[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

** Changed in: oem-priority
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Launchpad Bug Tracker]

This bug was fixed in the package fwupd - 1.2.14-0~18.04.2

---
fwupd (1.2.14-0~18.04.2) bionic; urgency=medium

  * debian/rules: catch up to generate sbat section.

fwupd (1.2.14-0~18.04.1) bionic; urgency=medium

  * New upstream version (1.2.14) (LP: #1884788)
  * Bug fixes:
- Fixes crashes on fwupdaa64.efi on startup (LP: #1858590)
- Check version was updated by checking version
- Correctly import PKCS-7 remote metadata
- Decrease minimum battery requirement to 10%
- Disable the battery percentage checks if UPower is unavailable
- Do not do semver conversion in fu_common_vercmp()
- Fix the DeviceID set by GetDetails
- Force the synaptics-prometheus minor version from 0x02 to 0x01
- Prevent Dell updates to occur via synaptics-mst
- Read all releases and convert versions when comparing
- Use the correct timeout for unifying IO channel writes
- Validate that gpgme_op_verify_result() returned at least one signature
- Avoid checking for bolt support when not required
- Correct HWID support in wacom-raw
- Fix offset of vendor id of hidraw devices
- Make loading vendor/product/serial strings non-fatal
- Only check the vendor ID if the device has one set
- Use more systemd directives for directories
- Actually write the new device path if different than before
- Add a SynapticsMSTBoardID for a few Lenovo docks
- Add the counterpart GUID for the DW5821e
- Be more accepting when trying to recover a failed database migration
- Do not ask the user to upload a report if ReportURI is not set
- Do not segfault when trying to quit the downgrade selection
- Fix a crash when stopping the fwupd service
- Never show AppStream markup on the console
- Relax the certificate time checks in the self tests for the legacy 
certificate
- Reload metadata store when configuration changes
- Remove replug flag after the device comes back from reboot
- Update device_modified in sql database during updates
- Work properly with ICL thunderbolt controller
  * New features:
- Add support for tpm2-tools 4.X
- Allow specifying a firmware GUID to check any version exists
- Add SBAT region support (LP: #1921539)
  * Don't cleanup /var/cache/fwupdate anymore
  * Drop upstreamed patches:
- 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
- 0001-trivial-libfwupd-skip-tests-if-machine-id-is-empty-t.patch
- 0001-Allows-confined-snaps-to-activate-fwupd-via-D-Bus.patch
- 0001-Only-check-the-vendor-ID-if-the-device-has-one-set.patch
- 0001-efi-use-a-wildcard-section-copy-for-final-EFI-genera.patch
- CVE-2020-10759.patch
  * Remaining changes:
- meson-0.45-bc.patch: Fix build with meson 0.45
- Drop added Recommends: on bolt which is not in flavor seeds and adds a
  new service.
  * Backport a patch from upstream 1_2_X branch to fix SBAT character.
  * Backport a patch from upstream 1_2_X branch to fix vendor-id requirement
error on Dell WD19 (LP: #1921544)

 -- Yuan-Chen Cheng   Tue, 31 Aug 2021 15:58:09
+0800

** Changed in: fwupd (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10759

** Changed in: fwupd-signed (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Launchpad Bug Tracker]

This bug was fixed in the package fwupd-signed - 1.10~ubuntu18.04.6

---
fwupd-signed (1.10~ubuntu18.04.6) bionic; urgency=medium

  * Build depends on fwupd version 1.2.14-0~18.04.2. (LP: #1921539)

fwupd-signed (1.10~ubuntu18.04.5) bionic; urgency=medium

  * Build depends on fwupd version 1.2.14-0~18.04.1
- LP: #1921544
- LP: #1921539
- LP: #1884788
- LP: #1858590

 -- Yuan-Chen Cheng   Tue, 31 Aug 2021 17:50:22
+0800

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

fwupd 1.2.14-0~18.04.2 from the bionic-proposed channel
+ fwupd-signed + shim from the bionic-proposed channel.
+ secure boot on.

test nvme firmware re-install
wd19sc docking firmware upgrade (ref: lp:1921544)
wd19tb docking firmware reinstall
  (fwupdmgr install --allow-reinstall  
4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab)

all passed.

