** Description changed:

+ [ Impact ]
+
+ The bug leads to a scenario where users multibooting other systems with
+ TPM FDE (such as Windows BitLocker) are prompted for a snapd recovery key
+ even though the currently running system is not using snapd FDE.
+
+ Consequently these users are not able to perform firmware upgrades as
+ there is no recovery key to verify.
+
+ This upload tightens the associated patch's TPM FDE detection to strictly rely
+ on the booted system, rather than purely basing it on fwupd's detection
+ which considers the additional systems as well.
+
+ [ Test Plan ]
+
+ On a machine that exhibits the detailed behavior, such as a system dual-booted
+ with a BitLocker encrypted Windows, attempt to perform an upgrade affecting
+ UEFI using fwupdmgr. Before the fix, fwupdmgr incorrectly prompts for a snapd
+ recovery key. After the fix, the update should continue without prompting
+ for a recovery key.
+
+ [ Where problems could occur ]
+
+ There is a risk that the introduced changes do not propagate glib errors
+ correctly. This could show itself as crashes after sending an EOF signal using
+ CTRL + D, rather than gracefully exiting.
+
+ [ Original description ]
+
  When running `fwupdmgr update` I see these messages:

  $ sudo fwupdmgr update
- [sudo: authenticate] Password:
+ [sudo: authenticate] Password:
  WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
  ╔══════════════════════════════════════════════════════════════════════════════╗
  ║ Upgrade UEFI CA from 2011 to 2023?                                           ║
  ╠══════════════════════════════════════════════════════════════════════════════╣
  ║ This updates the 3rd Party UEFI Signature Database (the "db") to the latest  ║
  ║ release from Microsoft.It also adds the latest OptionROM UEFI Signature      ║
  ║ Database update.                                                             ║
  ║                                                                              ║
  ║ UEFI CA and all connected devices may not be usable while updating.          ║
  ╚══════════════════════════════════════════════════════════════════════════════╝
  Perform operation? [Y|n]: y
  ╔══════════════════════════════════════════════════════════════════════════════╗
  ║ Full Disk Encryption Detected                                                ║
  ╠══════════════════════════════════════════════════════════════════════════════╣
  ║ Some of the platform secrets may be invalidated when updating this           ║
  ║ firmware. Please ensure you have the volume recovery key before continuing.  ║
  ║                                                                              ║
  ║ See https://github.com/fwupd/fwupd/wiki/Full-Disk-Encryption-Detected for    ║
  ║ more details.                                                                ║
  ╚══════════════════════════════════════════════════════════════════════════════╝
  Please enter your volume recovery key:
- My Ubuntu system does not use the TPM for encryption. The required recovery key does not match the Windows Recovery Key format: The Windows Recovery key has 8 groups of 6 digits each. But the input field wants 8 groups of 5 digits each.
- ---
+ ---
  ProblemType: Bug
  ApportVersion: 2.34.0-0ubuntu1
  Architecture: amd64
  CasperMD5CheckResult: pass
  CurrentDesktop: KDE
  DistroRelease: Ubuntu 26.04
  InstallationDate: Installed on 2021-07-01 (1747 days ago)
  InstallationMedia: Kubuntu 21.04 "Hirsute Hippo" - Release amd64 (20210420)
  Package: fwupd 2.1.1-1ubuntu2
  PackageArchitecture: amd64
  ProcVersionSignature: Ubuntu 7.0.0-13.13-generic 7.0.0-rc7
  Tags: resolute third-party-packages
  Uname: Linux 7.0.0-13-generic x86_64
  UpgradeStatus: Upgraded to resolute on 2026-01-04 (99 days ago)
  UserGroups: N/A
  _MarkForUpload: True
  modified.conffile..etc.apport.crashdb.conf: [modified]
  mtime.conffile..etc.apport.crashdb.conf: 2026-04-13T14:38:52.526997
https://bugs.launchpad.net/bugs/2148183

Title:
  [SRU] fwupdmgr asks for recovery key
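
The mismatch the reporter describes (8 groups of 6 digits for the Windows key, 8 groups of 5 digits at the prompt) can be checked mechanically before a key is typed into the wrong place. The following is an added example, not part of the bug report and not fwupd or snapd code; the numeric constraints (5-digit groups are 16-bit values, 6-digit groups are multiples of 11 with a 16-bit quotient) are assumptions based on the commonly documented encodings, and the sample keys in the comments are constructed.

```python
import re

GROUPS = 8          # both formats on this page use 8 groups
MAX_WORD = 0xFFFF   # assumption: every group encodes one 16-bit word


def classify_recovery_key(text: str) -> tuple[str, str]:
    """Return (kind, reason); kind is 'snapd', 'bitlocker' or 'unknown'.

    The reason never echoes key material, only group positions, so the
    result is safe to show in a support ticket or log.
    """
    groups = re.split(r"[-\s]+", text.strip())
    if len(groups) != GROUPS:
        return "unknown", f"expected {GROUPS} groups, got {len(groups)}"
    if not all(re.fullmatch(r"[0-9]+", g) for g in groups):
        return "unknown", "groups must contain ASCII digits only"

    widths = {len(g) for g in groups}
    values = [int(g) for g in groups]

    if widths == {5}:
        # Shape of the prompt in the report: 8 groups of 5 digits.
        for pos, value in enumerate(values, start=1):
            if value > MAX_WORD:
                return "unknown", f"group {pos} exceeds 65535"
        return "snapd", "8 groups of 5 digits, each within 16 bits"

    if widths == {6}:
        # Shape of the Windows key in the report: 8 groups of 6 digits.
        for pos, value in enumerate(values, start=1):
            if value % 11 != 0:
                return "unknown", f"group {pos} is not a multiple of 11"
            if value // 11 > MAX_WORD:
                return "unknown", f"group {pos} is out of range"
        return "bitlocker", "8 groups of 6 digits, each a multiple of 11"

    return "unknown", "groups are not uniformly 5 or 6 digits wide"


if __name__ == "__main__":
    # Constructed sample keys, not real secrets.
    for sample in (
        "00001-65535-12345-00000-54321-11111-22222-33333",
        "000011-000022-000033-720885-123453-000110-001100-011000",
    ):
        print(classify_recovery_key(sample))
```

A key that classifies as `bitlocker` cannot satisfy a prompt that expects the 5-digit format, which is the situation the reporter ran into.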
