureboot-db (Ubuntu Trusty):
importance: Undecided → Medium
Changed in secureboot-db (Ubuntu Xenial):
importance: Undecided → Medium
Changed in secureboot-db (Ubuntu Bionic):
importance: Undecided → Medium
description: updated

Hello Steve, or anyone else affected,

Accepted secureboot-db into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/secureboot-db/1.4~ubuntu0.18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in secureboot-db (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted secureboot-db into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/secureboot-db/1.4~ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in secureboot-db (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Steve, or anyone else affected,

Accepted secureboot-db into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/secureboot-db/1.4~ubuntu0.14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-trusty to verification-done-trusty. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-trusty. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in secureboot-db (Ubuntu Trusty):
status: Triaged → Fix Committed
tags: added: verification-needed-trusty
Brian Murray (brian-murray) wrote :

The package successfully installed and upgraded on a bionic container:

The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 49 not upgraded.
Need to get 8488 B of archives.
After this operation, 21.5 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 secureboot-db amd64 1.4~ubuntu0.18.04.1 [8488 B]
Fetched 8488 B in 0s (27.8 kB/s)
(Reading database ... 28527 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.18.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.18.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.18.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

And on an Ubuntu 16.04 container:

The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 25 not upgraded.
Need to get 8398 B of archives.
After this operation, 21.5 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 secureboot-db amd64 1.4~ubuntu0.16.04.1 [8398 B]
Fetched 8398 B in 0s (45.1 kB/s)
(Reading database ... 25691 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.16.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.16.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.16.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

And on trusty:

The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 8396 B of archives.
After this operation, 8192 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main secureboot-db amd64 1.4~ubuntu0.14.04.1 [8396 B]
Fetched 8396 B in 0s (27.4 kB/s)
(Reading database ... 25120 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.14.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.14.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.14.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

Brian Murray (brian-murray) wrote :

Installing the version of secureboot-db from bionic -proposed on a UEFI system without secureboot was successful and new keys were added to the filesystem.

Brian Murray (brian-murray) wrote :

Installing the version of secureboot-db from bionic -proposed on a UEFI system with secureboot enabled was also successful and the new keys were added to the filesystem.

Brian Murray (brian-murray) wrote :

The bionic package from -proposed also successfully installed on a BIOS system.

bdmurray@clean-bionic-amd64:~$ sudo apt install secureboot-db
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 266 not upgraded.
Need to get 8,488 B of archives.
After this operation, 21.5 kB disk space will be freed.
Get:1 http://192.168.10.7/ubuntu bionic-proposed/main amd64 secureboot-db amd64 1.4~ubuntu0.18.04.1 [8,488 B]
Fetched 8,488 B in 0s (0 B/s)
(Reading database ... 166001 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.18.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.18.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.18.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

tags: added: verification-done-bionic
removed: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Installing the version of secureboot-db from xenial-proposed on a UEFI system without secureboot was successful and new keys were added to the filesystem.

Brian Murray (brian-murray) wrote :

Installing the version of secureboot-db from xenial-proposed on a UEFI system with secureboot enabled was also successful and the new keys were added to the filesystem.

Brian Murray (brian-murray) wrote :

The xenial package from -proposed also successfully installed on a BIOS system.

bdmurray@clean-xenial-amd64:~$ sudo apt install secureboot-db
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  libllvm4.0
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 48 not upgraded.
Need to get 8,398 B of archives.
After this operation, 21.5 kB disk space will be freed.
Get:1 http://192.168.10.7/ubuntu xenial-proposed/main amd64 secureboot-db amd64 1.4~ubuntu0.16.04.1 [8,398 B]
Fetched 8,398 B in 0s (355 kB/s)
(Reading database ... 215711 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.16.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.16.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.16.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

tags: added: verification-done-xenial
removed: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Installing the version of secureboot-db from trusty-proposed on a UEFI system without secureboot was successful and new keys were added to the filesystem.

Brian Murray (brian-murray) wrote :

Installing the version of secureboot-db from trusty-proposed on a UEFI system with secureboot enabled was also successful and the new keys were added to the filesystem.

Brian Murray (brian-murray) wrote :

The trusty package from -proposed also successfully installed on a BIOS system.

bdmurray@clean-trusty-amd64:~$ sudo apt install secureboot-db
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libdbusmenu-gtk4 libqpdf13
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 11 not upgraded.
Need to get 8,396 B of archives.
After this operation, 8,192 B of additional disk space will be used.
Get:1 http://ubuntu.osuosl.org/ubuntu/ trusty-proposed/main secureboot-db amd64 1.4~ubuntu0.14.04.1 [8,396 B]
Fetched 8,396 B in 0s (45.5 kB/s)
(Reading database ... 204091 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.14.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.14.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.14.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package secureboot-db - 1.4~ubuntu0.14.04.1

---------------
secureboot-db (1.4~ubuntu0.14.04.1) trusty; urgency=medium

  * Backport secureboot-db from cosmic to apply the August 2016 dbx updates
    from Microsoft. LP: #1776996.

 -- Brian Murray <email address hidden> Fri, 19 Oct 2018 11:20:34 -0700

Changed in secureboot-db (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for secureboot-db has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package secureboot-db - 1.4~ubuntu0.16.04.1

---------------
secureboot-db (1.4~ubuntu0.16.04.1) xenial; urgency=medium

  * Backport secureboot-db from cosmic to apply the August 2016 dbx updates
    from Microsoft. LP: #1776996.

 -- Brian Murray <email address hidden> Fri, 19 Oct 2018 11:20:34 -0700

Changed in secureboot-db (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package secureboot-db - 1.4~ubuntu0.18.04.1

---------------
secureboot-db (1.4~ubuntu0.18.04.1) bionic; urgency=medium

  * Backport secureboot-db from cosmic to apply the August 2016 dbx updates
    from Microsoft. LP: #1776996.

 -- Brian Murray <email address hidden> Fri, 19 Oct 2018 11:20:34 -0700

Changed in secureboot-db (Ubuntu Bionic):
status: Fix Committed → Fix Released