Package: release.debian.org
Severity: normal

fwupd plays a sometimes non-obvious but crucial role in the story for supporting systems with UEFI secure boot.
The Microsoft CA associated with the signing of shim is about to expire. Microsoft and the shim community have been working to prepare the ecosystem for this change. It involves being able to update the trust chain in the UEFI 'db'. This change is to be pushed via a signed update to the Linux Vendor Firmware Service (LVFS), but in order to accept the change a newer fwupd is needed. The minimum version of fwupd required is 2.0.12, for which neither bookworm nor trixie is new enough.

This issue is demonstrated here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1138871

Due to update safety checks introduced in the fwupd engine, it is not feasible to backport just this functionality. It would actually be significantly more risky to do such a change because of how error-prone and large such a backport would be. On the other hand, 2.0.20 is well tested, and even downstream distributions like Ubuntu are adopting it across all their LTS releases. Here is their tracker: https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578

So I would like to do the following in Debian:

1) Update Trixie to the 2.0.20 fwupd release. 2.0.20 is already in trixie-backports. Basically bump the upload in backports to a new changelog entry to target stable. I have the proposal for this done here already: https://salsa.debian.org/efi-team/fwupd/-/tree/trixie?ref_type=heads

2) Update Bookworm's libxmlb (0.3.10-2) to trixie's version of libxmlb (0.3.22-1). This is needed for a build dependency of fwupd 2.0.20.

3) Update Bookworm's libjcat (0.1.9-1) to trixie's version of libjcat (0.2.3-1). This is needed for a build dependency of fwupd 2.0.20.

4) Update Bookworm to the 2.0.20 fwupd release. This requires some slight changes from the trixie backport. This is mostly because of changes to gobject introspection in newer glib versions. I have the proposal for this staged on this branch: https://salsa.debian.org/efi-team/fwupd/-/tree/bookworm?ref_type=heads

---

I realize this is a very big ask and unusual for a stable update, but ensuring the boot process for systems utilizing UEFI secure boot continues to work and is secure is paramount IMO.
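The request above hinges on one threshold: a system needs fwupd 2.0.12 or newer to accept the signed UEFI db trust-chain update from LVFS. The following POSIX sh snippet is an added example (not part of the bug report or of fwupd itself) that compares an installed fwupd version string against that minimum, so an administrator can tell whether a given host is still on a release that cannot take the update. It assumes the version string is obtained separately (for instance from `dpkg-query -W -f='${Version}' fwupd` on Debian) and passed in as an argument; the stripping of a Debian revision suffix such as `-1~bpo13+1` before the numeric comparison is this example's own choice.

```sh
#!/bin/sh
# Added example, not code from the bug report or from fwupd: check whether an
# fwupd version string meets the 2.0.12 minimum needed to accept the UEFI db
# trust-chain update described above.

FWUPD_MIN_VERSION="2.0.12"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Anything after the first non-numeric, non-dot character (e.g. a Debian
# revision like "-1~bpo13+1") is dropped before comparing. Components are
# compared numerically, left to right; a missing component counts as 0.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}          # leading component of each
        ca=${ca:-0};  cb=${cb:-0}         # treat "2.0" like "2.0.0"
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
        # equal so far: strip the leading component and continue
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                              # all components equal
}

# fwupd_supports_db_update VERSION: print "yes" if VERSION can accept the
# db trust-chain update (>= 2.0.12), "no" otherwise.
fwupd_supports_db_update() {
    if version_ge "$1" "$FWUPD_MIN_VERSION"; then
        echo yes
    else
        echo no
    fi
}

# Usage: ./check-fwupd.sh "$(dpkg-query -W -f='${Version}' fwupd)"
if [ "$#" -gt 0 ]; then
    printf 'fwupd %s can accept the UEFI db update: %s\n' \
        "$1" "$(fwupd_supports_db_update "$1")"
fi
```

On a Debian host the same decision can be delegated to the packaging tools (`dpkg --compare-versions "$ver" ge 2.0.12`), which also understand epochs and tilde ordering; the hand-rolled comparison here is only so the check runs on systems without dpkg.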

