** Description changed:

  [ Impact ]
  
   * Every device running Ubuntu on UEFI with Secure Boot enabled is
  impacted.
  
   * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party
     UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a
     wide variety of devices that ship from the factory with Microsoft's trust.
     However, this CA, and its corresponding Key Exchange Key (KEK) CA used for
     signing revocations, is set to expire in July 2026. After this date, it
     cannot be used to sign any further bootloader updates or security revocations.
  
   * To retain the ability to ship future shim security updates and process future
     UEFI revocations, Ubuntu as an OS must roll out updates to the code signing
     and KEK infrastructure. All major Linux distributions and hardware vendors
     supporting Linux have aligned on using fwupd and the Linux Vendor Firmware
     Service (LVFS) as the mechanism to do so.
  
   * Only fwupd 2.x.x supports installing these specific CA updates.
     Thus, we have decided to backport the latest fwupd release to ensure users
     can receive these critical certificates before the 2026 deadline.
  
   * Those firmware updates no longer supported by old fwupd will also now
  be available, potentially resolving critical security issues in the
  firmware.
  
  [ Test Plan ]
  
   * Smoke test fwupd still retains basic functionality after the update.
  
   * Verify on an empty virtual machine with only the 2011 UEFI CA installed
     that fwupd is capable of installing the 2023 CAs.
  
   * Canonical Certifications team should test the fwupd updates on certified devices:
     1. Test their ability to update UEFI db and KEK CA;
     2. Ensure that devices with firmware updates available do not lose the ability to update firmware.
  
  [ Where problems could occur ]
  
   * This is a major upstream update being pushed to multiple stable Ubuntu
     releases; as a result, there is obvious regression potential.
  
   * However, not having the CA updates installable on devices running Ubuntu
     stable releases will have much larger consequences. As a result, the
     reporter believes that making these updates is the lesser of two evils
     and absolutely critical for future boot security updates.
  
   * Fwupd versions before 1.9.x are no longer supported, and not necessarily
     able to download and install updates anymore, so regressing on this ability
     on those branches is no longer a real concern.
  
   * This update does not automatically change any enrolled keys; it updates the
     fwupd package to make the ability to install key updates available.
     The db update is signed by Microsoft's old KEK; KEK updates need to be signed
     by every OEM with their PK.
     Firmware internally verifies the cryptographic authenticity of these updates;
     fwupd merely acts as a conduit for passing the appropriate updates to the
     firmware.
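The db and KEK variables named above are arrays of EFI_SIGNATURE_LIST structures, so an administrator can list what is currently enrolled before and after the fwupd update lands. The parser below is an added example, not code from the bug report or from fwupd; it assumes Python 3 and uses constructed placeholder bytes (the owner GUID and the fake certificate) in place of real enrolled data.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification; the db and KEK variables
# are arrays of EFI_SIGNATURE_LIST structures carrying these entry types.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}


def parse_signature_lists(data, efivarfs=False):
    """Return one dict (type, owner, size, sha256) per signature entry.
    efivarfs=True skips the 4-byte attributes word that efivarfs prepends
    when the bytes come from /sys/firmware/efi/efivars/db-<guid>."""
    data = data[4:] if efivarfs else data
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        # Every signature is a 16-byte SignatureOwner GUID plus the payload.
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body = data[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature array is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            payload = bytes(body[i + 16:i + sig_size])
            entries.append({"type": TYPE_NAMES.get(sig_type, str(sig_type)),
                            "owner": str(uuid.UUID(bytes_le=bytes(body[i:i + 16]))),
                            "size": len(payload),
                            "sha256": hashlib.sha256(payload).hexdigest()})
        off += list_size
    return entries


def build_signature_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST (no SignatureHeader); used for sample input."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample db: one list with a placeholder "certificate" (not a real
# CA) and one list with two SHA-256 hash entries, the shape a real db has.
OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # constructed owner GUID
FAKE_CERT_DER = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, OWNER, [FAKE_CERT_DER]) +
             build_signature_list(EFI_CERT_SHA256_GUID, OWNER, [b"\x11" * 32, b"\x22" * 32]))
```

On a live system, read /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f (and KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c) and pass efivarfs=True; the SHA-256 values of the x509 entries can then be compared against the published fingerprints of the 2011 and 2023 Microsoft CAs.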
  
  [ Other Info ]
  
   * We are additionally backporting libxmlb and libjcat which are direct
     dependencies from the same author. These libraries are heavily intertwined
     with fwupd and rarely used outside of it; backporting newer versions is
     deemed to be the least disruptive way to ensure fwupd is functional.
  
   * This is a very large hammer and goes beyond the usual scope of an SRU,
     but the resolution of this issue is absolutely critical for the future
     functionality of stable Ubuntu in the face of the Microsoft 2011 CA
     expiry.
  
   * Alternative options such as backporting only the db and KEK update mechanism
     of fwupd were explored and discarded due to fragility.
  
   * The current version of fwupd in 22.04 LTS is no longer supported upstream
     in any case.
  
   * These updates are built in a PPA with only the security pocket enabled
     and will be copied to the main archive.
     This is done with the express purpose of being able to easily copy them
     to the security pocket at any time.
  
   * The jammy backport disables support for modem manager and updating modem
     firmware due to jammy's out of date modem manager not being compatible with
     new fwupd.
  
-  * Resolute added some patches for notifying snapd of db update in order to
-    be able to do TPM FDE resealing. These patches remain in the backports due 
to
-    TPM FDE availability in Noble. The snapd side of the story should
-    automatically be available via snapd update.
+  * Resolute added some patches for notifying snapd of db update in order to
+    be able to do TPM FDE resealing. These patches remain in the backports due 
to
+    TPM FDE availability in Noble. The snapd side of the story should
+    automatically be available via snapd update.
+ 
+ 
+ ---------------------- gnome-software and plasma-discover 
----------------------
+ 
+ 
+ [ Impact ]
+ 
+  * These packages (gnome-software and plasma-discover) fail to build
+ against the new libfwupd (due to library API changes).
+ 
+  * The library is used for the client implementation for the fwupd dbus
+ API for talking to the fwupd daemon.
+ 
+  * The base dbus API is the same is the same, the new only adds new
+ functionality.
+ 
+ [ Test Plan ]
+ 
+  * Ensure that both gnome-software and plasma-discover, on both jammy
+ and noble are still capable of discovering and installing updates.
+ 
+ [ Where problems could occur ]
+ 
+  * While the dbus API is the same, the daemon -in theory- could return
+ different data causing regressions.
+ 
+  * The backporting of the patches to gnome-software and plasma-discover
+ could contain regressions that cause degradation of functionality and/or
+ crashes.

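Review bot: the third Impact bullet of the added gnome-software/plasma-discover section repeats itself ("The base dbus API is the same is the same, the new only adds new functionality"); suggest "The base dbus API is the same; the new version only adds functionality." The first Impact bullet gives "library API changes" as the only reason for the build failure against the new libfwupd, so naming the changed libfwupd calls that the backported patches adapt would make the regression surface clearer for SRU reviewers.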
** Changed in: plasma-discover (Ubuntu Questing)
       Status: New => Invalid

** Changed in: gnome-software (Ubuntu Questing)
       Status: New => Invalid

https://bugs.launchpad.net/bugs/2142578

Title:
  [SRU] fwupd backports for KEK and db updates
