Merge branch 'f33' into f34

f38
Dominik 'Rathann' Mierzejewski 4 years ago
commit a2f93a3463

@ -0,0 +1,59 @@
From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
From: dann frazier <dann.frazier@canonical.com>
Date: Wed, 12 Aug 2020 15:27:08 -0600
Subject: sbkeysync: Don't ignore errors from insert_new_keys()
If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:
ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
But although this seemed to succeed on my system, looking at the logs shows
a different story:
Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
src/sbkeysync.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/sbkeysync.c b/src/sbkeysync.c
index e51f177..7748990 100644
--- a/src/sbkeysync.c
+++ b/src/sbkeysync.c
@@ -889,10 +889,12 @@ int main(int argc, char **argv)
{
bool use_default_keystore_dirs;
struct sync_context *ctx;
+ int rc;
use_default_keystore_dirs = true;
ctx = talloc_zero(NULL, struct sync_context);
list_head_init(&ctx->new_keys);
+ rc = EXIT_SUCCESS;
for (;;) {
int idx, c;
@@ -985,10 +987,10 @@ int main(int argc, char **argv)
if (ctx->verbose)
print_new_keys(ctx);
- if (!ctx->dry_run)
- insert_new_keys(ctx);
+ if (!ctx->dry_run && insert_new_keys(ctx))
+ rc = EXIT_FAILURE;
talloc_free(ctx);
- return EXIT_SUCCESS;
+ return rc;
}
--
cgit 1.2.3-1.el7

@ -2,7 +2,7 @@
Name: sbsigntools Name: sbsigntools
Version: 0.9.4 Version: 0.9.4
Release: 3%{?dist} Release: 4%{?dist}
Summary: Signing utility for UEFI secure boot Summary: Signing utility for UEFI secure boot
License: GPLv3+ License: GPLv3+
URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
@ -14,6 +14,8 @@ Source1: %{name}-mktarball.sh
Patch0: %{name}-no-git.patch Patch0: %{name}-no-git.patch
# add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a # add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
Patch1: %{name}-gnuefi.patch Patch1: %{name}-gnuefi.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
# same as gnu-efi # same as gnu-efi
ExclusiveArch: x86_64 aarch64 %{arm} %{ix86} ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
BuildRequires: make BuildRequires: make
@ -81,6 +83,9 @@ make check
%{_mandir}/man1/sbverify.1.* %{_mandir}/man1/sbverify.1.*
%changelog %changelog
* Mon May 17 2021 Dominik Mierzejewski <dominik@greysector.net> - 0.9.4-4
- don't ignore errors from sbkeysync (fixes rhbz#1955828)
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-3 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.4-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Loading…
Cancel
Save