Bug 1150014 - apply updates even when dbx isn't there yet
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dbxtool
Version: 20
Hardware: Unspecified
OS: Unspecified
Assignee: Peter Jones
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-10-07 09:00 UTC by Laszlo Ersek
Modified: 2014-10-21 10:27 UTC (History)

Fixed In Version: dbxtool-0.5-1.fc20
Doc Type: Bug Fix
Last Closed: 2014-10-11 06:52:31 UTC
Type: Bug


Attachments
[1/4] main(): free(NULL) is valid; simplify the code (807 bytes, patch)
2014-10-07 10:16 UTC, Laszlo Ersek
[2/4] esl_htable_create(): create empty hash table for (dbx_len == 0) (950 bytes, patch)
2014-10-07 10:17 UTC, Laszlo Ersek
[3/4] dump_dbx(): don't choke on (len == 0) (794 bytes, patch)
2014-10-07 10:17 UTC, Laszlo Ersek
[4/4] main(): apply updates even when dbx isn't there yet (2.09 KB, patch)
2014-10-07 10:17 UTC, Laszlo Ersek

Description Laszlo Ersek 2014-10-07 09:00:47 UTC
*** Description of problem:
dbxtool fails to apply updates when the dbx variable is absent.

*** Version-Release number of selected component (if applicable):
- dbxtool-0.4-1.fc20
- upstream as well (at commit 12448049)

*** How reproducible:
100%

*** Steps to Reproduce:
1. install an OVMF Fedora 20 guest

2. enroll PK, KEK (including "Microsoft Corporation KEK CA 2011",
   SHA1 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30)

3. run the following command:
   dbxtool --apply /usr/share/dbxtool/

*** Actual results:
dbxtool: Could not get dbx variable: No such file or directory

*** Expected results:
update succeeds

*** Additional info:
will attach patches (to be applied on top of upstream 12448049)

Comment 1 Laszlo Ersek 2014-10-07 10:16:31 UTC
Created attachment 944504
[1/4] main(): free(NULL) is valid; simplify the code

 src/dbxtool.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

Comment 2 Laszlo Ersek 2014-10-07 10:17:09 UTC
Created attachment 944505
[2/4] esl_htable_create(): create empty hash table for (dbx_len == 0)


In one of the next patches, a call to esl_htable_create() will become
possible with (dbx_len == 0). Treat this condition as

  dbx entirely absent

and create an empty hash table accordingly.
---
 src/eslhtable.c | 5 +++++
 1 file changed, 5 insertions(+)

Comment 3 Laszlo Ersek 2014-10-07 10:17:31 UTC
Created attachment 944506
[3/4] dump_dbx(): don't choke on (len == 0)


In the next patch, a call to dump_dbx() with (len == 0) will become
possible. Treat this condition as

  dbx entirely absent

and just return early, with success.
---
 src/dbxtool.c | 3 +++
 1 file changed, 3 insertions(+)

Comment 4 Laszlo Ersek 2014-10-07 10:17:52 UTC
Created attachment 944507
[4/4] main(): apply updates even when dbx isn't there yet


We should be able to apply updates when the platform has no dbx variable
yet. Accept the absence of dbx when the user requests --apply (with or
without --list),
- keeping the initial NULL / zero values of "dbx_buffer" and "dbx_len",
  respectively,
- and setting "attributes" to NV+BS+RT+AT+AppendWrite, as documented e.g.
  under <http://www.uefi.org/revocationlistfile>.

Note that this depends on the following efivar commit:

  commit 5a43dce1ef31d3d4927a4c67400a7e33ff8afe75
  Author: Peter Jones <pjones>
  Date:   Fri Aug 22 12:23:28 2014 -0400

      Revert "Only open with O_CREAT if we're not using
      EFI_VARIABLE_APPEND_WRITE."

      This reverts commit 7153d0dbb7d1d36b1712dfa91e2e62043880fdfa.

which is part of efivar-0.12.
---
 src/dbxtool.c | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
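
The behaviour described in the commit messages for patches 2/4 to 4/4, as an added C sketch that is not part of the attached patches or of dbxtool. The function names and the sample buffer are hypothetical; the attribute bit values and the 28-byte EFI_SIGNATURE_LIST header layout are taken from the UEFI specification, and reusing the attributes read from an existing dbx is an assumption of this sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
/* UEFI variable attribute bits, values as defined in the UEFI specification. */
#define EFI_VARIABLE_NON_VOLATILE                          0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS                    0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS                        0x04u
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x20u
#define EFI_VARIABLE_APPEND_WRITE                          0x40u
#define DBX_DEFAULT_ATTRS (EFI_VARIABLE_NON_VOLATILE | \
    EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS | \
    EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS | EFI_VARIABLE_APPEND_WRITE)

/* Hypothetical helper. get_rc/get_errno model the result of reading dbx.
 * Returns the attributes for the append write, or 0 if the run must stop. */
uint32_t dbx_write_attrs(int get_rc, int get_errno, int apply, uint32_t read_attrs)
{
    if (get_rc == 0)
        return read_attrs;            /* dbx exists: reuse what was read (assumed) */
    if (get_errno == ENOENT && apply)
        return DBX_DEFAULT_ATTRS;     /* dbx absent: buffer stays NULL, len 0 */
    return 0;                         /* any other failure is still fatal */
}

static uint32_t le32(const uint8_t *p)
{
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Count entries in a buffer of concatenated EFI_SIGNATURE_LISTs.
 * len == 0 means "dbx entirely absent" and yields 0; -1 means malformed. */
long esl_count_entries(const uint8_t *buf, size_t len)
{
    long total = 0;
    while (len > 0) {
        if (len < 28)                 /* type GUID (16) + three u32 sizes */
            return -1;
        uint32_t list = le32(buf + 16), hdr = le32(buf + 20), sig = le32(buf + 24);
        if (list < 28 || list > len || hdr > list - 28 || sig < 16
            || (list - 28 - hdr) % sig != 0)   /* sig must hold the owner GUID */
            return -1;
        total += (list - 28 - hdr) / sig;
        buf += list;
        len -= list;
    }
    return total;
}
/* Constructed sample: one list, no header, two 48-byte (SHA-256 sized) entries. */
const uint8_t SAMPLE_ESL[28 + 2 * 48] = { [16] = 124, [24] = 48 };
```
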

Comment 5 Laszlo Ersek 2014-10-07 10:23:38 UTC
With the above patches applied (and using efivar 0.12 or later):

* with --apply:

Applying 1 updates
Applying "DBXUpdate-2014-04-13-22-14-00.bin" 2010-3-6 19:17:21

* after that, with --list:


Comment 6 Fedora Update System 2014-10-07 19:18:44 UTC
efivar-0.13-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/efivar-0.13-1.fc19

Comment 7 Fedora Update System 2014-10-07 19:19:38 UTC
efivar-0.13-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/efivar-0.13-1.fc20

Comment 8 Fedora Update System 2014-10-07 19:20:34 UTC
efivar-0.13-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/efivar-0.13-1.fc21

Comment 9 Fedora Update System 2014-10-07 19:21:32 UTC
dbxtool-0.5-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/dbxtool-0.5-1.fc19

Comment 10 Fedora Update System 2014-10-07 19:22:10 UTC
dbxtool-0.5-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/dbxtool-0.5-1.fc20

Comment 11 Fedora Update System 2014-10-07 19:22:29 UTC
dbxtool-0.5-1.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/dbxtool-0.5-1.fc21

Comment 12 Fedora Update System 2014-10-08 18:56:44 UTC
Package efivar-0.13-1.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing efivar-0.13-1.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-12302/efivar-0.13-1.fc21
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2014-10-11 06:52:31 UTC
dbxtool-0.5-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2014-10-11 06:57:14 UTC
efivar-0.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2014-10-11 06:59:33 UTC
efivar-0.13-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-10-21 10:26:33 UTC
efivar-0.13-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Fedora Update System 2014-10-21 10:26:38 UTC
dbxtool-0.5-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-10-21 10:27:59 UTC
dbxtool-0.5-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

