Bug#986683: shim-signed-common: /usr/sbin/update-secureboot-policy ignores unknown arguments



Package: shim-signed-common
Version: 1.33+15+1533136590.3beb971-7
Severity: normal

Dear Maintainer,

the script /usr/sbin/update-secureboot-policy ignores unknown arguments. But
there are scripts which call it with other arguments.
(--new-key and --enroll-key in vboxdrv.sh from oracle virtualbox (see in
https://www.virtualbox.org/changeset/79186/vbox)).
One such call managed to block a command on my computer, so it was running
forever and blocking manually started related commands.
(Looking as described in
https://superuser.com/questions/1493050/update-secureboot-policy-enroll-key-running-on-every-new-startup-eating-reso ,
but my key was already registered manually.)
Could you please abort and show an error message on unsupported arguments?

My workaround is to add a wrapper script around
/usr/sbin/update-secureboot-policy which aborts on unsupported arguments with
an error message. So the script should not hang anymore, and hopefully log a
nice error message.
Currently my compiled kernel modules are signed again, maybe because of the
wrapper, maybe already since I killed the hanging process.

Thank you very much for your work.

Greetings,
Simon



-- System Information:
Debian Release: 10.9
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-16-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), LANGUAGE=de_CH:de (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages shim-signed-common depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  mokutil                0.3.0+1538710437.fb6250f-1

shim-signed-common recommends no packages.

shim-signed-common suggests no packages.

-- debconf information:
  shim/error/secureboot_key_mismatch:
  shim/enable_secureboot: false
  shim/title/secureboot:
* shim/disable_secureboot: false
* shim/error/bad_secureboot_key:
* shim/secureboot_explanation:
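
A wrapper along the lines of the workaround described in the report, as an added example that is neither the reporter's script nor Debian's code. The renamed helper path `REAL_HELPER` and the option list `ALLOWED_OPTS` are assumptions and must be checked against the installed script.

```shell
#!/bin/sh
# Added example: fail-closed argument check in front of a privileged helper.
# Assumption: the packaged script was moved aside to REAL_HELPER (hypothetical path).
REAL_HELPER="/usr/sbin/update-secureboot-policy.real"
# Assumption: constructed placeholder list; replace it with the options that the
# installed update-secureboot-policy really handles.
ALLOWED_OPTS="--enable --disable --help"

# Return 0 if every argument is in ALLOWED_OPTS, otherwise report the first
# unsupported one on stderr and return 2. An empty argument list is accepted.
validate_args() {
    for arg in "$@"; do
        ok=no
        for opt in $ALLOWED_OPTS; do
            if [ "$arg" = "$opt" ]; then
                ok=yes
                break
            fi
        done
        if [ "$ok" != yes ]; then
            echo "update-secureboot-policy: unsupported argument '$arg'" >&2
            return 2
        fi
    done
    return 0
}

main() {
    # Refuse before the helper starts, so a caller gets an error instead of a hang.
    validate_args "$@" || exit 2
    if [ ! -x "$REAL_HELPER" ]; then
        echo "update-secureboot-policy: $REAL_HELPER is missing" >&2
        exit 127
    fi
    exec "$REAL_HELPER" "$@"
}

# Dispatch only when installed under the helper's own name, so the functions
# can be loaded and tested without running the helper.
case "${0##*/}" in
    update-secureboot-policy) main "$@" ;;
esac
```

Moving the packaged script aside with `dpkg-divert --rename` keeps a package upgrade from replacing the wrapper.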