---

log:

$ fwupdmgr install --allow-reinstall  
4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab
 
Decompressing…   [***]
Authenticating…  [***]
Installing on Package level of Dell dock…]
Restarting device…   [***]
Installing on RTS5413 in Dell dock…  ]
Restarting device…   [***] Less than 
one minute remaining…
Installing on RTS5487 in Dell dock…**]
Restarting device…   [***] Less than 
one minute remaining…
Installing on Thunderbolt controller in Dell dock…***]
Restarting device…   [***] Less than 
one minute remaining…
Installing on WD19TB…
Idle…[***]
Installing on VMM5331 in Dell dock…
Idle…[***]
Restarting device…   [***] Less than 
one minute remaining…
Installing on WD19TB…[** ]
Restarting device…   [***] Less than 
one minute remaining…
Tool version updates to address security vulnerabilities.


** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Test to upgrade bios with secure boot on + fwupd 1.2.14-0~18.04.2/fwupd-
signed/shim from the bionic-proposed channel, it works just fine.

Upgrade bios from gnome-software test passed.

AI: test more like NVME, Docking, etc.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Brian Murray]

Hello Mario, or anyone else affected,

Accepted fwupd into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.2
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Tags removed: verification-failed-bionic
** Tags added: verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

debdiff for fwupd-signed against the one in the proposed channel.

** Patch added: "fwupd-signed_1.10~ubuntu18.04.6.debdiff"
   
https://bugs.launchpad.net/oem-priority/+bug/1921539/+attachment/5521864/+files/fwupd-signed_1.10~ubuntu18.04.6.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Did test the one in proposed, it does failed with new shim + sb on.

I prepare a ppa with updated fwupd.

sudo add-apt-repository ppa:ycheng-twn/fwupd-bionic-sbat-3

the unsigned-efi does have a sbat section:

---

~# objdump -h  /usr/lib/fwupd/efi/fwupdx64.efi

/usr/lib/fwupd/efi/fwupdx64.efi: file format pei-x86-64

Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text 7a2b  4000  4000  0400  2**4
  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc000a  c000  c000  8000  2**0
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 2ea8  d000  d000  8200  2**5
  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat 00ec  0001  0001  b200  2**0
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynamic  0150  00011000  00011000  b400  2**3
  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 0e70  00012000  00012000  b600  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt 0018  00012e70  00012e70  c670  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym   0288  00013000  00013000  ca00  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Steve Langasek]

> if we do want to support secure boot on bionic

Yes, this is non-negotiable.  In fact, publication of the updated shim
to bionic has been held up because of concerns over regressing fwupd-
signed, which exists specifically *for* support under SecureBoot.

So, I'm going to mark this verification-failed since the sbat section is
missing.

Please upload a fixed fwupd package with sbat support ASAP so that we
can land the updated shim.

** Changed in: fwupd-signed (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** Tags removed: verification-needed-bionic
** Tags added: verification-failed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

per check fwupd-signed in the bionic-proposed channel, it does not have sbat 
section.
if we do want to support secure boot on bionic, we need the refine the 
debian/rules
and rolling the deb again. Are we going to do that? If yes, you can ping me to 
work
the debdiff. If not, you also can ping me and I can do the verification for it.

