[Bug 1776996] Re: secureboot-db out of date, missing revocations from Aug 2016

Brian Murray brian at ubuntu.com
Fri Oct 26 21:30:07 UTC 2018 

The package successfully installed and upgraded on a bionic container:

The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 49 not upgraded.
Need to get 8488 B of archives.
After this operation, 21.5 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 secureboot-db amd64 1.4~ubuntu0.18.04.1 [8488 B]
Fetched 8488 B in 0s (27.8 kB/s)        
(Reading database ... 28527 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.18.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.18.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.18.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

And on an Ubuntu 16.04 container:

The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 25 not upgraded.
Need to get 8398 B of archives.
After this operation, 21.5 kB disk space will be freed.
Get:1 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 secureboot-db amd64 1.4~ubuntu0.16.04.1 [8398 B]
Fetched 8398 B in 0s (45.1 kB/s)        
(Reading database ... 25691 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.16.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.16.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.16.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

And on trusty:

The following packages will be upgraded:
  secureboot-db
1 upgraded, 0 newly installed, 0 to remove and 4 not upgraded.
Need to get 8396 B of archives.
After this operation, 8192 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu/ trusty-proposed/main secureboot-db amd64 1.4~ubuntu0.14.04.1 [8396 B]
Fetched 8396 B in 0s (27.4 kB/s)         
(Reading database ... 25120 files and directories currently installed.)
Preparing to unpack .../secureboot-db_1.4~ubuntu0.14.04.1_amd64.deb ...
Unpacking secureboot-db (1.4~ubuntu0.14.04.1) over (1.1) ...
Setting up secureboot-db (1.4~ubuntu0.14.04.1) ...
Can't access efivars filesystem at /sys/firmware/efi/efivars, aborting

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1776996

Title:
  secureboot-db out of date, missing revocations from Aug 2016

Status in secureboot-db package in Ubuntu:
  Fix Released
Status in secureboot-db source package in Trusty:
  Fix Committed
Status in secureboot-db source package in Xenial:
  Fix Committed
Status in secureboot-db source package in Bionic:
  Fix Committed

Bug description:
  Impact
  ------
  A signed variable update for secureboot dbx has been published by Microsoft to uefi.org; last updated 2016-08-11: http://www.uefi.org/sites/default/files/resources/dbxupdate.zip

  This file has not been included in the secureboot-db package in
  Ubuntu; so users who only boot Ubuntu and not Windows will not have
  these revocations applied, meaning their firmware will trust (and
  possibly be exploitable by) whatever binaries these revoked hashes
  correspond to.

  Additionally, the attributes of the EFI variables need to be modified
  before trying to call sbkeysync so that the database update can be
  applied.

  Test Case
  ---------
  On a UEFI system with secureboot disabled do the following
  1) Check the output of 'mokutil --dbx'
  2) Update secureboot-db to the version from -proposed
  3) Check the output of 'mokutil --dbx' and verify its different from the first run

  Additionally it should be verified that the new package installs on a
  secureboot-enabled system, in a container, on a BIOS-booted system.

  Regression Potential
  --------------------
  Its possible the revoked hashes are incorrect so they should be double checked to ensure they match the Microsoft update.

  Original Description
  --------------------
  Separately, I seem in testing to be unable to apply this signed database update to my system using sbkeysync, despite having the Microsoft CA in my KEK.  So it's possible that sbkeysync doesn't work; we may need to either fix it, or switch to other code that does work, such as the dbxtool in Fedora.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1776996/+subscriptions

More information about the foundations-bugs mailing list