2018-06-14 21:59:10 |
Steve Langasek |
bug |
|
|
added bug |
2018-06-14 21:59:28 |
Steve Langasek |
secureboot-db (Ubuntu): status |
New |
Triaged |
|
2018-06-14 21:59:29 |
Steve Langasek |
secureboot-db (Ubuntu): importance |
Undecided |
Critical |
|
2018-06-14 21:59:30 |
Steve Langasek |
secureboot-db (Ubuntu): importance |
Critical |
Medium |
|
2018-06-14 21:59:42 |
Steve Langasek |
information type |
Public |
Public Security |
|
2018-06-14 22:33:24 |
Steve Beattie |
bug |
|
|
added subscriber Steve Beattie |
2018-06-15 12:23:29 |
Francis Ginther |
tags |
|
id-5b22e55970e8360b88ce82be |
|
2018-09-07 07:24:45 |
Launchpad Janitor |
secureboot-db (Ubuntu): status |
Triaged |
Fix Released |
|
2018-10-15 21:54:44 |
Brian Murray |
nominated for series |
|
Ubuntu Bionic |
|
2018-10-15 21:54:44 |
Brian Murray |
bug task added |
|
secureboot-db (Ubuntu Bionic) |
|
2018-10-15 21:54:44 |
Brian Murray |
nominated for series |
|
Ubuntu Xenial |
|
2018-10-15 21:54:44 |
Brian Murray |
bug task added |
|
secureboot-db (Ubuntu Xenial) |
|
2018-10-15 21:54:44 |
Brian Murray |
nominated for series |
|
Ubuntu Trusty |
|
2018-10-15 21:54:44 |
Brian Murray |
bug task added |
|
secureboot-db (Ubuntu Trusty) |
|
2018-10-15 21:54:56 |
Brian Murray |
secureboot-db (Ubuntu Trusty): status |
New |
Triaged |
|
2018-10-15 21:55:01 |
Brian Murray |
secureboot-db (Ubuntu Xenial): status |
New |
Triaged |
|
2018-10-15 21:55:05 |
Brian Murray |
secureboot-db (Ubuntu Bionic): status |
New |
Triaged |
|
2018-10-15 21:55:08 |
Brian Murray |
secureboot-db (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2018-10-15 21:55:12 |
Brian Murray |
secureboot-db (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2018-10-15 21:55:15 |
Brian Murray |
secureboot-db (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2018-10-17 23:22:05 |
Brian Murray |
description |
A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
This file has not been included in the secureboot-db package in Ubuntu; so users who only boot Ubuntu and not Windows will not have these revocations applied, meaning their firmware will trust (and possibly be exploitable by) whatever binaries these revoked hashes correspond to.
Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora. |
Impact
------
A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip
This file has not been included in the secureboot-db package in Ubuntu; so users who only boot Ubuntu and not Windows will not have these revocations applied, meaning their firmware will trust (and possibly be exploitable by) whatever binaries these revoked hashes correspond to.
Additionally, the attributes of the EFI variables need to be modified before trying to call sbkeysync so that the database update can be applied.
Test Case
---------
On a UEFI system with secureboot disabled do the following
1) Check the output of 'mokutil --dbx'
2) Update secureboot-db to the version from -proposed
3) Check the output of 'mokutil --dbx' and verify its different from the first run
Additionally it should be verified that the new package installs on a secureboot-enabled system, in a container, on a BIOS-booted system.
Regression Potential
--------------------
Its possible the revoked hashes are incorrect so they should be double checked to ensure they match the Microsoft update.
Original Description
--------------------
Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK. So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora. |
|
2018-10-23 15:22:11 |
Łukasz Zemczak |
secureboot-db (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2018-10-23 15:22:13 |
Łukasz Zemczak |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2018-10-23 15:22:14 |
Łukasz Zemczak |
bug |
|
|
added subscriber SRU Verification |
2018-10-23 15:22:16 |
Łukasz Zemczak |
tags |
id-5b22e55970e8360b88ce82be |
id-5b22e55970e8360b88ce82be verification-needed verification-needed-bionic |
|
2018-10-23 15:30:11 |
Łukasz Zemczak |
secureboot-db (Ubuntu Xenial): status |
Triaged |
Fix Committed |
|
2018-10-23 15:30:16 |
Łukasz Zemczak |
tags |
id-5b22e55970e8360b88ce82be verification-needed verification-needed-bionic |
id-5b22e55970e8360b88ce82be verification-needed verification-needed-bionic verification-needed-xenial |
|
2018-10-23 15:35:50 |
Łukasz Zemczak |
secureboot-db (Ubuntu Trusty): status |
Triaged |
Fix Committed |
|
2018-10-23 15:35:54 |
Łukasz Zemczak |
tags |
id-5b22e55970e8360b88ce82be verification-needed verification-needed-bionic verification-needed-xenial |
id-5b22e55970e8360b88ce82be verification-needed verification-needed-bionic verification-needed-trusty verification-needed-xenial |
|
2018-10-30 18:39:27 |
Brian Murray |
attachment added |
|
bionic-bug176996.png https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+attachment/5207218/+files/bionic-bug176996.png |
|
2018-10-30 18:57:44 |
Brian Murray |
attachment added |
|
bionic-bug176996-withsb.png https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+attachment/5207219/+files/bionic-bug176996-withsb.png |
|
2018-10-30 19:01:13 |
Brian Murray |
tags |
id-5b22e55970e8360b88ce82be verification-needed verification-needed-bionic verification-needed-trusty verification-needed-xenial |
id-5b22e55970e8360b88ce82be verification-done-bionic verification-needed verification-needed-trusty verification-needed-xenial |
|
2018-10-30 19:19:00 |
Brian Murray |
attachment added |
|
xenial-bug176996.png https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+attachment/5207221/+files/xenial-bug176996.png |
|
2018-10-30 19:48:38 |
Brian Murray |
attachment added |
|
xenial-bug176996-withsb.png https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+attachment/5207223/+files/xenial-bug176996-withsb.png |
|
2018-10-30 22:06:48 |
Brian Murray |
tags |
id-5b22e55970e8360b88ce82be verification-done-bionic verification-needed verification-needed-trusty verification-needed-xenial |
id-5b22e55970e8360b88ce82be verification-done-bionic verification-done-xenial verification-needed verification-needed-trusty |
|
2018-10-30 22:15:23 |
Brian Murray |
attachment added |
|
trusty-bug176996.png https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+attachment/5207258/+files/trusty-bug176996.png |
|
2018-10-30 22:19:29 |
Brian Murray |
attachment added |
|
trusty-bug176996-withsb.png https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+attachment/5207259/+files/trusty-bug176996-withsb.png |
|
2018-10-30 22:56:58 |
Brian Murray |
tags |
id-5b22e55970e8360b88ce82be verification-done-bionic verification-done-xenial verification-needed verification-needed-trusty |
id-5b22e55970e8360b88ce82be verification-done-bionic verification-done-trusty verification-done-xenial verification-needed |
|
2018-10-30 23:48:43 |
Launchpad Janitor |
secureboot-db (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2018-10-30 23:48:48 |
Chris Halse Rogers |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2018-10-31 00:07:25 |
Launchpad Janitor |
secureboot-db (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-10-31 00:07:44 |
Launchpad Janitor |
secureboot-db (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|