# objdump -h /usr/lib/fwupd/efi/fwupdx64.efi.signed

/usr/lib/fwupd/efi/fwupdx64.efi.signed: file format pei-x86-64

Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text 7a30  4000  4000  0400  2**4
  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc000a  c000  c000  8000  2**0
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 2ea8  d000  d000  8200  2**5
  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic  0150  0001  0001  b200  2**3
  CONTENTS, ALLOC, LOAD, DATA
  4 .rela 0e70  00011000  00011000  b400  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.plt 0018  00011e70  00011e70  c470  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym   0270  00012000  00012000  c800  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Brian Murray]

Hello Mario, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/fwupd-
signed/1.10~ubuntu18.04.5 in a few hours, and then in the -proposed
repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: fwupd-signed (Ubuntu Bionic)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Brian Murray]

Hello Mario, or anyone else affected,

Accepted fwupd into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
bionic to verification-done-bionic. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-bionic. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: fwupd (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags removed: verification-done
** Tags added: verification-needed verification-needed-bionic

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Launchpad Bug Tracker]

This bug was fixed in the package fwupd - 1.5.11-0ubuntu1~20.04.2

---
fwupd (1.5.11-0ubuntu1~20.04.2) focal; urgency=medium

  * force to use libjcat >= 0.1.3, or signature verification will
failed.

fwupd (1.5.11-0ubuntu1~20.04.1) focal; urgency=medium

  * New upstream version (1.5.11) to support Dell dock USB4 module.
(LP: #1934209)
  * Drop all patches upstream.
  * Downgrade libgusb from 0.3.5 to 0.3.4 which used in focal after
checking through all commits between.

fwupd (1.5.8-0ubuntu1) hirsute; urgency=medium

  * New upstream version (1.5.8)
  * Backport a patch to fix SBAT (LP: #1921539)
  * Drop all other patches, upstream.

fwupd (1.5.7-3) unstable; urgency=medium

  * Backport a patch to fix regression in fwupdtool activate
  * Backport a patch to fix activatable devices getting stuck in an update loop
  * Rebuild to pick up new signing keys.

fwupd (1.5.7-2) unstable; urgency=medium

  * Backport a patch to fix FTBFS on armhf for SBAT

fwupd (1.5.7-1) unstable; urgency=medium

  * New upstream version (1.5.7)
- Fixes issues with SBAT on UEFI.
  * Fixes dependencies for -dev packages:
Closes: #980691, #980684

fwupd (1.5.6-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Fix up Uploaders for the -signed packages - remove Jared, add Matthias

  [ Mario Limonciello ]
  * New upstream version (1.5.6)
  * drop all upstream patches

fwupd (1.5.5-2) unstable; urgency=medium

  * fwupd.postinst: Adjust to read /etc/os-release instead of `/etc/lsb-
release`

fwupd (1.5.5-1) unstable; urgency=medium

  * New upstream version (1.5.5)
  * trivial: debian: migrate uefi->uefi_capsule in uefi.conf
  * trivial: debian: fix modules-load.d directory
  * trivial: debian: add dbus to recommends (Closes: #980049)
  * Backport 2 patches for continual "Unknown" message on new connections
  * trivial: debian: read /etc/lsb-release instead of dpkg-dev (Closes: 
#977860, #977861, #970783)

fwupd (1.5.3-2) unstable; urgency=medium

  * trivial: debian: only install fwupd-msr.conf if needed

fwupd (1.5.3-1) unstable; urgency=medium

  * New upstream version (1.5.3)
  * Drop all patches (upstream)
  * Follow defaults for nvme and redfish plugins (don't need efivar now)
  * debian/control:
- Drop libsoup build dependency
- Add libcurl build dependency
- Add systemd build dependency
  * Migrate debian/fwupd.preinst content to debian/fwupd.maintscript

fwupd (1.5.1-5) unstable; urgency=medium

  * Backport patch to fix ppc64el autopkgtest failure

fwupd (1.5.1-4) unstable; urgency=medium

  * trivial: debian: disable downloading from LVFS in autopkgtest

fwupd (1.5.1-3) unstable; urgency=medium

  * Add breaks for fwupdate 12-7 (Closes: #960688)
  * trivial: debian: add git to fwupdate-tests dependencies

fwupd (1.5.1-2) unstable; urgency=medium

  [ Mario Limonciello ]
  * Backport a patch to indicate if packages are supported or not
  * backport a patch to fix autopkgtests on ppc64el
  * trivial: debian: don't hardcode paths in libexec
  * trivial: debian: disable msr plugin on all !x86

