Public bug reported:

Title: UEFI dbx updates always fail with "no images in firmware" on
snapd TPM-FDE systems (regression in db-update-snapd-bad-request.patch)

Package: fwupd (Ubuntu, noble)
Affected version: 2.0.20-1ubuntu2~24.04.1 (noble-updates); the bug is also
present in 2.0.20-1ubuntu2~24.04.2 (noble-proposed, patch unchanged)

## Summary

On Ubuntu 24.04 systems using snapd-managed TPM-backed full-disk
encryption, every UEFI dbx update fails with:

    failed to write-firmware: no images in firmware

The failure is caused by the Ubuntu-specific patch
debian/patches/db-update-snapd-bad-request.patch (introduced in
2.0.19-1ubuntu2 via LP: #2139611, shipped to noble in
2.0.20-1ubuntu2~24.04.1 via LP: #2142578).
The patch makes it impossible to install any dbx update on exactly the
systems the snapd integration is meant to protect. This blocks
urgency=High security updates (dbx 20241101/20250507/20250902/20260402,
covering CVE-2024-7344, CVE-2025-3052, CVE-2025-47827, CVE-2026-8863).

## Steps to reproduce

1. Ubuntu 24.04 installed with hardware-backed (TPM) full-disk encryption 
(snapd FDE, ubuntu-data-enc/ubuntu-save-enc LUKS volumes, ubuntu-fde tokens).
2. fwupd 2.0.20-1ubuntu2~24.04.1, current dbx 20230501.
3. Run: fwupdmgr update (or fwupdmgr install <dbx-device-id> 20250902, or the 
Firmware Updater GUI — all frontends fail identically).

## Expected result

The dbx update is written (with snapd notified beforehand so it can
reseal FDE keys against the new PCR 7 state).

## Actual result

    └─UEFI dbx:
      │   Previous version:   20230501
      │   Update State:       Failed
      │   Update Error:       failed to write-firmware: no images in firmware

Reproduced with both the 20260402 and 20250902 releases from LVFS. The
write phase aborts before anything touches the dbx EFI variable. (LVFS
failure report was uploaded from the affected machine.)

## Root cause

db-update-snapd-bad-request.patch rewrites
fu_snapd_uefi_plugin_composite_peek_firmware()
(plugins/snapd-uefi/fu-snapd-uefi-plugin.c) to branch on the number of
child images in the FuFirmware container:

    images = fu_firmware_get_images(firmware);
    if (images->len == 1) {
        /* single payload: fu_firmware_get_bytes(firmware, ...) */
    } else if (images->len > 1) {
        /* composite: "payloads":[...] array */
    } else {
        g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_INTERNAL,
                    "no images in firmware");
        return FALSE;
    }

However, the UEFI dbx device's prepare_firmware vfunc
(plugins/uefi-dbx/fu-uefi-dbx-device.c, fu_uefi_dbx_device_prepare_firmware)
returns a plain fu_firmware_new() container with the payload set as bytes
and zero child images: it parses a FuEfiSignatureList only transiently for
the ESP safety check and deliberately returns the raw blob for the
authenticated variable write. This is unchanged upstream through 2.1.1.

Therefore images->len == 0 for every dbx update, the new else-branch
fires unconditionally, composite_peek_firmware() returns FALSE, and
fu_engine_write_firmware() aborts with "failed to write-firmware: no
images in firmware" before the snapd prepare request is even sent.

The pre-patch code (upstream 2.0.20) handled this fine: it called
fu_firmware_get_bytes(firmware) directly, which returns the payload
bytes regardless of child image count. The upstream version of this
change (commit 703e2fd / PR fwupd/fwupd#9870, refactored in 2.1.x) also
has no fatal zero-images branch — which matches LVFS test reports
showing these same dbx releases installing successfully on Ubuntu
25.10/26.04 with fwupd 2.1.x.

Effect of the branch conditions in the shipped patch:
- db/KEK updates (FuEfiSignatureList with >= 1 child image): work — this is 
what the SRU verification in LP: #2142578 tested.
- dbx updates (flat blob, 0 child images): always fail. This case appears not 
to have been covered by the SRU verification.

## Suggested fix

Treat images->len == 0 as the single-payload case (fall back to
fu_firmware_get_bytes(firmware) on the container, as both the pre-patch
code and upstream do) instead of erroring. That is, change the first
condition to images->len <= 1 and drop the fatal else-branch.
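The following is an added example, not fwupd code and not part of the
original report: a self-contained C model of the branch logic described
in the root-cause section, so the two container shapes (dbx: bytes set,
no children; db/KEK: one parsed child) can be run through the shipped
branch structure and through the suggested "images->len <= 1" fallback
side by side. The Firmware struct, the peek_shipped()/peek_fixed()
functions and firmware_get_bytes() are hypothetical stand-ins for
FuFirmware, fu_snapd_uefi_plugin_composite_peek_firmware() and
fu_firmware_get_bytes(); the sample payload is a constructed minimal
EFI_SIGNATURE_LIST with one EFI_CERT_SHA256 entry, the shape of a dbx
hash entry, not a real LVFS release.

```c
/* Added example (not fwupd code): model of composite_peek_firmware()'s
 * branch on the child-image count, with the shipped patch's structure
 * next to the suggested fix. All names here are hypothetical stand-ins. */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IMAGES 4

typedef struct Firmware {
    const uint8_t *bytes;                 /* payload set on the container */
    size_t len;
    struct Firmware *images[MAX_IMAGES];  /* child images */
    size_t n_images;
} Firmware;

typedef struct {
    bool ok;
    const char *error;    /* NULL on success */
    size_t n_payloads;    /* blobs that would be sent to snapd */
    size_t total_len;     /* sum of their sizes */
} PeekResult;

/* Stand-in for fu_firmware_get_bytes(): the container's own payload. */
static bool firmware_get_bytes(const Firmware *fw, const uint8_t **out, size_t *out_len) {
    if (fw->bytes == NULL) return false;
    *out = fw->bytes; *out_len = fw->len;
    return true;
}

/* Composite case: one payload per child image ("payloads":[...]). */
static PeekResult peek_composite(const Firmware *fw) {
    PeekResult r = { .ok = true };
    for (size_t i = 0; i < fw->n_images; i++) {
        r.n_payloads++;
        r.total_len += fw->images[i]->len;
    }
    return r;
}

/* Single-payload case: bytes taken from the container itself. */
static PeekResult peek_single(const Firmware *fw) {
    PeekResult r = {0};
    const uint8_t *p; size_t n;
    if (!firmware_get_bytes(fw, &p, &n)) { r.error = "no bytes in firmware"; return r; }
    r.ok = true; r.n_payloads = 1; r.total_len = n;
    return r;
}

/* Branch structure of the shipped db-update-snapd-bad-request.patch. */
static PeekResult peek_shipped(const Firmware *fw) {
    if (fw->n_images == 1) return peek_single(fw);
    if (fw->n_images > 1) return peek_composite(fw);
    PeekResult r = { .ok = false, .error = "no images in firmware" };
    return r;
}

/* Suggested fix: zero children is just the single-payload case. */
static PeekResult peek_fixed(const Firmware *fw) {
    if (fw->n_images <= 1) return peek_single(fw);
    return peek_composite(fw);
}

/* Constructed sample: one EFI_SIGNATURE_LIST with a single SHA-256 entry.
 * Layout: SignatureType GUID (16) | SignatureListSize u32 | SignatureHeaderSize u32
 *         | SignatureSize u32 | entry: SignatureOwner GUID (16) + SHA-256 (32). */
#define ESL_HDR 28
#define ESL_SIG 48
#define ESL_LEN (ESL_HDR + ESL_SIG)

static void put_u32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

static size_t build_sha256_esl(uint8_t out[ESL_LEN], const uint8_t hash[32]) {
    /* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328 in its on-disk byte order */
    static const uint8_t type[16] = { 0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40,
                                      0xac,0xa9, 0x41,0xf9,0x36,0x93,0x43,0x28 };
    memset(out, 0, ESL_LEN);
    memcpy(out, type, 16);
    put_u32le(out + 16, ESL_LEN);   /* SignatureListSize */
    put_u32le(out + 20, 0);         /* SignatureHeaderSize */
    put_u32le(out + 24, ESL_SIG);   /* SignatureSize */
    memcpy(out + ESL_HDR + 16, hash, 32);  /* SignatureOwner left as the zero GUID */
    return ESL_LEN;
}

/* dbx shape from the report: bytes set on the container, no child images. */
static Firmware make_dbx_container(const uint8_t *blob, size_t len) {
    Firmware fw = { .bytes = blob, .len = len, .n_images = 0 };
    return fw;
}

/* db/KEK shape: the parsed signature list sits as one child under the container. */
static Firmware make_db_container(Firmware *child) {
    Firmware fw = { .bytes = child->bytes, .len = child->len, .n_images = 1 };
    fw.images[0] = child;
    return fw;
}

int main(void) {
    uint8_t hash[32] = {0}; hash[0] = 0xab;   /* constructed placeholder hash */
    uint8_t blob[ESL_LEN];
    size_t n = build_sha256_esl(blob, hash);
    Firmware dbx = make_dbx_container(blob, n);
    Firmware leaf = make_dbx_container(blob, n);
    Firmware db = make_db_container(&leaf);
    PeekResult a = peek_shipped(&dbx), b = peek_fixed(&dbx), c = peek_shipped(&db);
    printf("dbx, shipped patch: %s\n", a.ok ? "ok" : a.error);
    printf("dbx, suggested fix: %s (%zu bytes)\n", b.ok ? "ok" : b.error, b.total_len);
    printf("db,  shipped patch: %s\n", c.ok ? "ok" : c.error);
    return 0;
}
```

Running it prints the dbx container failing under the shipped branch
structure with exactly the reported error, the same container succeeding
under the fixed condition with the full 76-byte payload, and the
one-child db container succeeding under both, which is the asymmetry the
SRU verification would have needed a dbx case to catch.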

## Impact

All Ubuntu 24.04 (and presumably jammy/questing, which received the same
backport per LP: #2142578) machines with snapd TPM-FDE cannot apply any
UEFI dbx security update. Non-FDE machines are unaffected (snapd-uefi
plugin inactive). Since 2.0.20-1ubuntu2~24.04.2 in noble-proposed still
contains the unmodified patch, the regression will survive the pending
SRU unless fixed there.

## Additional context

- The now-dropped fwupdmgr-fde-verify-snapd-recovery-key.patch (LP:
#2156480) compounded the problem on the same systems: the interactive
prompt rejected a recovery key that was verified correct directly
against the LUKS keyslots (cryptsetup open --test-passphrase with the
key's raw 16-byte form). Its removal in ~24.04.2 is appreciated; noting
it here because both patches mis-handle the same snapd FDE code paths
and the recovery-key check may deserve a regression test before any
reintroduction.

## Environment

- Ubuntu 24.04.x, kernel 6.8.0-124-generic
- fwupd 2.0.20-1ubuntu2~24.04.1 (deb, noble-updates), fwupd-signed 1.52+1.4-1
- snapd 2.75.2+ubuntu24.04
- Lenovo ThinkPad (21NQ), Secure Boot enabled, dbx 20230501, staged db (UEFI CA 
2011→2023) update pending reboot
- snapd FDE: LUKS2 ubuntu-data-enc + ubuntu-save-enc, ubuntu-fde TPM tokens + 
ubuntu-fde-recovery keyslot

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: fwupd 2.0.20-1ubuntu2~24.04.1
ProcVersionSignature: Ubuntu 6.8.0-124.124-generic 6.8.12
Uname: Linux 6.8.0-124-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.8
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Fri Jul  3 21:43:31 2026
ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: fwupd
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.fwupd.fwupd.conf: [inaccessible: [Errno 13] Permission denied: '/etc/fwupd/fwupd.conf']

** Affects: fwupd (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug noble wayland-session

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2159556


