sbkeysync: Don't ignore errors from insert_new_keys()

If insert_new_keys() fails, say due to a full variable store, we currently
still exit(0). This can make it difficult to know something is wrong.
For example, Debian and Ubuntu implement a secureboot-db systemd service
to update the DB and DBX, which calls:

 ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose

But although this seemed to succeed on my system, looking at the logs shows
a different story:

Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
Error writing key update: Invalid argument
Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin

Signed-off-by: dann frazier <>
Signed-off-by: James Bottomley <>
1 file changed