  [ Jessica Clarke ]
  * debian: Check DEB_HOST_ARCH_CPU not DEB_HOST_ARCH for MSR plugin
  * debian: Prefer Makefile substitution over shell substitution
  * debian: Use if/else rather than overriding default values
  * debian: Drop pointless dh_shlibdeps override
  * debian: Check for valgrind in Makefile not shell and don't hard-code path
  * debian: Fix dangerous lack of set -e
  * debian: Fix another instance of unusual ifeq syntax
  * debian: Build up CONFARGS list rather than individual variables
  * debian: Fix another dangerous missing set -e
  * debian: Use uniform spacing around semicolons
  * debian: Avoid looking like a set -e is missing
  * debian: Remove unnecessary ./ use
  * debian: Add quotes around glob

fwupd (1.5.1-1) unstable; urgency=medium

  * New upstream version (1.5.1)
  * Drop backported patches

fwupd (1.4.6-2) unstable; urgency=medium

  * Add udisks2 to recommends
  * Backport a patch to fix a crash when udisks2 is missing (Closes: #970054)
  * Disable flashrom for ia64

fwupd (1.4.6-1) unstable; urgency=medium

  * New upstream version (1.4.6)

fwupd (1.4.5-1) unstable; urgency=medium

  * New upstream version (1.4.5)
  * Drop flashrom patch, now upstream
  * Regenerate control file
- Refresh dependencies for 1.4.x
- Drop Jared as uploader

fwupd (1.3.11-2) unstable; urgency=medium

  * Stop generating debian/control automatically at build time
  * Add build-dep on libflashrom-dev

 -- Yuan-Chen Cheng   Fri, 23 Jul 2021 15:14:53
+0800

** Changed in: fwupd (Ubuntu Focal)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

** Changed in: fwupd-signed (Ubuntu Focal)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Julian Andres Klode]

According to bug 1934209:

Verification passed on Focal

Secure boot on
shim-signed: 1.40.6+15.4-0ubuntu7 (proposed channel, sbat applied)
fwupd: 1.5.11-0ubuntu1~20.04.2 (propsoed channel, sbat applied)

** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

** Changed in: oem-priority
   Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Łukasz Zemczak]

Hello Mario, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/fwupd/1.5.11-0ubuntu1~20.04.1 in a
few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: fwupd (Ubuntu Focal)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

I think we can re-use the fwupd-sign that Mario uploaded, since the
version number is not changed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

follow up #29, per the built un-signed fwupdx64.efi, it does have the
sbat section.

$ objdump -h ./fwupdx64.efi

./fwupdx64.efi: file format pei-x86-64

Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text 7a2b  4000  4000  0400  2**4
  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc000a  c000  c000  8000  2**0
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 2ea8  d000  d000  8200  2**5
  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat 00ec  0001  0001  b200  2**0
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynamic  0150  00011000  00011000  b400  2**3
  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 0e70  00012000  00012000  b600  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt 0018  00012e70  00012e70  c670  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym   0288  00013000  00013000  ca00  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

the one mario uploaded to bionic queue missing the debian/rules change.

I put one with those change in https://launchpad.net/~ycheng-
twn/+archive/ubuntu/fwupd-bionic-sbat-1

per quick check, the major diff from current one in debian buster are
the two arm patch:

0010-uefi-capsule-Sync-linker-scripts-with-latest-used-by.patch
0011-uefi-capsule-Include-crt0-for-arm-and-aarch64-that-a.patch

juliank think we don't need those, so I didn't include them.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Launchpad Bug Tracker]

This bug was fixed in the package fwupd-signed - 1.30.1

---
fwupd-signed (1.30.1) groovy; urgency=medium

  * Build depend on fwupd 1.4.7-0~20.10.1
- LP: #1921544
- LP: #1921539
- LP: #1909734
- LP: #1886912
- LP: #1900935

 -- Mario Limonciello   Fri, 26 Mar 2021
14:04:01 -0500

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Launchpad Bug Tracker]

