Public bug reported: In discussion with the Security Team, I've learned that the dbx plugin in fwupd is enabled by default. Prior to 22.04 release I had conversations about the fact that we should not be using fwupd to deliver dbx updates by default, but these don't seem to have resulted in changes to the packaging. We may in the future want to use fwupd to deliver dbx updates, but in the meantime there is a concern that delivery of dbx updates needs to be coordinated with the OS (we have the secureboot-db package seeded across all products in support of this), and there is no coordination between fwupd and the OS package manager.
We need to update fwupd to disable the dbx plugin by default (DisabledPlugins= in /etc/fwupd/daemon.conf). This affects both jammy and focal, where fwupd has been SRUed.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: fwupd 1.7.5-3
ProcVersionSignature: Ubuntu 5.15.0-27.28-generic 5.15.30
Uname: Linux 5.15.0-27-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Fri May 6 11:04:01 2022
InstallationDate: Installed on 2019-12-23 (864 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: fwupd
UpgradeStatus: Upgraded to jammy on 2022-04-15 (20 days ago)

** Affects: fwupd (Ubuntu)
   Importance: Undecided
   Status: New

** Affects: fwupd (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Affects: fwupd (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Affects: fwupd (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Affects: fwupd (Ubuntu Kinetic)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug fr-2358 jammy wayland-session

** Description changed (only the added lines are shown; the rest of the description is unchanged from the report above):

+ 
+ This affects both jammy and focal, where fwupd has been SRUed.

** Also affects: fwupd (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: fwupd (Ubuntu Impish)
   Importance: Undecided
   Status: New

** Also affects: fwupd (Ubuntu Kinetic)
   Importance: Undecided
   Status: New

** Also affects: fwupd (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Tags added: fr-2358

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1971965

Title:
  fwupd has dbx plugin enabled but shouldn't

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1971965/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
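The report asks for the dbx plugin to be listed under DisabledPlugins= in /etc/fwupd/daemon.conf. The following is an added example, not code from the bug report, from fwupd or from the Ubuntu packaging: a small POSIX shell helper that adds a plugin name to that key without duplicating it, plus a check that the name is present as a whole token. It assumes the fwupd 1.7-era file layout (a [fwupd] section whose DisabledPlugins= value is a ';'-separated list), that uefi_dbx is the name fwupd uses for the dbx plugin (confirm on your host with `fwupdmgr get-plugins`), and GNU sed; the sample config it operates on is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report, fwupd or Ubuntu packaging).
# Adds a plugin name to the DisabledPlugins= key of an fwupd daemon.conf so
# the daemon stops loading that plugin; safe to run more than once.
#
# Assumptions:
#  - fwupd 1.7-style /etc/fwupd/daemon.conf: a [fwupd] section whose
#    DisabledPlugins= value is a ';'-separated list of plugin names.
#  - "uefi_dbx" is the plugin name fwupd reports for the dbx plugin
#    (check with: fwupdmgr get-plugins).
#  - GNU sed (for -i and the one-line "a" command).

# is_plugin_disabled FILE PLUGIN -> exit 0 if PLUGIN is a whole token in the list
is_plugin_disabled() {
    grep -E '^DisabledPlugins=' "$1" | grep -Eq '(=|;)'"$2"'(;|$)'
}

# disable_plugin FILE PLUGIN -> append PLUGIN to DisabledPlugins=, idempotently
disable_plugin() {
    file=$1
    plugin=$2
    if is_plugin_disabled "$file" "$plugin"; then
        return 0                      # already listed: nothing to do
    fi
    if grep -Eq '^DisabledPlugins=' "$file"; then
        # Key exists: append as a new ';'-separated token, then drop the
        # stray leading ';' left behind when the list was empty.
        sed -i -E 's/^(DisabledPlugins=)(.*)$/\1\2;'"$plugin"'/' "$file"
        sed -i 's/^DisabledPlugins=;/DisabledPlugins=/' "$file"
    else
        # No key at all: add one directly under the [fwupd] section header.
        sed -i "/^\[fwupd\]/a DisabledPlugins=$plugin" "$file"
    fi
}

# demo: apply the change to a constructed copy of a 1.7-era daemon.conf and
# print the result. Does not touch /etc.
demo() {
    tmp=$(mktemp)
    printf '[fwupd]\nDisabledPlugins=test;invalid\nOnlyTrusted=true\n' > "$tmp"
    disable_plugin "$tmp" uefi_dbx
    disable_plugin "$tmp" uefi_dbx    # second run is a no-op
    cat "$tmp"
    rm -f "$tmp"
}

# Real use (as root): disable_plugin /etc/fwupd/daemon.conf uefi_dbx
#                     systemctl restart fwupd && fwupdmgr get-plugins
if [ "${1:-}" = "demo" ]; then
    demo
fi
```

After restarting the daemon, `fwupdmgr get-plugins` should report the plugin as disabled, and dbx updates on that host then arrive only through the secureboot-db package the report mentions. For the distribution fix the report asks for, the same line belongs in the packaged daemon.conf rather than in a local edit. Note that later fwupd releases moved the daemon configuration to /etc/fwupd/fwupd.conf; the helper takes the path as an argument for that reason.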