Bug#986683: shim-signed-common: /usr/sbin/update-secureboot-policy ignores unknown arguments
The script /usr/sbin/update-secureboot-policy ignores unknown arguments. But
there are scripts which call it with other arguments.
(--new-key and --enroll-key in vboxdrv.sh from Oracle VirtualBox (see in
One such call managed to block a command on my computer, so it was running
forever and blocking manually started related commands.
(Looking as described in
https://superuser.com/questions/1493050/update-secureboot-policy-enroll-key-running-on-every-new-startup-eating-reso ,
but my key was already registered manually.)
Could you please abort and show an error message on unsupported arguments?
My workaround is to add a wrapper script around
/usr/sbin/update-secureboot-policy which aborts on unsupported arguments with
an error message. So the script should not hang anymore, and hopefully log a
nice error message.
Currently my compiled kernel modules are signed again, maybe because of the
wrapper, maybe already since I killed the hanging process.
Thank you very much for your work.
-- System Information:
Debian Release: 10.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages shim-signed-common depends on:
ii debconf [debconf-2.0] 1.5.71
ii mokutil 0.3.0+1538710437.fb6250f-1
shim-signed-common recommends no packages.
shim-signed-common suggests no packages.
-- debconf information:
* shim/disable_secureboot: false
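
A wrapper of the kind described in the report, as an added example (not the reporter's script and not code from shim-signed-common). It assumes the real script was moved to the hypothetical path in REAL_SCRIPT, and the ALLOWED_ARGS list is an assumption to be checked against the installed version.

```shell
#!/bin/sh
# Added example: strict-argument wrapper for update-secureboot-policy.
# Assumptions (not from the bug report):
#   REAL_SCRIPT  - hypothetical location the original script was moved to
#   ALLOWED_ARGS - options the installed version really handles; verify
#                  against its source before relying on this list
REAL_SCRIPT="${REAL_SCRIPT:-/usr/sbin/update-secureboot-policy.real}"
ALLOWED_ARGS="${ALLOWED_ARGS:---enable --disable --help}"

# Print the first argument that is not in ALLOWED_ARGS and return 1.
# Return 0 (printing nothing) when every argument is known.
first_unknown_arg() {
    for arg in "$@"; do
        known=no
        for ok in $ALLOWED_ARGS; do
            if [ "$arg" = "$ok" ]; then
                known=yes
            fi
        done
        if [ "$known" = no ]; then
            printf '%s\n' "$arg"
            return 1
        fi
    done
    return 0
}

# Refuse unknown arguments with a message on stderr and exit code 64
# (EX_USAGE) instead of silently ignoring them; otherwise run the real script.
run_wrapper() {
    if ! bad=$(first_unknown_arg "$@"); then
        echo "update-secureboot-policy: unsupported argument '$bad'" >&2
        return 64
    fi
    "$REAL_SCRIPT" "$@"
}

# Dispatch only when installed under the wrapped name, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    update-secureboot-policy)
        run_wrapper "$@"
        exit $?
        ;;
esac
```

A caller that passes an option outside the list now gets an immediate non-zero exit and a message on stderr, which a service script run under systemd will record in the journal.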