This bug was fixed in the package fwupd - 1.4.7-0~20.10.1

---
fwupd (1.4.7-0~20.10.1) groovy; urgency=medium

  * new upstream version (1.4.7)
  * Bug fixes:
-  Check returned volumes before accessing them
-  Correct a Thunderbolt assertion if kernel failed FW read
-  Do not dedupe NVMe devices
-  Do not match all HIDRAW\VEN_06CB devices
-  Don't allow device updates while needing activation
-  Fix adding multiple flags to devices
-  Fix critical warning regression with 'fwupdate -a'
-  Fix probe warning for the Logitech Unifying device
-  Fix the quirk key name for the Lenovo HDMI with power
-  Make TPM more optional
-  Make udisks2 errors more apparent
-  Only set the version format for ESRT entries
-  Remove the Hughski public key
-  Restore recognizing gpg and pkcs7 types still
-  Wait a few ms for the Logitech hardware to settle after detach
  * New features
- Add support for SBAT. (LP: #1921539)
- Adds support for Synaptics fingerprinter reader (LP:# 1900935)
  * Fixes TPM PCR0 reading failures if all characters are 0.
(LP: #1909734)
  * Fixes Synaptics RMI probe causing touchscreen failures
(LP: #1886912)
  * Backport a patch from upstream 1_4_X branch to fix SBAT character.
  * Backport a patch from upstream 1_4_X branch to fix vendor-id requirement
error on Dell WD19 (LP: #1921544)

 -- Mario Limonciello   Fri, 26 Mar 2021
13:45:02 -0500

** Changed in: fwupd (Ubuntu Groovy)
   Status: Fix Committed => Fix Released

** Changed in: fwupd-signed (Ubuntu Groovy)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mathew Hodson]

** Tags removed: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Per #23, change to verified done in groovy.

** Tags removed: verification-needed-groovy
** Tags added: verification-done-groovy

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Per #23, create another bug for groovy sbat SRU in lp:1926011

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Dimitri John Ledkov]

$ wget http://archive.ubuntu.com/ubuntu/dists/groovy-proposed/main/uefi
/fwupd-amd64/1.4.7-0~20.10.1/fwupdx64.efi.signed

$ md5sum fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168  fwupdx64.efi.signed

$ objdump -h ./fwupdx64.efi.signed

./fwupdx64.efi.signed: file format pei-x86-64

Sections:
Idx Name  Size  VMA   LMA   File off  Algn
  0 .text 75c0  4000  4000  0400  2**4
  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc000a  c000  c000  7a00  2**0
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 2d68  d000  d000  7c00  2**5
  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic  0150  0001  0001  aa00  2**3
  CONTENTS, ALLOC, LOAD, DATA
  4 .rela 0e70  00011000  00011000  ac00  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.plt 0018  00011e70  00011e70  bc70  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym   0270  00012000  00012000  c000  2**3
  CONTENTS, ALLOC, LOAD, READONLY, DATA

The binary clearly does not have .sbat section, thus it will not be
trusted or booted by new shim in hirsute.

fwupd in hirsute does have .sbat section.

This SRU claims to add .sbat for the first time in groovy, but actually
does not. So it is ok to release this SRU in groovy, but we need a
follow up SRU to add sbat section for real.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

today I use the same machine, install debian 10.9 in text mode, and
install

fwupd / fwupd-signed: 1.2.13-3+deb10u2
existing shim-signed: 1.33+15+1533136590.3beb971-7

I found I also need to install policykit-1.

Then I did the same test with secure boot on. The test is passed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

@xnox was there some sort of signing rotation or anything?  could
fwupdx64.efi in groovy have gotten signed prematurely to said rotation?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

@mario, I turn secure boot on, and boot into OS, then run the fwupdmgr
install command, then reboot, then I saw the failure.

One more thing, for new shim + groovy grub, I found the same failure happens if 
I use groovy/grub 
1.155+2.04-1ubuntu35 as boot into OS (so I can't boot into OS with this grub), 
however if I use groovy/grub 1.167+2.04-1ubuntu44 from the update channel, then 
I can boot into OS.

