Hello, I am writing to ask for feedback on a proposed major version update to fwupd, libxmlb, and libjcat in our stable releases (mainly 22.04 LTS and 24.04 LTS).
As many of you are likely aware, the Microsoft 3rd Party UEFI CA 2011 is set to expire in July 2026. This CA starts the Secure Boot chain for the vast majority of Ubuntu devices. To prevent devices from failing to upgrade to newer bootloader security updates or losing the ability to process revocations after this date, we must roll out the new 2023 UEFI CA and KEK.

The industry-standard mechanism for delivering these DB/KEK updates on Linux is via fwupd and LVFS. However, the versions of fwupd currently in our stable releases are too old to support this specific update mechanism. To address this, I am proposing a backport of the latest stable fwupd version (along with its tight dependencies libxmlb and libjcat).

I realize this "large hammer" approach deviates from the usual Stable Release Update (SRU) policy regarding major version bumps. However, I have evaluated alternative options, such as backporting only the DB/KEK update logic, and found them excessively fragile and difficult to maintain. Given the critical nature of the CA expiry, I believe ensuring users can easily transition to the new trust outweighs the regression risks of a version update.

Beyond SRU, this will eventually need to be copied to security pockets, so that devices running only security updates can receive a new shim when necessary.

I have a work-in-progress bug here: https://bugs.launchpad.net/ubuntu/+source/libxmlb/+bug/2142578

I would appreciate any feedback or concerns regarding this approach before proceeding further.

Thanks,
Mate Kukri

--
Ubuntu-release mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-release
