Public bug reported:

In discussion with the Security Team, I've learned that the dbx plugin
in fwupd is enabled by default.  Prior to 22.04 release I had
conversations about the fact that we should not be using fwupd to
deliver dbx updates by default, but these don't seem to have resulted in
changes to the packaging.  We may in the future want to use fwupd to
deliver dbx updates, but in the meantime there is a concern that
delivery of dbx updates needs to be coordinated with the OS (we have the
secureboot-db package seeded across all products in support of this),
and there is not coordination between fwupd and the OS package manager.

We need to update fwupd to disable the dbx plugin by default
(DisabledPlugins= in /etc/fwupd/daemon.conf).

This affects both jammy and focal, where fwupd has been SRUed.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: fwupd 1.7.5-3
ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
Uname: Linux 5.15.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Fri May  6 11:04:01 2022
InstallationDate: Installed on 2019-12-23 (864 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: fwupd
UpgradeStatus: Upgraded to jammy on 2022-04-15 (20 days ago)

** Affects: fwupd (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: fwupd (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Affects: fwupd (Ubuntu Impish)
     Importance: Undecided
         Status: New

** Affects: fwupd (Ubuntu Jammy)
     Importance: Undecided
         Status: New

** Affects: fwupd (Ubuntu Kinetic)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug fr-2358 jammy wayland-session

** Description changed:

  In discussion with the Security Team, I've learned that the dbx plugin
  in fwupd is enabled by default.  Prior to 22.04 release I had
  conversations about the fact that we should not be using fwupd to
  deliver dbx updates by default, but these don't seem to have resulted in
  changes to the packaging.  We may in the future want to use fwupd to
  deliver dbx updates, but in the meantime there is a concern that
  delivery of dbx updates needs to be coordinated with the OS (we have the
  secureboot-db package seeded across all products in support of this),
  and there is not coordination between fwupd and the OS package manager.
  
  We need to update fwupd to disable the dbx plugin by default
  (DisabledPlugins= in /etc/fwupd/daemon.conf).
+ 
+ This affects both jammy and focal, where fwupd has been SRUed.
  
  ProblemType: Bug
  DistroRelease: Ubuntu 22.04
  Package: fwupd 1.7.5-3
  ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
  Uname: Linux 5.15.0-27-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
  ApportVersion: 2.20.11-0ubuntu82
  Architecture: amd64
  CasperMD5CheckResult: unknown
  CurrentDesktop: ubuntu:GNOME
  Date: Fri May  6 11:04:01 2022
  InstallationDate: Installed on 2019-12-23 (864 days ago)
  InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
  RebootRequiredPkgs: Error: path contained symlinks.
  SourcePackage: fwupd
  UpgradeStatus: Upgraded to jammy on 2022-04-15 (20 days ago)

** Also affects: fwupd (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: fwupd (Ubuntu Impish)
   Importance: Undecided
       Status: New

** Also affects: fwupd (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Also affects: fwupd (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Tags added: fr-2358

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971965

Title:
  fwupd has dbx plugin enabled but shouldn't
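
Added example (not part of the bug report or of the fwupd packaging): a small audit check for the DisabledPlugins= setting the report refers to. The plugin name uefi_dbx, the [fwupd] section name and the sample file contents are assumptions; the report only says "the dbx plugin".

```sh
#!/bin/sh
# Added example: check whether a plugin is listed in DisabledPlugins= of an
# fwupd daemon.conf-style key file. Plugin name "uefi_dbx" is an assumption.

# plugin_disabled CONF PLUGIN
# Exit 0 if PLUGIN appears as an exact entry in the semicolon-separated
# DisabledPlugins= value of the [fwupd] section, exit 1 otherwise.
plugin_disabled() {
    awk -v want="$2" '
        /^[ \t]*#/  { next }    # comment lines never set a value
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[fwupd\][ \t]*$/); next }
        in_sec && /^[ \t]*DisabledPlugins[ \t]*=/ {
            sub(/^[^=]*=/, "")  # keep only the value
            found = 0           # a later assignment replaces an earlier one
            n = split($0, items, ";")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", items[i])
                if (items[i] == want) found = 1   # exact match, no substrings
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample configs (not copied from any real system).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '[fwupd]\nDisabledPlugins=test;test_ble;invalid\n' \
    > "$demo_dir/default.conf"
printf '[fwupd]\n# DisabledPlugins=uefi_dbx\nDisabledPlugins=test;invalid;uefi_dbx\n' \
    > "$demo_dir/hardened.conf"

for conf in "$demo_dir/default.conf" "$demo_dir/hardened.conf"; do
    if plugin_disabled "$conf" uefi_dbx; then
        echo "$conf: uefi_dbx is disabled"
    else
        echo "$conf: uefi_dbx is NOT disabled; fwupd may deliver dbx updates"
    fi
done
```

On a real system the first argument would be /etc/fwupd/daemon.conf, the path named in the report.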
