[Bug 1063061] Re: please backport support for EFI vars > 1KB

Steve Langasek steve.langasek at canonical.com
Wed Oct 24 00:14:28 UTC 2012


I've verified that the patch enables the expected interface to EFI
variables.  Preparing a test KEK update and PK update, I get the
following output from sbkeysync --verbose:

$ sudo sbkeysync --verbose --keystore keydb
Filesystem keystore:
  keydb/KEK/test.KEK-update [3076 bytes]
  keydb/PK/test.PK-update [3076 bytes]
firmware keys:
  PK:
    /CN=DO NOT TRUST - PK
  KEK:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation KEK CA 2011
  db:
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Testing Root Certificate Authority 2010
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows PCA 2010
    /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows Production PCA 2011
  dbx:
    0000000000000000000000000000000000000000000000000000000000000000
filesystem keys:
  PK:
    /C=US/ST=Oregon/L=Portland/O=Canonical Ltd./OU=Ubuntu Engineering/CN=Steve's test key/emailAddress=steve.langasek at canonical.com
     from keydb/PK/test.PK-update
  KEK:
    /C=US/ST=Oregon/L=Portland/O=Canonical Ltd./OU=Ubuntu Engineering/CN=Steve's test key/emailAddress=steve.langasek at canonical.com
     from keydb/KEK/test.KEK-update
  db:
  dbx:
New keys in filesystem:
 keydb/KEK/test.KEK-update
 keydb/PK/test.PK-update
Inserting key update keydb/KEK/test.KEK-update into KEK
Error writing key update: Permission denied
Error syncing keystore file keydb/KEK/test.KEK-update
$

The provided interface works as expected in this test case; the write is
blocked because Secure Boot is enabled and the update is not signed with
the platform key, so this is the expected error.  I don't have time at
the moment to test that a properly-authenticated write succeeds, but I
don't think testing that is required to confirm that the kernel change
is correct.  Marking verification-done.

** Tags removed: verification-needed-quantal
** Tags added: verification-done-quantal

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to mountall in Ubuntu.
https://bugs.launchpad.net/bugs/1063061

Title:
  please backport support for EFI vars > 1KB

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “mountall” package in Ubuntu:
  Fix Released
Status in “sbsigntool” package in Ubuntu:
  Fix Released
Status in “linux” source package in Precise:
  Triaged
Status in “mountall” source package in Precise:
  Triaged
Status in “sbsigntool” source package in Precise:
  Invalid
Status in “linux” source package in Quantal:
  Fix Committed
Status in “mountall” source package in Quantal:
  Fix Released
Status in “sbsigntool” source package in Quantal:
  Fix Released

Bug description:
  As of Linux 3.5, it is not possible to update the SecureBoot database
  from userspace because the sysfs implementation only supports variable
  data up to 1KB in size and this is exceeded by even a minimum key
  database of one key.

  Matt Fleming has accepted a patch from Matthew Garrett to add a new
  filesystem that supports larger variables.  Please consider
  backporting this (as an SRU) to both quantal and precise.

     https://lkml.org/lkml/2012/10/5/22
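An added example, not Steve's code and not the kernel or sbsigntool code: it parses the efivarfs file layout the backported patch exposes (a 4-byte attribute word followed by the variable data), walks the EFI_SIGNATURE_LIST entries that make up the key databases sbkeysync lists above, and flags data that would not have fit the 1KB sysfs interface the bug describes. The samples are constructed; the 1300 placeholder bytes stand in for a DER certificate and are not a real one.

```python
import struct
import uuid

SYSFS_EFIVARS_DATA_LIMIT = 1024  # the 1KB cap of the old sysfs interface
# EFI_SIGNATURE_LIST.SignatureType values used by db/dbx/KEK/PK (UEFI spec)
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

def parse_efivarfs(blob):
    """Split an efivarfs file image into (attribute word, variable data)."""
    if len(blob) < 4:
        raise ValueError("efivarfs file shorter than its 4-byte attribute header")
    return struct.unpack_from("<I", blob, 0)[0], blob[4:]

def parse_signature_lists(data):
    """Walk the EFI_SIGNATURE_LIST chain of a key database.
    Returns one (signature_type, owner_guid, signature_bytes) per entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if sig_size < 16 or list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        sigs = data[off + 28 + hdr_size:off + list_size]
        if len(sigs) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(0, len(sigs), sig_size):
            owner = uuid.UUID(bytes_le=sigs[i:i + 16])
            entries.append((sig_type, owner, sigs[i + 16:i + sig_size]))
        off += list_size
    return entries

def exceeds_sysfs_limit(data):
    """True if the old 1KB sysfs attribute could not have carried this data."""
    return len(data) > SYSFS_EFIVARS_DATA_LIMIT

def make_signature_list(sig_type, owner, sigs):
    """Build one header-less EFI_SIGNATURE_LIST from equal-size signatures."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

# Constructed samples, not captured from firmware: a dbx holding the single
# all-zero SHA-256 hash listed in the sbkeysync output above, and a db-style
# X.509 list whose entry is 1300 placeholder bytes standing in for a DER cert.
_NO_OWNER = uuid.UUID(int=0)
SAMPLE_DBX_DATA = make_signature_list(EFI_CERT_SHA256_GUID, _NO_OWNER, [bytes(32)])
SAMPLE_DBX_FILE = struct.pack("<I", 0x27) + SAMPLE_DBX_DATA  # attrs NV|BS|RT|TIME_AUTH
SAMPLE_X509_DATA = make_signature_list(EFI_CERT_X509_GUID, _NO_OWNER, [bytes(1300)])
```

Reading a live variable is the same call on the bytes of /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f once efivarfs is mounted.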
