efivar -a doesn't work, cannot be used to update SecureBoot variables
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
efivar (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
[SRU Justification]
When using append mode, libefivar's efivarfs_
[Test case]
1. wget -q http://
2. unzip dbxupdate.zip
3. sudo apt install efivar
4. sudo chattr -i /sys/firmware/
5. sudo efivar -n d719b2cb-
6. Confirm that this fails with 'efivar: Invalid argument'.
7. Install efivar and libefivar1 from -proposed
8. Repeat step 5
9. Confirm that this command exits non-zero
10. Confirm that 'mokutil --dbx' shows a significant number of revoked hashes.
[Regression potential]
Since this function has clearly never ever worked, the only regression potential is if someone somewhere is calling this function with a payload that /shouldn't/ be written to nvram, and as a result of fixing this bug they now have junk written in an EFI variable.
While it's true that this makes efivar -a non-functional, we have other tools in main (sbkeysync from sbsigntool) which can be used to do these SecureBoot db updates, so while an SRU is justified I'm not planning to do one at this time.