** Description changed:

- TODO
+ [ Impact ]
+
+ * Every device running Ubuntu on UEFI with Secure Boot enabled is impacted.
+
+ * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party UEFI CA 2011.
+   This Certificate Authority (CA) allows Ubuntu to boot on a wide variety of devices that
+   ship from the factory with Microsoft's trust. However, this CA, and its corresponding
+   Key Exchange Key (KEK) CA used for signing revocations, is set to expire in July 2026.
+   After this date, it cannot be used to sign any further bootloader updates or security
+   revocations.
+
+ * To retain the ability to ship future shim security updates and process future UEFI
+   revocations, Ubuntu as an OS must roll out updates to the code signing and KEK
+   infrastructure. All major Linux distributions and hardware vendors supporting Linux
+   have aligned on using fwupd and the Linux Vendor Firmware Service (LVFS) as the
+   mechanism to do so.
+
+ * Only recent versions of fwupd support installing these specific CA updates. Thus, we
+   have decided to backport the latest fwupd release to ensure users can receive these
+   critical certificates before the 2026 deadline.
+
+ [ Test Plan ]
+
+ * Smoke test that fwupd still retains basic functionality after the update.
+
+ * Verify on an empty virtual machine with only the 2011 UEFI CA installed that fwupd is
+   capable of installing the 2023 CAs.
+
+ [ Where problems could occur ]
+
+ * This is a major upstream update being pushed to multiple stable Ubuntu releases; as a
+   result, there is obvious regression potential.
+
+ * However, not having the CA updates installable on devices running Ubuntu stable
+   releases will have much larger consequences. As a result, the reporter believes that
+   making these updates is the lesser of two evils and absolutely critical for future
+   boot security updates.
+
+ [ Other Info ]
+
+ * We are additionally backporting libxmlb and libjcat, which are direct dependencies
+   from the same author. These libraries are heavily intertwined with fwupd and rarely
+   used outside of it; backporting newer versions is deemed to be the least disruptive
+   way to ensure fwupd is functional.
+
+ * This is a very large hammer and goes beyond the usual scope of an SRU, but the
+   resolution of this issue is absolutely critical for the future functionality of
+   stable Ubuntu in the face of the Microsoft 2011 CA expiry.
+
+ * Alternative options such as backporting only the db and KEK update mechanism of fwupd
+   were explored and discarded due to fragility.
+
+ * The current version of fwupd in 22.04 LTS is no longer supported upstream in any case.
+
+ * These updates are built in a PPA with only the security pocket enabled and will be
+   copied to the main archive. This is done with the express purpose of being able to
+   easily copy them to the security pocket at any time.
--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142578

Title:
  [SRU] fwupd backports for KEK and db updates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
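The test plan above hinges on being able to tell which CA certificates are actually present in a machine's UEFI db and KEK before and after fwupd applies the update. The following is an added example, not code from the bug report, from fwupd or from Ubuntu: it parses the EFI_SIGNATURE_LIST format in which the db and KEK variables are stored (as exposed under /sys/firmware/efi/efivars/, where the first four bytes are the variable attributes) and reports which expected certificate fingerprints are present or missing. The fingerprint values for the Microsoft 2011 and 2023 CAs are placeholders to be filled in from an authoritative source; the sample blob, its owner GUID and its "certificates" are constructed stand-ins and are not real certificates.

```python
"""List X.509 entries in a UEFI db/KEK blob and check for expected CA fingerprints.

Added example (not from the Launchpad bug, fwupd or Ubuntu). The EFI_SIGNATURE_LIST
layout is from the UEFI specification: SignatureType GUID (16), SignatureListSize (4),
SignatureHeaderSize (4), SignatureSize (4), optional header, then entries of
SignatureOwner GUID (16) + SignatureData.
"""
import hashlib
import struct
import uuid
from pathlib import Path

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# sysfs location and vendor GUIDs of the variables (db lives under the image security
# database GUID, KEK under the global variable GUID).
EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

# PLACEHOLDERS: replace with the SHA-256 hex digests of the DER-encoded Microsoft
# UEFI CA 2011 and 2023 certificates, taken from an authoritative source.
EXPECTED_DB_CAS = {"<sha256-of-microsoft-uefi-ca-2011-der>",
                   "<sha256-of-microsoft-uefi-ca-2023-der>"}


def parse_signature_lists(data: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LIST structures; one dict per signature entry."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])  # GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or off + list_size > len(data):
            raise ValueError("bad SignatureListSize")
        if sig_size < 16:
            raise ValueError("bad SignatureSize")
        body_start, body_end = off + 28 + hdr_size, off + list_size
        if body_start > body_end or (body_end - body_start) % sig_size:
            raise ValueError("list body is not a whole number of signatures")
        for pos in range(body_start, body_end, sig_size):
            payload = data[pos + 16:pos + sig_size]
            entries.append({"type": sig_type,
                            "owner": uuid.UUID(bytes_le=data[pos:pos + 16]),
                            "data": payload,
                            "sha256": hashlib.sha256(payload).hexdigest()})
        off += list_size
    return entries


def is_well_formed(data: bytes) -> bool:
    """True if the blob parses cleanly (a truncated or corrupt variable returns False)."""
    try:
        parse_signature_lists(data)
        return True
    except ValueError:
        return False


def check_database(data: bytes, expected: set) -> dict:
    """Compare X.509 entries in a db/KEK blob against a set of expected fingerprints."""
    present = {e["sha256"] for e in parse_signature_lists(data)
               if e["type"] == EFI_CERT_X509_GUID}
    return {"present": sorted(expected & present), "missing": sorted(expected - present)}


def read_efivar(name: str, vendor_guid: str) -> bytes:
    """Read a variable from efivarfs and drop the 4-byte attribute prefix."""
    return (EFIVARS / f"{name}-{vendor_guid}").read_bytes()[4:]


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: list) -> bytes:
    """Encode one EFI_SIGNATURE_LIST (used only to construct the offline sample)."""
    if len({len(p) for p in payloads}) != 1:
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(payloads[0])
    out = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(payloads), 0, sig_size)
    return out + b"".join(owner.bytes_le + p for p in payloads)


# Constructed sample material: DER-looking filler, NOT real certificates or a real owner.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
SAMPLE_CERT_A = b"\x30\x82\x00\x2c" + b"A" * 44
SAMPLE_CERT_B = b"\x30\x82\x00\x2c" + b"B" * 44
SAMPLE_HASH = bytes(range(32))


def sample_db_blob() -> bytes:
    """Constructed db image: one X.509 list with two entries, one SHA-256 hash list."""
    return (build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [SAMPLE_CERT_A, SAMPLE_CERT_B])
            + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [SAMPLE_HASH]))


if __name__ == "__main__":
    # Use the live variables on a UEFI machine, otherwise fall back to the constructed sample.
    live = EFIVARS.is_dir()
    db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID) if live else sample_db_blob()
    for e in parse_signature_lists(db):
        kind = "x509" if e["type"] == EFI_CERT_X509_GUID else str(e["type"])
        print(f"{kind:36s} owner={e['owner']} sha256={e['sha256']}")
    print("CA check:", check_database(db, EXPECTED_DB_CAS))
```

Run it before and after `fwupdmgr update` on the test VM and diff the two listings: the 2023 CA entries should appear in db (and the KEK variable, read the same way with `EFI_GLOBAL_VARIABLE_GUID`) only after the update. A `ValueError` from the parser on a live machine indicates a truncated or corrupt variable rather than a missing certificate, so treat it as a separate finding.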
