** Description changed: [ Impact ] - * Every device running Ubuntu on UEFI with Secure Boot enabled is + * Every device running Ubuntu on UEFI with Secure Boot enabled is impacted. - * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party - UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a - wide variety of devices that ship from the factory with Microsoft's trust. - However, this CA, and its corresponding Key Exchange Key (KEK) CA used for - signing revocations, is set to expire in July 2026. After this date, it - cannot be used to sign any further bootloader updates or security revocations. + * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party + UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a + wide variety of devices that ship from the factory with Microsoft's trust. + However, this CA, and its corresponding Key Exchange Key (KEK) CA used for + signing revocations, is set to expire in July 2026. After this date, it + cannot be used to sign any further bootloader updates or security revocations. - * To retain the ability to ship future shim security updates and process future - UEFI revocations, Ubuntu as an OS must roll out updates to the code signing - and KEK infrastructure. All major Linux distributions and hardware vendors - supporting Linux have aligned on using fwupd and the Linux Vendor Firmware - Service (LVFS) as the mechanism to do so. + * To retain the ability to ship future shim security updates and process future + UEFI revocations, Ubuntu as an OS must roll out updates to the code signing + and KEK infrastructure. All major Linux distributions and hardware vendors + supporting Linux have aligned on using fwupd and the Linux Vendor Firmware + Service (LVFS) as the mechanism to do so. - * Only recent versions of fwupd support installing these specific CA updates. 
- Thus, we have decided to backport the latest fwupd release to ensure users - can receive these critical certificates before the 2026 deadline. + * Only fwupd 2.x.x supports installing these specific CA updates. + Thus, we have decided to backport the latest fwupd release to ensure users + can receive these critical certificates before the 2026 deadline. + + * Those firmware updates no longer supported by old fwupd will also now + be available, potentially resolving critical security issues in the + firmware. [ Test Plan ] - * Smoke test fwupd still retains basic functionality after the update. + * Smoke test fwupd still retains basic functionality after the update. - * Verify on an empty virtual machine with only the 2011 UEFI CA installed - that fwupd is capable of installing the 2023 CAs. + * Verify on an empty virtual machine with only the 2011 UEFI CA installed + that fwupd is capable of installing the 2023 CAs. + + * Canonical Certifications team should test the fwupd updates on certified device: + 1. Test their to update UEFI db and KEK CA; + 2. Ensure that devices with firmware updates available do not lose the ability to update firmware. [ Where problems could occur ] - * This is a major upstream update being pushed to multiple stable Ubuntu - releases; as a result, there is obvious regression potential. + * This is a major upstream update being pushed to multiple stable Ubuntu + releases; as a result, there is obvious regression potential. - * However, not having the CA updates installable on devices running Ubuntu - stable releases will have much larger consequences. As a result, the - reporter believes that making these updates is the lesser of two evils - and absolutely critical for future boot security updates. + * However, not having the CA updates installable on devices running Ubuntu + stable releases will have much larger consequences. 
As a result, the + reporter believes that making these updates is the lesser of two evils + and absolutely critical for future boot security updates. + + * Fwupd versions before 1.9.x are no longer supported, and not necessarily + able to download and install updates anymore, so regressing on this ability + on those branches is no longer a real concern. + + * This update does not automatically change any enrolled keys, it updates + fwupd package to make available the ability to install key updates. + db update is signed by Microsoft's old KEK, KEK updates needs to be signed + by every OEM with their PK. + Firmware internally verifies the cryptographic authenticity of these updates, + fwupd merely acts as a conduit for passing the appropriate updates to the + firmware. [ Other Info ] - * We are additionally backporting libxmlb and libjcat which are direct - dependencies from the same author. These libraries are heavily intertwined - with fwupd and rarely used outside of it; backporting newer versions is - deemed to be the least disruptive way to ensure fwupd is functional. + * We are additionally backporting libxmlb and libjcat which are direct + dependencies from the same author. These libraries are heavily intertwined + with fwupd and rarely used outside of it; backporting newer versions is + deemed to be the least disruptive way to ensure fwupd is functional. - * This is a very large hammer and goes beyond the usual scope of an SRU, - but the resolution of this issue is absolutely critical for the future - functionality of stable Ubuntu in the face of the Microsoft 2011 CA - expiry. + * This is a very large hammer and goes beyond the usual scope of an SRU, + but the resolution of this issue is absolutely critical for the future + functionality of stable Ubuntu in the face of the Microsoft 2011 CA + expiry. - * Alternative options such as backporting only the db and KEK update mechanism - of fwupd were explored and discarded due to fragility. 
+ * Alternative options such as backporting only the db and KEK update mechanism + of fwupd were explored and discarded due to fragility. - * The current version of fwupd in 22.04 LTS is no longer supported upstream - in any case. + * The current version of fwupd in 22.04 LTS is no longer supported upstream + in any case. - * These updates are built in a PPA with only the security pocket enabled - and will be copied to the main archive. - This is done with the express purpose of being able to easily copy them - to the security pocket at any time. + * These updates are built in a PPA with only the security pocket enabled + and will be copied to the main archive. + This is done with the express purpose of being able to easily copy them + to the security pocket at any time. + + * The jammy backport disables support for modem manager and updating modem + firmware due to jammy's out of date modem manager not being compatible with + new fwupd.
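Review bot: the Test Plan item "1. Test their to update UEFI db and KEK CA;" is missing a word and states no pass criterion; suggest "1. Test their ability to update the UEFI db and KEK CA, confirming afterwards that the 2023 CAs are present in db (and in KEK where the OEM ships a KEK update) and that the device still boots with Secure Boot enabled;". The "Smoke test" item likewise names no commands; listing the fwupdmgr invocations the tester should run (for example get-devices, refresh and get-updates) and naming the firmware used for the "empty virtual machine" check would let the SRU team reproduce the verification rather than interpret it.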
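Review bot: in "Where problems could occur", "db update is signed by Microsoft's old KEK, KEK updates needs to be signed by every OEM with their PK" should read "need to be signed", and the consequence of that sentence deserves spelling out: since each KEK update depends on the OEM publishing one signed with its PK, devices whose OEM has not done so will receive only the db update, so the test plan should cover the partial case (db updated, KEK unchanged) as well as the full one. It would also help readers to state whether the already-signed db update remains installable after the July 2026 expiry, because the Impact section's deadline otherwise reads as if it applied to installation rather than to further signing.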
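Review bot: the jammy modem manager item belongs under "Where problems could occur" rather than "Other Info": disabling modem manager support and modem firmware updates in the jammy backport is a user-visible regression for anyone who currently updates modem firmware through fwupd on 22.04, and the SRU text should name it as such and say whether the capability is expected to return. Relatedly, the Impact section says only fwupd 2.x.x supports the CA updates while the regression argument is framed around versions before 1.9.x; listing, per target series, the fwupd version currently shipped and the version being backported would make both statements checkable.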
** Description changed: [ Impact ] * Every device running Ubuntu on UEFI with Secure Boot enabled is impacted. * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a wide variety of devices that ship from the factory with Microsoft's trust. However, this CA, and its corresponding Key Exchange Key (KEK) CA used for signing revocations, is set to expire in July 2026. After this date, it cannot be used to sign any further bootloader updates or security revocations. * To retain the ability to ship future shim security updates and process future UEFI revocations, Ubuntu as an OS must roll out updates to the code signing and KEK infrastructure. All major Linux distributions and hardware vendors supporting Linux have aligned on using fwupd and the Linux Vendor Firmware Service (LVFS) as the mechanism to do so. * Only fwupd 2.x.x supports installing these specific CA updates. Thus, we have decided to backport the latest fwupd release to ensure users can receive these critical certificates before the 2026 deadline. - * Those firmware updates no longer supported by old fwupd will also now + * Those firmware updates no longer supported by old fwupd will also now be available, potentially resolving critical security issues in the firmware. [ Test Plan ] * Smoke test fwupd still retains basic functionality after the update. * Verify on an empty virtual machine with only the 2011 UEFI CA installed that fwupd is capable of installing the 2023 CAs. - * Canonical Certifications team should test the fwupd updates on certified device: - 1. Test their to update UEFI db and KEK CA; - 2. Ensure that devices with firmware updates available do not lose the ability to update firmware. + * Canonical Certifications team should test the fwupd updates on certified device: + 1. Test their to update UEFI db and KEK CA; + 2. 
Ensure that devices with firmware updates available do not lose the ability to update firmware. [ Where problems could occur ] * This is a major upstream update being pushed to multiple stable Ubuntu releases; as a result, there is obvious regression potential. * However, not having the CA updates installable on devices running Ubuntu stable releases will have much larger consequences. As a result, the reporter believes that making these updates is the lesser of two evils and absolutely critical for future boot security updates. - * Fwupd versions before 1.9.x are no longer supported, and not necessarily - able to download and install updates anymore, so regressing on this ability - on those branches is no longer a real concern. + * Fwupd versions before 1.9.x are no longer supported, and not necessarily + able to download and install updates anymore, so regressing on this ability + on those branches is no longer a real concern. - * This update does not automatically change any enrolled keys, it updates - fwupd package to make available the ability to install key updates. - db update is signed by Microsoft's old KEK, KEK updates needs to be signed - by every OEM with their PK. - Firmware internally verifies the cryptographic authenticity of these updates, - fwupd merely acts as a conduit for passing the appropriate updates to the - firmware. + * This update does not automatically change any enrolled keys, it updates + fwupd package to make available the ability to install key updates. + db update is signed by Microsoft's old KEK, KEK updates needs to be signed + by every OEM with their PK. + Firmware internally verifies the cryptographic authenticity of these updates, + fwupd merely acts as a conduit for passing the appropriate updates to the + firmware. [ Other Info ] * We are additionally backporting libxmlb and libjcat which are direct dependencies from the same author. 
These libraries are heavily intertwined with fwupd and rarely used outside of it; backporting newer versions is deemed to be the least disruptive way to ensure fwupd is functional. * This is a very large hammer and goes beyond the usual scope of an SRU, but the resolution of this issue is absolutely critical for the future functionality of stable Ubuntu in the face of the Microsoft 2011 CA expiry. * Alternative options such as backporting only the db and KEK update mechanism of fwupd were explored and discarded due to fragility. * The current version of fwupd in 22.04 LTS is no longer supported upstream in any case. * These updates are built in a PPA with only the security pocket enabled and will be copied to the main archive. This is done with the express purpose of being able to easily copy them to the security pocket at any time. - * The jammy backport disables support for modem manager and updating modem - firmware due to jammy's out of date modem manager not being compatible with - new fwupd. + * The jammy backport disables support for modem manager and updating modem + firmware due to jammy's out of date modem manager not being compatible with + new fwupd. + + * Resolute added some patches for notifying snapd of db update in order to + be able to do TPM FDE resealing. These patches remain in the backports due to + TPM FDE availability in Noble. The snapd side of the story should + automatically be available via snapd update. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2142578 Title: [SRU] fwupd backports for KEK and db updates To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
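Review bot: "Resolute added some patches for notifying snapd of db update" reads as if a person named Resolute did the work; suggest "The resolute series of fwupd carries patches that notify snapd of db updates so that TPM FDE can be resealed" (assuming resolute refers to the Ubuntu series). More importantly, the Test Plan has no item for this path: a Noble device using TPM FDE should be tested to confirm that after the db update snapd reseals and the system still unlocks at boot, since a missed reseal would leave the disk key sealed against the pre-update state and turn a certificate rollout into a boot failure. The text should also say which snapd version is required, given that it relies on "the snapd side of the story" arriving by a separate update.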