Feel free to ask questions if anyone wants to reproduce and doesn't know
certain steps in detail, or you want to know my steps in more detail as
reviewing.

A full running session is here:

root@u-Latitude-5300:~# sh run.sh ; exit
+ dpkg -l
+ grep shim
ii  shim   15.4-0ubuntu1
   amd64boot loader to chain-load signed boot loaders under Secure Boot
ii  shim-signed1.46+15.4-0ubuntu1   
   amd64Secure Boot chain-loading bootloader (Microsoft-signed binary)
+ + grep fwupd
echo please run reboot 1.4.7-0~20.10.1  
   amd64Firmware update daemon
ii  fwupd-signed   1.30.1+1.4.7-0~20.10.1   
   amd64Linux Firmware Updater EFI signed binary
ii  libfwupd2:amd641.4.7-0~20.10.1  
   amd64Firmware update daemon library
ii  libfwupdplugin1:amd64  1.4.7-0~20.10.1  
   amd64Firmware update daemon plugin library
+ fwupdmgr install 
9da74134678173a97e2d3eb4a79f0beba0e43e85155777e040396bad6b70d0b4-firmware.cab 
--allow-reinstall
Decompressing…   [***]
Authenticating…  [***]
Installing on System Firmware…/  ]
Scheduling…  [***]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: n
+ md5sum /usr/libexec/fwupd/efi/fwupdx64.efi.signed 
/boot/efi/EFI/ubuntu/fwupdx64.efi
e3a387f8f87852e670d105145cb96168  /usr/libexec/fwupd/efi/fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168  /boot/efi/EFI/ubuntu/fwupdx64.efi
+ mokutil --sb
SecureBoot enabled
+ echo please run reboot
please run reboot

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

@ycheng-twn:

In your groovy tests from one run to another was secure boot on from the
moment you initiated the FW update?  Or did you just turn it on after
the reboot and pick "Linux Firmware Updater" entry?

I ask because fwupd will examine the state of secure boot at the time
the update is attempted from in Ubuntu.  If it's off, the non-signed
UEFI binary is placed on the ESP.  If it's on at that time, the signed
binary is placed on the ESP.  If you subverted the flow by changing
secure boot "in-between" that could be the reason for the failure with
SB on.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Test passed on hirsute.

I use the same machine, install hirsute, apt upgrade everything, and
confirm it have update shim and fwupd. Then turn on secure boot and do
the same test, I found fwupd does upgrade bios fw as secure boot is on,
so it's test passed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

I'll try to test hirsute as I got the chance to.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

@mario, the "newer shim from hirsute" + the existing grub on groovy with
secure boot on boot into OS as expected.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Dimitri John Ledkov]

@ycheng-twn securution/foundations would like to recheck fwupd.efi
binaries.

we will not release new shim to groovy, until we know that fwupd.efi is
compatible.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

does the newer shim + grub work?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Bios 1.10.4 is not the most updated version on lvfs. However I think the
new mechanism need to also work on old bios version.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

I did the following test, the result is failed.

Machine: Dell Latitude 5300
BIOS: 1.10.4
Test case: download 1.10.4 bios cab from lfvs, and reinstall the bios using 
fwupd with the command "fwupdmgr install .cab --allow-reinstall"

Pass means: we can run BIOS re-install.
Failed means: we can't run BIOS re-install and we will see the error message on 
the screen. The error message is shown on the monitor in text with blue 
background.

shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.5-1
secure boot off: Pass

shim and shim-singed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.5-1
secure boot on, failed msg: Verification failed: (0x1A) Security 
Violation

shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.7-0~20.10.1
secure boot on, failed msg: Verification failed: (0x1A) Security 
Violation

The following pkg were install to do above test.
fwupd_1.4.7-0~20.10.1_amd64.deb
fwupd-signed_1.30.1+1.4.7-0~20.10.1_amd64.deb
libfwupd2_1.4.7-0~20.10.1_amd64.deb
libfwupdplugin1_1.4.7-0~20.10.1_amd64.deb

Is the test procedure wrong or need to install something else?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

@xnox

Can you propose this idea to upstream fwupd?  Unlike GRUB there is a
stronger ABI between the EFI application and userspace.

