[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#986683: shim-signed-common: /usr/sbin/update-secureboot-policy ignores unknown arguments

Package: shim-signed-common
Version: 1.33+15+1533136590.3beb971-7
Severity: normal

Dear Maintainer,

the script  /usr/sbin/update-secureboot-policy ignores unknown arguments. But
there are scripts which call it with other arguments.
(--new-key and --enroll-key in vboxdrv.sh from oracle virtualbox (see in
One such call managed to block a command on my computer, so it was running
forever and blocking manual started related commands.
(Looking as described in https://superuser.com/questions/1493050/update-
secureboot-policy-enroll-key-running-on-every-new-startup-eating-reso , but my
key was already registered manually.)
Could you please abort show an error message on unsupported arguments?

My work around is to add a wrapper script around /usr/sbin/update-secureboot-
policy which aborts on unsupported arguments with an error message. So the
script should not hang anymore, and hopefully log a nice error message.
Currently my compiled kernel modules are signed again, maybe because of the
wrapper, maybe already since I killed the hanging process.

Thank you very much for your work.


-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed-common depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  mokutil                0.3.0+1538710437.fb6250f-1

shim-signed-common recommends no packages.

shim-signed-common suggests no packages.

-- debconf information:
  shim/enable_secureboot: false
* shim/disable_secureboot: false
* shim/error/bad_secureboot_key:
* shim/secureboot_explanation:

Reply to: