[Bug 1558438] [NEW] "Disable secure boot" workflow is broken

Colin Watson cjwatson at canonical.com
Thu Mar 17 08:44:59 UTC 2016


Public bug reported:

I upgraded to grub2 2.02~beta2-36ubuntu1 and was presented with the new
prompt to disable secure boot, since I have a dkms package installed.
The password I entered was 14 characters long.  On the terminal, I see:

Installing for x86_64-efi platform.
Installation finished. No error reported.
password should be 8~16 characters
password should be 8~16 characters
password should be 8~16 characters
Abort

Looking at the code:

                        db_get dkms/secureboot_key
                        length=`echo $RET | wc -c`
                        if [ $length -lt 8 ] || [ $length -gt 16 ]; then
                            db_fset dkms/text/bad_secureboot_key seen false
                            db_input critical dkms/text/bad_secureboot_key
                            STATE=$(($STATE - 2))
                        elif [ $length -ne 0 ]; then
                            echo "${RET}\n${RET}" | mokutil --disable-validation >/dev/null || true
                        fi

There are a few problems here:

 * You *must* use echo "$RET" rather than echo $RET; the password could contain metacharacters.  In general you should always surround any $-expansion in a shell script with "" unless you specifically know that you're in one of the special cases where you need to not do so.
 * This is a /bin/bash script for historical reasons.  echo "${RET}\n${RET}" is non-portable syntax and only works in shells such as dash with the other style of echo.  You should use this instead: printf '%s\n%s\n' "$RET" "$RET"
 * While you're here, it seems to me that a password confirmation page would be a good idea, given that you obviously can't see what you're typing.

** Affects: grub2 (Ubuntu)
     Importance: Critical
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to grub2 in Ubuntu.
https://bugs.launchpad.net/bugs/1558438
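
An added example, not part of the original report or of the grub2 packaging: the length check and the mokutil feed quoted above, each in the reported form beside a corrected form. The function names and passwords are constructed for illustration. It goes slightly beyond the report by also showing that `echo ... | wc -c` counts the trailing newline.

```shell
#!/bin/sh
# Added example: buggy and corrected forms of the two steps in the report.
# All function names are hypothetical; all passwords are constructed.

# Length as the postinst computes it: unquoted expansion, newline counted.
buggy_length() {
    RET=$1
    echo $RET | wc -c | tr -d ' '
}

# Length of the value itself: no word splitting, no trailing newline.
fixed_length() {
    printf '%s' "${#1}"
}

# Range check from the report (8 to 16), applied to a given length.
in_range() {
    [ "$1" -ge 8 ] && [ "$1" -le 16 ]
}

# Feed for a tool that reads the password twice, one copy per line.
# printf never interprets backslashes in its %s arguments.
feed_twice() {
    printf '%s\n%s\n' "$1" "$1"
}

# Same feed as written in the postinst; whether "\n" becomes a newline
# depends on which echo the running shell provides.
feed_twice_echo() {
    echo "${1}\n${1}"
}

# Print both lengths and the number of lines each feed produces.
report() {
    pw=$1
    printf 'password=[%s] buggy_len=%s fixed_len=%s printf_lines=%s echo_lines=%s\n' \
        "$pw" "$(buggy_length "$pw")" "$(fixed_length "$pw")" \
        "$(feed_twice "$pw" | wc -l | tr -d ' ')" \
        "$(feed_twice_echo "$pw" | wc -l | tr -d ' ')"
}

report 'abcdefghijklmnop'      # 16 characters, no spaces
report 'ab    cd'              # 8 characters, four of them spaces
report 'back\tslash99'         # contains a backslash sequence
```

Under bash with default settings the echo_lines column reads 1, because the two copies stay on a single line; under dash it reads 2.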
