Hi Marc,

Backporting the fwupd deb package to anything older than Jammy will be an uphill battle.

Fwupd depends on various system libraries (primarily in the GLib ecosystem), and the fwupd upstream developers have introduced hard dependencies on versions that were frozen around RHEL 9. Even for Jammy we have to revert some minor upstream changes to make it happen. We can look into ESM deb backports a bit more, but for ESM customers, suggesting a move to fwupd in snap form might be much easier.

Mate

On Thu, Feb 26, 2026 at 6:25 PM Marc Deslauriers <[email protected]> wrote:
>
> From the security team's point of view, we would really like to see a
> functioning fwupd both in standard support releases and in ESM releases.
> Being able to update system firmware is necessary to get both firmware
> and bundled microcode security fixes. This is in addition to the KEK and
> db updates which will be required for continued Secure Boot support.
>
> While backporting a whole new version of fwupd is quite unusual for an
> SRU, I do believe a one-off full version bump is the right approach not
> just to fix the specific issue described in this bug, but also to ensure
> proper firmware updates in the future.
>
> I also think we should make sure these packages are built without the
> -updates pocket enabled so that they can get copied to the -security
> pocket once the SRU process has been completed.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2142578
>
> Title:
>   [SRU] fwupd backports for KEK and db updates
>
> Status in fwupd package in Ubuntu:
>   Invalid
> Status in gnome-software package in Ubuntu:
>   Invalid
> Status in libjcat package in Ubuntu:
>   Invalid
> Status in libxmlb package in Ubuntu:
>   Invalid
> Status in plasma-discover package in Ubuntu:
>   Invalid
> Status in fwupd source package in Jammy:
>   In Progress
> Status in gnome-software source package in Jammy:
>   New
> Status in libjcat source package in Jammy:
>   In Progress
> Status in libxmlb source package in Jammy:
>   In Progress
> Status in plasma-discover source package in Jammy:
>   New
> Status in fwupd source package in Noble:
>   In Progress
> Status in gnome-software source package in Noble:
>   New
> Status in libjcat source package in Noble:
>   In Progress
> Status in libxmlb source package in Noble:
>   In Progress
> Status in plasma-discover source package in Noble:
>   New
> Status in fwupd source package in Questing:
>   In Progress
> Status in gnome-software source package in Questing:
>   New
> Status in libjcat source package in Questing:
>   In Progress
> Status in libxmlb source package in Questing:
>   In Progress
> Status in plasma-discover source package in Questing:
>   New
>
> Bug description:
>   [ Impact ]
>
>   * Every device running Ubuntu on UEFI with Secure Boot enabled is
>     impacted.
>
>   * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party
>     UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a
>     wide variety of devices that ship from the factory with Microsoft's trust.
>     However, this CA, and its corresponding Key Exchange Key (KEK) CA used for
>     signing revocations, is set to expire in July 2026. After this date, it
>     cannot be used to sign any further bootloader updates or security
>     revocations.
>
>   * To retain the ability to ship future shim security updates and process
>     future UEFI revocations, Ubuntu as an OS must roll out updates to the code
>     signing and KEK infrastructure. All major Linux distributions and hardware
>     vendors supporting Linux have aligned on using fwupd and the Linux Vendor
>     Firmware Service (LVFS) as the mechanism to do so.
>
>   * Only fwupd 2.x.x supports installing these specific CA updates.
>     Thus, we have decided to backport the latest fwupd release to ensure users
>     can receive these critical certificates before the 2026 deadline.
>
>   * Those firmware updates no longer supported by old fwupd will also
>     now be available, potentially resolving critical security issues in
>     the firmware.
>
>   [ Test Plan ]
>
>   * Smoke test fwupd still retains basic functionality after the
>     update.
>
>   * Verify on an empty virtual machine with only the 2011 UEFI CA installed
>     that fwupd is capable of installing the 2023 CAs.
>
>   * Canonical Certifications team should test the fwupd updates on certified
>     devices:
>     1. Test their ability to update UEFI db and KEK CA;
>     2. Ensure that devices with firmware updates available do not lose the
>        ability to update firmware.
>
>   [ Where problems could occur ]
>
>   * This is a major upstream update being pushed to multiple stable Ubuntu
>     releases; as a result, there is obvious regression potential.
>
>   * However, not having the CA updates installable on devices running Ubuntu
>     stable releases will have much larger consequences. As a result, the
>     reporter believes that making these updates is the lesser of two evils
>     and absolutely critical for future boot security updates.
>
>   * Fwupd versions before 1.9.x are no longer supported, and not necessarily
>     able to download and install updates anymore, so regressing on this ability
>     on those branches is no longer a real concern.
>
>   * This update does not automatically change any enrolled keys; it updates the
>     fwupd package to make available the ability to install key updates.
>     The db update is signed by Microsoft's old KEK; KEK updates need to be signed
>     by every OEM with their PK.
>     Firmware internally verifies the cryptographic authenticity of these updates;
>     fwupd merely acts as a conduit for passing the appropriate updates to the
>     firmware.
>
>   [ Other Info ]
>
>   * We are additionally backporting libxmlb and libjcat which are direct
>     dependencies from the same author. These libraries are heavily intertwined
>     with fwupd and rarely used outside of it; backporting newer versions is
>     deemed to be the least disruptive way to ensure fwupd is functional.
>
>   * This is a very large hammer and goes beyond the usual scope of an SRU,
>     but the resolution of this issue is absolutely critical for the future
>     functionality of stable Ubuntu in the face of the Microsoft 2011 CA
>     expiry.
>
>   * Alternative options such as backporting only the db and KEK update mechanism
>     of fwupd were explored and discarded due to fragility.
>
>   * The current version of fwupd in 22.04 LTS is no longer supported upstream
>     in any case.
>
>   * These updates are built in a PPA with only the security pocket enabled
>     and will be copied to the main archive.
>     This is done with the express purpose of being able to easily copy them
>     to the security pocket at any time.
>
>   * The jammy backport disables support for modem manager and updating modem
>     firmware due to jammy's out of date modem manager not being compatible with
>     new fwupd.
>
>   * Resolute added some patches for notifying snapd of db update in order to
>     be able to do TPM FDE resealing. These patches remain in the backports due to
>     TPM FDE availability in Noble. The snapd side of the story should
>     automatically be available via snapd update.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578/+subscriptions
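An added example, not part of this thread and not code from the fwupd project: a POSIX shell script that implements, from the administrator's side, the readiness check the bug's test plan describes. It classifies whether the Secure Boot db and KEK still hold only the 2011 Microsoft CA or already a 2023 one, and whether the installed fwupd is a 2.x release (the thread states only fwupd 2.x.x can install these CA updates). The certificate CN substrings, the `mokutil --db` / `mokutil --kek` dump layout and the `fwupdmgr --version` line format are assumptions made here; the sample dumps in the script are constructed so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the bug thread or the fwupd project): readiness audit for
# the Microsoft 2011 UEFI CA expiry discussed in LP #2142578.
#  1. Does the Secure Boot db / KEK already hold a 2023 Microsoft CA, or still only
#     the 2011 one?  (parsed from `mokutil --db` / `mokutil --kek` style dumps)
#  2. Is the installed fwupd a 2.x release? (the thread states only fwupd 2.x.x can
#     install the KEK/db updates)
# Live commands run only when invoked as:  sh ca_audit.sh run

# Assumed CN substrings of the Microsoft CAs (not quoted in the thread).
MS_DB_2011="Microsoft Corporation UEFI CA 2011"
MS_DB_2023="Microsoft UEFI CA 2023"
MS_KEK_2011="Microsoft Corporation KEK CA 2011"
MS_KEK_2023="Microsoft Corporation KEK 2K CA 2023"

# classify_store OLD_CN NEW_CN: reads a certificate dump on stdin and prints
#   new-present  - a 2023 CA is enrolled (the 2011 one may still be there too)
#   old-only     - only the 2011 CA is enrolled: the CA update is still pending
#   neither      - neither CA found (store does not trust Microsoft, or parse failure)
classify_store() {
    old_cn=$1
    new_cn=$2
    dump=$(cat)
    if printf '%s\n' "$dump" | grep -qF -- "$new_cn"; then
        echo new-present
    elif printf '%s\n' "$dump" | grep -qF -- "$old_cn"; then
        echo old-only
    else
        echo neither
    fi
}

# fwupd_runtime_version: reads `fwupdmgr --version` output on stdin and prints the
# daemon version. Assumed line format: "runtime   org.freedesktop.fwupd   X.Y.Z".
fwupd_runtime_version() {
    awk '$1 == "runtime" && $2 == "org.freedesktop.fwupd" { v = $3 } END { print v }'
}

# fwupd_can_install_ca_updates VERSION: succeeds when the major version is >= 2.
fwupd_can_install_ca_updates() {
    major=${1%%.*}
    case "$major" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unknown/unsupported
    esac
    [ "$major" -ge 2 ]
}

# Constructed sample inputs (mimicking the assumed dump formats) for offline checks.
SAMPLE_DB_2011_ONLY='[key 1]
SHA1 Fingerprint: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
Certificate:
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011'
SAMPLE_DB_WITH_2023="$SAMPLE_DB_2011_ONLY
[key 2]
SHA1 Fingerprint: 11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11
Certificate:
        Subject: C=US, O=Microsoft Corporation, CN=Microsoft UEFI CA 2023"
SAMPLE_FWUPD_VERSION='compile   org.freedesktop.fwupd   1.7.9
runtime   org.freedesktop.fwupd   1.7.9'

# audit_live: run the real commands (needs mokutil and fwupdmgr on the host).
# Exit status is 0 only when both db and KEK already carry a 2023 CA.
audit_live() {
    db_state=$(mokutil --db 2>/dev/null | classify_store "$MS_DB_2011" "$MS_DB_2023")
    kek_state=$(mokutil --kek 2>/dev/null | classify_store "$MS_KEK_2011" "$MS_KEK_2023")
    ver=$(fwupdmgr --version 2>/dev/null | fwupd_runtime_version)
    echo "db: $db_state   kek: $kek_state   fwupd: ${ver:-unknown}"
    if fwupd_can_install_ca_updates "$ver"; then
        echo "fwupd is 2.x: the KEK/db updates can be offered (see: fwupdmgr get-updates)"
    else
        echo "fwupd ${ver:-unknown} predates 2.x: CA updates cannot be installed until it is upgraded"
    fi
    [ "$db_state" = new-present ] && [ "$kek_state" = new-present ]
}

case "${1:-}" in
    run) audit_live ;;
esac
```

Run it as `sh ca_audit.sh run` on a UEFI machine; the exit status makes it usable from a fleet inventory job, and the `old-only` state on db or KEK combined with a pre-2.x fwupd is exactly the population the backport in this bug is meant to reach.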
