[Bug 1791370] Re: update database on each boot, not just on package install

2019-07-15 Thread Steve Langasek
This is a low-priority bug and I had no expectation that this change
needed to be SRUed into stable releases.  Introducing a systemd unit is
relatively high risk for an SRU because of its potential impact on boot
speed/timing/ordering.  I am declining this as an SRU.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1791370

Title:
  update database on each boot, not just on package install

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1791370/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1791370] Re: update database on each boot, not just on package install

2019-07-15 Thread Julian Andres Klode
** Description changed:

- Currently the secureboot databases are only updated at the time the
- secureboot-db package is installed or upgraded, but this may not be the
- point in time that the firmware needs to be updated.
+ [Impact]
+ Currently the secureboot databases are only updated at the time the 
secureboot-db package is installed or upgraded, but this may not be the point 
in time that the firmware needs to be updated.
  
  - New OS install: the secureboot-db package was installed during the image 
mastering, not when Ubuntu is written to the target disk.
  - Package installed while the system is booted in BIOS mode, later switched 
to UEFI mode
  - Hard drive moved to a new computer which doesn't yet have the updates
  
  We should ship a systemd unit to re-apply these revocations as necessary
  on each boot.
  
  The unit should be
  
ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  
  (don't use dbx for the condition, since if dbx is empty this variable
  may be absent.)
+ 
+ [Test case]
+ - Ensure unit runs at boot
+ - Ensure unit runs in postinst on upgrade
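
Review bot: The [Test case] steps added at the end of this hunk only exercise the two positive paths (unit runs at boot, unit runs in postinst on upgrade). The description is built around the ConditionPathExists gate on the db variable and names the BIOS-mode install as a motivating case. A third step would cover the condition itself: confirm that the unit is skipped without error when the db efivars path is absent, both at boot and when the postinst starts it. It would also help to state how "runs" is verified, for example by checking the unit's status after boot.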

** Description changed:

  [Impact]
  Currently the secureboot databases are only updated at the time the 
secureboot-db package is installed or upgraded, but this may not be the point 
in time that the firmware needs to be updated.
  
  - New OS install: the secureboot-db package was installed during the image 
mastering, not when Ubuntu is written to the target disk.
  - Package installed while the system is booted in BIOS mode, later switched 
to UEFI mode
  - Hard drive moved to a new computer which doesn't yet have the updates
  
  We should ship a systemd unit to re-apply these revocations as necessary
  on each boot.
  
  The unit should be
  
ConditionPathExists=/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
  
  (don't use dbx for the condition, since if dbx is empty this variable
  may be absent.)
  
  [Test case]
  - Ensure unit runs at boot
  - Ensure unit runs in postinst on upgrade
+ 
+ [Regression potential]
+ Biggest potential is in the postinst, which now relies on dh to start the 
systemd oneshot service, rather than doing all the work itself. So if that's 
not working, things might act differently.
+ 
+ Regression potential at boot is barely existent. If the service fails,
+ nothing bad happens except your system booting in degraded state. There
+ might be a minor slow down, but should not be much.
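
Review bot: The boot paragraph of [Regression potential] calls the risk "barely existent" yet names a degraded boot state and a possible slowdown as outcomes. It would be clearer to say what the unit is ordered against and whether anything waits on it, since that is what bounds the slowdown. The postinst paragraph should also say what happens to the package upgrade if dh starts the oneshot service and it fails, because the [Test case] steps above only cover the success path.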

** Changed in: secureboot-db (Ubuntu Disco)
   Status: New => Fix Committed

** Changed in: secureboot-db (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: secureboot-db (Ubuntu Disco)
   Status: Fix Committed => In Progress

** Changed in: secureboot-db (Ubuntu Xenial)
   Status: New => In Progress

[Bug 1791370] Re: update database on each boot, not just on package install

2019-07-15 Thread Julian Andres Klode
** Also affects: secureboot-db (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: secureboot-db (Ubuntu Xenial)
   Importance: Undecided
   Status: New

** Also affects: secureboot-db (Ubuntu Eoan)
   Importance: Low
   Status: Fix Released

** Also affects: secureboot-db (Ubuntu Disco)
   Importance: Undecided
   Status: New

[Bug 1791370] Re: update database on each boot, not just on package install

2019-07-08 Thread Launchpad Bug Tracker
This bug was fixed in the package secureboot-db - 1.5

---
secureboot-db (1.5) eoan; urgency=medium

  * Add secureboot-db.service to apply updates at boot (LP: #1791370)
  * Delete postinst script, as systemd service is started postinst by dh

 -- Julian Andres Klode   Mon, 08 Jul 2019 17:36:02 +0200

** Changed in: secureboot-db (Ubuntu)
   Status: In Progress => Fix Released

[Bug 1791370] Re: update database on each boot, not just on package install

2019-07-03 Thread Steve Langasek
Patch lgtm.

[Bug 1791370] Re: update database on each boot, not just on package install

2019-06-28 Thread Ubuntu Foundations Team Bug Bot
** Tags added: patch

[Bug 1791370] Re: update database on each boot, not just on package install

2019-06-28 Thread Julian Andres Klode
Actual patch.

** Patch added: "service.patch"
   
https://bugs.launchpad.net/ubuntu/+source/secureboot-db/+bug/1791370/+attachment/5273984/+files/service.patch

** Changed in: secureboot-db (Ubuntu)
   Status: Triaged => In Progress

[Bug 1791370] Re: update database on each boot, not just on package install

2019-06-28 Thread Julian Andres Klode
Patch for review

[Bug 1791370] Re: update database on each boot, not just on package install

2018-09-08 Thread Francis Ginther
** Tags added: id-5b92dcef18769e2342a07c92
