parent
182fd20c33
commit
301ac71fdb
@ -1,59 +0,0 @@
|
|||||||
From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
|
|
||||||
From: dann frazier <dann.frazier@canonical.com>
|
|
||||||
Date: Wed, 12 Aug 2020 15:27:08 -0600
|
|
||||||
Subject: sbkeysync: Don't ignore errors from insert_new_keys()
|
|
||||||
|
|
||||||
If insert_new_keys() fails, say due to a full variable store, we currently
|
|
||||||
still exit(0). This can make it difficult to know something is wrong.
|
|
||||||
For example, Debian and Ubuntu implement a secureboot-db systemd service
|
|
||||||
to update the DB and DBX, which calls:
|
|
||||||
|
|
||||||
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
|
|
||||||
|
|
||||||
But although this seemed to succeed on my system, looking at the logs shows
|
|
||||||
a different story:
|
|
||||||
|
|
||||||
Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
|
|
||||||
Error writing key update: Invalid argument
|
|
||||||
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
|
|
||||||
|
|
||||||
Signed-off-by: dann frazier <dann.frazier@canonical.com>
|
|
||||||
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
|
|
||||||
---
|
|
||||||
src/sbkeysync.c | 8 +++++---
|
|
||||||
1 file changed, 5 insertions(+), 3 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
|
|
||||||
index e51f177..7748990 100644
|
|
||||||
--- a/src/sbkeysync.c
|
|
||||||
+++ b/src/sbkeysync.c
|
|
||||||
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
|
|
||||||
{
|
|
||||||
bool use_default_keystore_dirs;
|
|
||||||
struct sync_context *ctx;
|
|
||||||
+ int rc;
|
|
||||||
|
|
||||||
use_default_keystore_dirs = true;
|
|
||||||
ctx = talloc_zero(NULL, struct sync_context);
|
|
||||||
list_head_init(&ctx->new_keys);
|
|
||||||
+ rc = EXIT_SUCCESS;
|
|
||||||
|
|
||||||
for (;;) {
|
|
||||||
int idx, c;
|
|
||||||
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
|
|
||||||
if (ctx->verbose)
|
|
||||||
print_new_keys(ctx);
|
|
||||||
|
|
||||||
- if (!ctx->dry_run)
|
|
||||||
- insert_new_keys(ctx);
|
|
||||||
+ if (!ctx->dry_run && insert_new_keys(ctx))
|
|
||||||
+ rc = EXIT_FAILURE;
|
|
||||||
|
|
||||||
talloc_free(ctx);
|
|
||||||
|
|
||||||
- return EXIT_SUCCESS;
|
|
||||||
+ return rc;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
cgit 1.2.3-1.el7
|
|
||||||
|
|
@ -1,12 +0,0 @@
|
|||||||
diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
|
|
||||||
--- sbsigntools-0.9.4/src/idc.c.openssl3 2020-07-04 01:14:29.000000000 +0200
|
|
||||||
+++ sbsigntools-0.9.4/src/idc.c 2021-11-19 16:20:10.082475750 +0100
|
|
||||||
@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
|
|
||||||
|
|
||||||
idc->data->type = OBJ_nid2obj(peid_nid);
|
|
||||||
idc->data->value = ASN1_TYPE_new();
|
|
||||||
- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
|
|
||||||
+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
|
|
||||||
|
|
||||||
idc->digest->alg->parameter = ASN1_TYPE_new();
|
|
||||||
idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
|
|
@ -1 +1 @@
|
|||||||
SHA512 (sbsigntools-0.9.4.tar.xz) = ad1a2ed2a937414c6aee593a6d37638a56076fdbda112943af16c46dcaca578d3dac6498dc02f7e62499328cd82b48ab635f4fbac1ae49c606c9a717d9301133
|
SHA512 (sbsigntools-0.9.5.tar.xz) = dbe52b709724eaaa0d5859ca0088190ee417e721a626681ea84cae3f04a7484e5caf64eb469094d3e373724c1f530cc75fa8ac63eaa91f803db2fda2f46c594f
|
||||||
|