** Description changed: [SRU] 2.74.1: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629 [ Impact ] On FDE installation, an official firmware updated (consisting of multiple updates) fails. [ Test Plan ] 1. Reproduce with snapd deb < 2.74.1 Steps to reproduce: - - Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/. - - Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf. - - Refresh firmware updates: - - fwupdmgr refresh - - Update firmware with "fwupdmgr update" - - On the update "UEFI CA from 2011 to 2023", choose "Y" and continue. - - snapd gives BadRequest + - Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/. + - Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf. + - Refresh firmware updates: + - fwupdmgr refresh + - Update firmware with "fwupdmgr update" + - On the update "UEFI CA from 2011 to 2023", choose "Y" and continue. + - snapd gives BadRequest 2. Prove fixed with snapd deb 2.74.1 Some steps as above, but do not expect the bad request, update must succeed. - ---original--- Performing a db update on fwupdmgr results in a BadRequest response from snapd in the "Prepare" stage. Using snapd version 2.74 snapd logs the following error: (Prepare for external EFI DB update) failed: cannot perform initial reseal of keys for Secureboot Key Database update: cannot add EFI secure boot and boot manager policy profiles: cannot process host variable modifier 0 for initial branch 0: cannot compute signature database update 0: cannot decode EFI_VARIABLE_AUTHENTICATION_2 structure of update: cannot check WIN_CERTIFICATE_UEFI_GUID.Hdr: unexpected WIN_CERTIFICATE.Revision (0x0) Notably snapd versions prior to 2.74 do not handle db updates, however I would arguably see this as a regression. --- Steps to reproduce: 1. Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/. 2. Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf. 3. Refresh firmware updates: $ fwupdmgr refresh 4. Update firmware: $ fwupdmgr update 5. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue. 6. (snapd gives BadRequest) --- Machine specification: - Resolute Daily amd64 image (Pending, 2026-02-03 06:50) running on QEMU - swtpm with OVMF vars generated by test-snapd-ovmf version edk2-stable202411 (https://snapcraft.io/test-snapd-ovmf) + + + [SRU] fwupd 2.0.20-1ubuntu2~25.10.1 for questing - https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2143688 + + [ Impact ] + For 2023 UEFI db update, fu-snapd-uefi-plugin sends to snapd a firmware that is zip containing both DBUpdate3P2023.bin and DBUpdateOROM2023.bin. However snapd expects a signature list here. The update will be failed. + + [ Test Plan ] + 1. On desktop or laptop with Ubuntu 25.10 installed + 2. Update the snapd to 2.74.1 + 3. Update the fwupd to the version mentioned in LP: #2143688 + 4. Refresh fwyod by $ fwupdmgr refresh + 5. Perform fwupd by $ fwupdmgr update + 6. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue + 7. The update can be performed successfully + + [ Where problems could occur ] + Snapd needs to be given the firmware updates in the right order. The change of API will come in snapd 2.74.1 or 2.74.2. Though since giving the composite update at once as zip does not work on any version. So it is safe to just try to use the new API when multiple updates are to be applied. + + [ Additional information ] + The SRU denote the prerequisite for LP: #2143688, which needs to be performed for questing fwupd update.
** Description changed: [SRU] 2.74.1: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/2138629 [ Impact ] On FDE installation, an official firmware updated (consisting of multiple updates) fails. [ Test Plan ] 1. Reproduce with snapd deb < 2.74.1 Steps to reproduce: - Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/. - Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf. - Refresh firmware updates: - fwupdmgr refresh - Update firmware with "fwupdmgr update" - On the update "UEFI CA from 2011 to 2023", choose "Y" and continue. - snapd gives BadRequest 2. Prove fixed with snapd deb 2.74.1 Some steps as above, but do not expect the bad request, update must succeed. ---original--- Performing a db update on fwupdmgr results in a BadRequest response from snapd in the "Prepare" stage. Using snapd version 2.74 snapd logs the following error: (Prepare for external EFI DB update) failed: cannot perform initial reseal of keys for Secureboot Key Database update: cannot add EFI secure boot and boot manager policy profiles: cannot process host variable modifier 0 for initial branch 0: cannot compute signature database update 0: cannot decode EFI_VARIABLE_AUTHENTICATION_2 structure of update: cannot check WIN_CERTIFICATE_UEFI_GUID.Hdr: unexpected WIN_CERTIFICATE.Revision (0x0) Notably snapd versions prior to 2.74 do not handle db updates, however I would arguably see this as a regression. --- Steps to reproduce: 1. Download the daily resolute image from https://cdimages.ubuntu.com/ubuntu/daily-live/pending/. 2. Install the iso in a VM and enable TPM-backed encryption, using swtpm and the OVMF vars provided by test-snapd-ovmf. 3. Refresh firmware updates: $ fwupdmgr refresh 4. Update firmware: $ fwupdmgr update 5. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue. 6. (snapd gives BadRequest) --- Machine specification: - Resolute Daily amd64 image (Pending, 2026-02-03 06:50) running on QEMU - swtpm with OVMF vars generated by test-snapd-ovmf version edk2-stable202411 (https://snapcraft.io/test-snapd-ovmf) - - [SRU] fwupd 2.0.20-1ubuntu2~25.10.1 for questing - https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2143688 + [SRU] fwupd 2.0.20-1ubuntu2~25.10.1 for questing - + https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2143688 [ Impact ] For 2023 UEFI db update, fu-snapd-uefi-plugin sends to snapd a firmware that is zip containing both DBUpdate3P2023.bin and DBUpdateOROM2023.bin. However snapd expects a signature list here. The update will be failed. [ Test Plan ] 1. On desktop or laptop with Ubuntu 25.10 installed - 2. Update the snapd to 2.74.1 + 2. Update the snapd to 2.74.1 or later. 3. Update the fwupd to the version mentioned in LP: #2143688 - 4. Refresh fwyod by $ fwupdmgr refresh + 4. Refresh fwyod by $ fwupdmgr refresh 5. Perform fwupd by $ fwupdmgr update 6. On the update "UEFI CA from 2011 to 2023", choose "Y" and continue 7. The update can be performed successfully [ Where problems could occur ] Snapd needs to be given the firmware updates in the right order. The change of API will come in snapd 2.74.1 or 2.74.2. Though since giving the composite update at once as zip does not work on any version. So it is safe to just try to use the new API when multiple updates are to be applied. [ Additional information ] The SRU denote the prerequisite for LP: #2143688, which needs to be performed for questing fwupd update. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2139611 Title: snapd fails to prepare db update, giving BadRequest To manage notifications about this bug go to: https://bugs.launchpad.net/fwupd/+bug/2139611/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
