secureboot-db.service should not run in a container

Bug #1840845 reported by Ryan Harper
This bug affects 2 people
Affects: secureboot-db (Ubuntu); Status: Confirmed; Importance: Undecided; Assigned to: Unassigned

Bug Description

1) # lsb_release -rd
Description: Ubuntu Eoan Ermine (development branch)
Release: 19.10

2) root@e1:~# apt-cache policy secureboot-db
secureboot-db:
  Installed: 1.5
  Candidate: 1.5
  Version table:
 *** 1.5 500
        500 http://archive.ubuntu.com/ubuntu eoan/main amd64 Packages
        100 /var/lib/dpkg/status

3) secureboot-db.service does not run inside a LXD container

# systemctl status secureboot-db.service
● secureboot-db.service - Secure Boot updates for DB and DBX
   Loaded: loaded (/lib/systemd/system/secureboot-db.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Tue 2019-08-20 20:51:09 UTC; 9s ago
           └─ ConditionVirtualization=!container was not met

Aug 20 20:42:06 e1 systemd[1]: Started Secure Boot updates for DB and DBX.
Aug 20 20:51:09 e1 systemd[1]: Condition check resulted in Secure Boot updates for DB and DBX being skipped.

4) secureboot-db.service starts and fetches keys but cannot write to /sys

# journalctl -o short-precise -b -u secureboot-db.service | egrep "(Error|Cant|chattr)"
Aug 20 20:04:18.947034 e1 chattr[285]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:04:19.057942 e1 chattr[302]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:04:19.083525 e1 chattr[304]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:04:19.123167 e1 sbkeysync[315]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Aug 20 20:26:27.716688 e1 chattr[207]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:26:27.817164 e1 chattr[224]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:26:27.855895 e1 chattr[239]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:26:27.893937 e1 sbkeysync[248]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Aug 20 20:38:10.105456 e1 chattr[235]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:38:10.111700 e1 chattr[245]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:38:10.140787 e1 chattr[250]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:38:10.188091 e1 sbkeysync[262]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin
Aug 20 20:42:05.935136 e1 chattr[232]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
Aug 20 20:42:06.015810 e1 chattr[241]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:42:06.076527 e1 chattr[258]: /usr/bin/chattr: Permission denied while reading flags on /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f
Aug 20 20:42:06.116561 e1 sbkeysync[266]: Error syncing keystore file /usr/share/secureboot/updates/dbx/MS-2016-08-08.bin

This can be fixed by adding another condition to the unit.

# /etc/systemd/system/secureboot-db.service.d/override.conf
[Unit]
ConditionVirtualization=!container

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: secureboot-db 1.5
ProcVersionSignature: Ubuntu 4.15.0-58.64~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-58-generic x86_64
ApportVersion: 2.20.11-0ubuntu7
Architecture: amd64
Date: Tue Aug 20 20:48:32 2019
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 LANG=C.UTF-8
SourcePackage: secureboot-db
UpgradeStatus: No upgrade log present (probably fresh install)
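A preflight check that mirrors the ConditionVirtualization=!container gate proposed above and additionally verifies that the KEK/db/dbx variables named in the journal errors are writable. This is an added example, not code from the bug report or the secureboot-db package; it assumes the virtualization type is obtained from `systemd-detect-virt --container` (which prints "none" outside a container) and takes the efivars directory as a parameter so the logic can be exercised against a constructed directory without root.

```shell
#!/bin/sh
# Added example (not from the secureboot-db package): decide whether a
# Secure Boot db/dbx sync should be attempted on this system.
#   $1 - output of `systemd-detect-virt --container` ("none" = not a container)
#   $2 - efivars directory (normally /sys/firmware/efi/efivars)
# Returns 0 when a sync should proceed, 1 otherwise, and prints the reason.
should_sync_secureboot_db() {
    virt="$1"
    efivars="$2"

    # Containers share the host kernel and cannot write firmware variables,
    # which is exactly what the chattr/sbkeysync errors in the report show.
    # Anything other than an explicit "none" (including an empty answer from
    # a missing systemd-detect-virt) is treated as a container so a broken
    # detection never produces that error storm again.
    case "$virt" in
        none) ;;
        *)
            echo "skip: running in a container (detected: '${virt:-unknown}')"
            return 1 ;;
    esac

    # No efivars directory: not booted via UEFI, or efivarfs is not mounted.
    if [ ! -d "$efivars" ]; then
        echo "skip: $efivars is not present (not UEFI, or efivarfs not mounted)"
        return 1
    fi

    # The GUID-suffixed variables sbkeysync updates. `-w` catches a read-only
    # mount or a missing variable; the immutable bit that chattr normally
    # clears is outside what a portable test(1) check can see.
    for var in \
        KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c \
        db-d719b2cb-3d3a-4596-a3bc-dad00e67656f \
        dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f; do
        if [ ! -w "$efivars/$var" ]; then
            echo "skip: $efivars/$var is missing or not writable"
            return 1
        fi
    done

    echo "ok: not a container and KEK/db/dbx are writable"
    return 0
}

# Stand-alone use, e.g. from an ExecCondition= helper:
#   should_sync_secureboot_db "$(systemd-detect-virt --container)" /sys/firmware/efi/efivars
```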

Ryan Harper (raharper) wrote :
Seth Arnold (seth-arnold) wrote :

This should also not run in a live environment, such as the installer, rescue media, etc.

Thanks

Changed in secureboot-db (Ubuntu):
status: New → Confirmed
Dimitri John Ledkov (xnox) wrote :

I have concerns about not running this in "the installer" in case installation is actually being performed.

If installation is completed and dbx updates are not applied, it means the system is vulnerable to attack between installation completing and first boot (i.e. in case systems are provisioned and shipped).

Also, because we currently do not have snapd secboot dbx resealing support, we rely on live session to apply dbx revocations to seal against them during provisioning.

Can we please update curtin / subiquity to apply dbx updates prior to doing `snap prepare-image` or installing bootloaders?

Dimitri John Ledkov (xnox) wrote :

(possibly we want subiquity/curtin to apply dbx updates based on the content of the installed system, in case it downloaded updated dbx revocations..... but this may prevent booting installer again so maybe we should attempt to apply live system dbx revocations..... decisions)

Simon Déziel (sdeziel) wrote :

I dropped the detection of the livecd env. This can be introduced at a later point in time.
