From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001 From: dann frazier Date: Wed, 12 Aug 2020 15:27:08 -0600 Subject: sbkeysync: Don't ignore errors from insert_new_keys() If insert_new_keys() fails, say due to a full variable store, we currently still exit(0). This can make it difficult to know something is wrong. For example, Debian and Ubuntu implement a secureboot-db systemd service to update the DB and DBX, which calls: ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose But although this seemed to succeed on my system, looking at the logs shows a different story: Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx Error writing key update: Invalid argument Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin Signed-off-by: dann frazier Signed-off-by: James Bottomley --- src/sbkeysync.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/sbkeysync.c b/src/sbkeysync.c index e51f177..7748990 100644 --- a/src/sbkeysync.c +++ b/src/sbkeysync.c @@ -889,10 +889,12 @@ int main(int argc, char **argv) { bool use_default_keystore_dirs; struct sync_context *ctx; + int rc; use_default_keystore_dirs = true; ctx = talloc_zero(NULL, struct sync_context); list_head_init(&ctx->new_keys); + rc = EXIT_SUCCESS; for (;;) { int idx, c; @@ -985,10 +987,10 @@ int main(int argc, char **argv) if (ctx->verbose) print_new_keys(ctx); - if (!ctx->dry_run) - insert_new_keys(ctx); + if (!ctx->dry_run && insert_new_keys(ctx)) + rc = EXIT_FAILURE; talloc_free(ctx); - return EXIT_SUCCESS; + return rc; } -- cgit 1.2.3-1.el7