So I think it would be better to make it an upstream decision and then
mirror it in Ubuntu rather than Ubuntu having to chase the potential for
an ABI disaster if fwupd userspace starts to change in the future.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

RE: [Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Dimitri John Ledkov]

New shim is available in hirsute-proposed now, and I guess since this is
now available in groovy-proposed, we can copy shim into groovy-proposed
to complete end to end testing with the new shim.

** Changed in: fwupd-signed (Ubuntu Hirsute)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Dimitri John Ledkov]

Ideally I would want us to split fwupd into fwupd-unsigned & fwupd-
unsigned, like we did with grub.

That way
* fwupd will drop shipping .efi binaries
* fwupd-unsigned will only build and submit .efi binary for signing
* fwupd-signed will ship signed .efi binary

with fwupd-unsigned & fwupd-signed binary copied to all distributions,
with relaxed dependencies to not depend on a strict version of fwupd
userspace things.

Such that all releases share the very same build of fwupd.efi, just like
all releases share the shim.efi and grub.efi nowadays.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

given shim with sbat feature still not release (lp:1921134), this is
more a pre-landing so that we can test as shim+sbat is there.

Give so, as long as there are not other regression, I plan to tag
verification-done-groovy soon.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Łukasz Zemczak]

Hello Mario, or anyone else affected,

Accepted fwupd into groovy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.4.7-0~20.10.1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
groovy to verification-done-groovy. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-groovy. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: fwupd (Ubuntu Groovy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-groovy

** Changed in: fwupd-signed (Ubuntu Groovy)
   Status: In Progress => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Launchpad Bug Tracker]

This bug was fixed in the package fwupd - 1.5.8-0ubuntu1

---
fwupd (1.5.8-0ubuntu1) hirsute; urgency=medium

  * New upstream version (1.5.8)
  * Backport a patch to fix SBAT (LP: #1921539)
  * Drop all other patches, upstream.

 -- Mario Limonciello   Fri, 26 Mar 2021
14:07:35 -0500

** Changed in: fwupd (Ubuntu Hirsute)
   Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

Hirsute/fwupd with sbat patch now in proposed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

** Tags added: sbat

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

** Changed in: oem-priority
   Importance: Undecided => High

** Changed in: oem-priority
   Status: New => Confirmed

** Tags added: fwupd

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

for focal, SRU to version 1.4.7 and add SBAT patch is tracked in
lp:1920723

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

** Also affects: oem-priority
   Importance: Undecided
   Status: New

** Changed in: oem-priority
 Assignee: (unassigned) => Yuan-Chen Cheng (ycheng-twn)

** Tags added: oem-priority

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

** Changed in: fwupd (Ubuntu Focal)
   Status: New => In Progress

** Changed in: fwupd (Ubuntu Groovy)
   Status: New => In Progress

** Changed in: fwupd (Ubuntu Hirsute)
   Status: New => In Progress

** Changed in: fwupd-signed (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: fwupd-signed (Ubuntu Focal)
   Status: New => In Progress

** Changed in: fwupd-signed (Ubuntu Groovy)
   Status: New => In Progress

** Changed in: fwupd-signed (Ubuntu Hirsute)
   Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

** Changed in: fwupd (Ubuntu Bionic)
   Status: New => In Progress

** Changed in: fwupd (Ubuntu Bionic)
 Assignee: (unassigned) => Mario Limonciello (superm1)

** Changed in: fwupd-signed (Ubuntu Bionic)
 Assignee: (unassigned) => Mario Limonciello (superm1)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1921539] Re: Add support for SBAT

[Mario Limonciello]

All releases need to be updated including Hirsute.

Hirsute has fwupd 1.5.7 which contains sbat support, but had a mistake
with the wrong character ('.' vs '-').  See
https://github.com/fwupd/fwupd/pull/3070 for more context.

** Also affects: fwupd-signed (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1921539/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs