[SRU] [HWE] gnu-efi 3.0.15
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnu-efi (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Won't Fix | Undecided | Unassigned |
Focal | Won't Fix | Undecided | Unassigned |
Jammy | Won't Fix | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.
Updating gnu-efi also ensures that all our fwupd-efi 1.4 binaries ship the same code which makes it easier to reason about security vulnerabilities.
[Workflow]
gnu-efi is built in ppa:ubuntu-
[Target releases]
We are only building boot assets on the latest stable release, so will SRU that only to kinetic. Rebuilding the boot assets in older stable releases should still work though; they do not technically require gnu-efi 3.0.15 for building (fwupd-efi actually doesn't build due to debhelper 13 dependency).
The tasks have been set to Won't Fix on older releases to make this clear, but this is not a hard decision: if we fix fwupd-efi to build on those releases and it turns out we need gnu-efi 3.0.15 anyhow, we can still upload it, but of course this increases regression potential for those releases.
[Test plan]
We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds. Also test and fix any reverse build depends regressions in the archive.
We will test NX support when we work on the NX supported shim.
[Where problems could occur]
To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.
summary: [SRU] gnu-efi 3.0.15 → [SRU] [HWE] gnu-efi 3.0.15
description: updated
Changed in gnu-efi (Ubuntu): status: New → Fix Released
Changed in gnu-efi (Ubuntu Focal): status: New → Won't Fix
Changed in gnu-efi (Ubuntu Jammy): status: New → Won't Fix
Changed in gnu-efi (Ubuntu Bionic): status: New → Won't Fix
Changed in gnu-efi (Ubuntu Kinetic): status: New → Triaged
All rebuilds have succeeded.
Rolling rebuild test log:
Identified reverse build depends in main:
* sbsigntool: PASS/amd64 PASS/riscv64 PASS/arm64 PASS/armhf
* syslinux (amd64-only): PASS
* systemd: PASS/amd64 PASS/riscv64 PASS/arm64 PASS/armhf PASS/i386
Initial amd64 and riscv64 test rebuilds performed by autopkgtest in a podman container, everything except riscv64 was also rebuilt in
https://launchpad.net/~ubuntu-uefi-team/+archive/ubuntu/rebuild-ppa/+packages