[Bug 1801626] Re: secureboot-db installs new vars without explict owner permission
Dimitri John Ledkov
1801626 at bugs.launchpad.net
Tue Jun 30 03:24:30 UTC 2020
$ systemctl cat secureboot-db.service | grep Condition
ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
If db is empty, the var doesn't exist, and secureboot-db.service does
not run.
If db is populated, we populate dbx, to prevent known vulnerable
binaries to be usable on the system.
** Changed in: secureboot-db (Ubuntu)
Status: New => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to secureboot-db in Ubuntu.
https://bugs.launchpad.net/bugs/1801626
Title:
secureboot-db installs new vars without explict owner permission
Status in secureboot-db package in Ubuntu:
Fix Released
Bug description:
The latest secureboot-db package pulled via an apt-get upgrade
installed several DBX entries into my system's secure boot EFI vars
without explicit permission.
This system is in setup mode, and it doesn't even have a PK installed.
Installing DBX entries should not happen in this case. Especially
without explicit consent of the system's owner / administrator. Why is
this enabled by default? The ubuntu installer doesn't even have the
option for turning it off. (It shouldn't be enabled by default in the
first place.)
This is a severe trust violation. I would expect ubuntu to do better
than randomly install Secure Boot entries as part of system update.
(Or should I start disabling the updater dialogs like I did with
Windows 7 when MS started pulling crap like this with their update
service?)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1801626/+subscriptions
More information about the foundations-bugs
mailing list