It is a binary copy of a rebuild in a PPA with the questing-security
pocket enabled only, without questing-updates.

This way it can eventually be copied to the security pocket; this is
because we want to release this as "security updates" eventually, to
prepare for the shim in security requiring the new CA.

Mate

On Tue, Mar 31, 2026 at 12:45 PM Mario Limonciello
<[email protected]> wrote:
>
> What exactly is the point of the questing bump? It looks like purely
> changelog only.
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/2142578
>
> Title:
>   [SRU] fwupd backports for KEK and db updates
>
> Status in fwupd package in Ubuntu:
>   Invalid
> Status in gnome-software package in Ubuntu:
>   Invalid
> Status in libjcat package in Ubuntu:
>   Invalid
> Status in libxmlb package in Ubuntu:
>   Invalid
> Status in plasma-discover package in Ubuntu:
>   Invalid
> Status in fwupd source package in Jammy:
>   Fix Committed
> Status in gnome-software source package in Jammy:
>   New
> Status in libjcat source package in Jammy:
>   Fix Committed
> Status in libxmlb source package in Jammy:
>   Fix Committed
> Status in plasma-discover source package in Jammy:
>   New
> Status in fwupd source package in Noble:
>   Fix Committed
> Status in gnome-software source package in Noble:
>   New
> Status in libjcat source package in Noble:
>   Fix Committed
> Status in libxmlb source package in Noble:
>   Fix Committed
> Status in plasma-discover source package in Noble:
>   New
> Status in fwupd source package in Questing:
>   Fix Committed
> Status in gnome-software source package in Questing:
>   New
> Status in libjcat source package in Questing:
>   In Progress
> Status in libxmlb source package in Questing:
>   In Progress
> Status in plasma-discover source package in Questing:
>   New
>
> Bug description:
>   [ Impact ]
>
>    * Every device running Ubuntu on UEFI with Secure Boot enabled is
>   impacted.
>
>    * Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party
>      UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a
>      wide variety of devices that ship from the factory with Microsoft's trust.
>      However, this CA, and its corresponding Key Exchange Key (KEK) CA used for
>      signing revocations, is set to expire in July 2026. After this date, it
>      cannot be used to sign any further bootloader updates or security revocations.
>
>    * To retain the ability to ship future shim security updates and process future
>      UEFI revocations, Ubuntu as an OS must roll out updates to the code signing
>      and KEK infrastructure. All major Linux distributions and hardware vendors
>      supporting Linux have aligned on using fwupd and the Linux Vendor Firmware
>      Service (LVFS) as the mechanism to do so.
>
>    * Only fwupd 2.x.x supports installing these specific CA updates.
>      Thus, we have decided to backport the latest fwupd release to ensure users
>      can receive these critical certificates before the 2026 deadline.
>
>    * Those firmware updates no longer supported by old fwupd will also
>   now be available, potentially resolving critical security issues in
>   the firmware.
>
>   [ Test Plan ]
>
>    * Smoke test fwupd still retains basic functionality after the
>   update.
>
>    * Verify on an empty virtual machine with only the 2011 UEFI CA installed
>      that fwupd is capable of installing the 2023 CAs.
>
>    * Canonical Certifications team should test the fwupd updates on certified device:
>      1. Test their to update UEFI db and KEK CA;
>      2. Ensure that devices with firmware updates available do not lose the
>         ability to update firmware.
>
>   [ Where problems could occur ]
>
>    * This is a major upstream update being pushed to multiple stable Ubuntu
>      releases; as a result, there is obvious regression potential.
>
>    * However, not having the CA updates installable on devices running Ubuntu
>      stable releases will have much larger consequences. As a result, the
>      reporter believes that making these updates is the lesser of two evils
>      and absolutely critical for future boot security updates.
>
>    * Fwupd versions before 1.9.x are no longer supported, and not necessarily
>      able to download and install updates anymore, so regressing on this ability
>      on those branches is no longer a real concern.
>
>    * This update does not automatically change any enrolled keys; it updates the
>      fwupd package to make available the ability to install key updates.
>      The db update is signed by Microsoft's old KEK; KEK updates need to be signed
>      by every OEM with their PK.
>      Firmware internally verifies the cryptographic authenticity of these updates;
>      fwupd merely acts as a conduit for passing the appropriate updates to the
>      firmware.
>
>   [ Other Info ]
>
>    * We are additionally backporting libxmlb and libjcat which are direct
>      dependencies from the same author. These libraries are heavily intertwined
>      with fwupd and rarely used outside of it; backporting newer versions is
>      deemed to be the least disruptive way to ensure fwupd is functional.
>
>    * This is a very large hammer and goes beyond the usual scope of an SRU,
>      but the resolution of this issue is absolutely critical for the future
>      functionality of stable Ubuntu in the face of the Microsoft 2011 CA
>      expiry.
>
>    * Alternative options such as backporting only the db and KEK update mechanism
>      of fwupd were explored and discarded due to fragility.
>
>    * The current version of fwupd in 22.04 LTS is no longer supported upstream
>      in any case.
>
>    * These updates are built in a PPA with only the security pocket enabled
>      and will be copied to the main archive.
>      This is done with the express purpose of being able to easily copy them
>      to the security pocket at any time.
>
>    * The jammy backport disables support for modem manager and updating modem
>      firmware due to jammy's out of date modem manager not being compatible with
>      new fwupd.
>
>    * Resolute added some patches for notifying snapd of db update in order to
>      be able to do TPM FDE resealing. These patches remain in the backports due to
>      TPM FDE availability in Noble. The snapd side of the story should
>      automatically be available via snapd update.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578/+subscriptions
>
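The bug description above says the db and KEK variables are verified by the firmware itself and that fwupd only delivers the signed updates. As an added example (not part of this thread, the bug report or fwupd), here is a small parser for the EFI_SIGNATURE_LIST format those variables use, so an administrator can list the X.509 certificates currently enrolled in db and KEK and compare their fingerprints with the 2011 and 2023 CA fingerprints taken from a trusted source; the GUIDs and efivarfs path are standard UEFI values, and the test input is constructed.

```python
"""Parse the EFI_SIGNATURE_LIST payload of UEFI db/KEK. Added example, not fwupd code."""
import hashlib
import struct
import uuid
from pathlib import Path

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# db/dbx live in the image security database namespace, KEK/PK in the global one.
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")

def parse_signature_lists(data: bytes):
    """Return (sig_type, owner, sig_data) for every entry in a concatenation of
    EFI_SIGNATURE_LISTs (raw variable payload, efivarfs attribute word removed)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(data):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size   # skip SignatureHeader
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])   # SignatureOwner GUID
            entries.append((sig_type, owner, data[pos + 16:pos + sig_size]))
            pos += sig_size
        off = end
    return entries

def x509_fingerprints(data: bytes):
    """SHA-256 of each X.509 entry's DER; compare with CA fingerprints from a
    trusted source to tell whether the 2011 or 2023 CA is enrolled."""
    return [hashlib.sha256(d).hexdigest()
            for t, _, d in parse_signature_lists(data) if t == EFI_CERT_X509_GUID]

def read_efivar(name: str, guid: str) -> bytes:
    """Read a variable from efivarfs, dropping its 4-byte attributes prefix."""
    return (EFIVARS / f"{name}-{guid}").read_bytes()[4:]

def build_list(sig_type: uuid.UUID, owner: uuid.UUID, sigs: list) -> bytes:
    """Pack one EFI_SIGNATURE_LIST with no SignatureHeader (used for test input)."""
    body = b"".join(owner.bytes_le + s for s in sigs)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(sigs[0])) + body

if __name__ == "__main__":
    for var, guid in (("db", EFI_IMAGE_SECURITY_DATABASE_GUID), ("KEK", EFI_GLOBAL_VARIABLE_GUID)):
        print(var, x509_fingerprints(read_efivar(var, guid)))
```

Run it as root on a UEFI machine before and after installing the CA update through fwupd; a newly enrolled certificate shows up as an additional X.509 fingerprint in db (and in KEK once the OEM-signed KEK update is applied).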

-- 
desktop-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs