Ubuntu
fwupd-efi package

[SRU] [HWE] fwupd-efi/1:1.4-0ubuntu0.1 tracker

Bug #2011808 reported by Julian Andres Klode
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
fwupd-efi (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Kinetic
Fix Released
Undecided
Unassigned
Lunar
Fix Released
Undecided
Unassigned
fwupd-signed (Ubuntu)
Fix Released
Undecided
Unassigned
Bionic
Fix Released
Undecided
Unassigned
Focal
Fix Released
Undecided
Unassigned
Jammy
Fix Released
Undecided
Unassigned
Kinetic
Fix Released
Undecided
Unassigned
Lunar
Fix Released
Undecided
Unassigned

Bug Description

[Impact]
fwupd-efi 1.4 fixes issues with firmware updates on some hardware and is the first release with the NX bit set.

[[Release Notes]]
## 1.3

This release fixes the following bugs:

Fix a regression when applying updates on an HP M60
Fix the ARM system crt0 name
Show the version when starting fwupd-efi

## 1.4

This release fixes the following bugs:

Add additional checks for incompatible CRT0
Align sections to 512 bytes
Generate images that are NX compatible
Use manual symbols mode on ARM32
Use objcopy to build arm/aarch64 binaries for new binutils

[Workflow]
fwupd-efi is built in ppa:ubuntu-uefi-team/ubuntu/ppa against the security pocket in kinetic only and then binary copied following the in-progress signed boot asset workflow. fwupd-signed are built in the signing PPA in each release separately.

[Test plan]
- Boot it in the VM
- Boot it on real hardware (Julian can check built binary on ThinkPad T14 G3 AMD)

[Where problems could occur]
fwupd efi binary could regress on some platforms if there's bugs, preventing people on those platforms from upgrading their firmware.

[See also]
bug 2011804 for the related gnu-efi update.

[Other info]
We branched kinetic fwupd-signed packaging off a bit, and hence the versioning is now 1.51.1 (lunar is at 1.52), and it is that 1.51.1 that gets also backported to older releases (reuploaded with ~22.04.1 and similar).

Some changes were needed for the SRUs due to the fwupd-unsigned build-dep being to strong in 1.52, and having to install binaries to /usr/lib on bionic.

This brings it in line with grub2-signed., which also maintains one devel series and one stable series.

See original description
Julian Andres Klode (juliank)
description: updated
description: updated
Changed in fwupd-efi (Ubuntu Lunar):
status: New → Fix Released
description: updated
description: updated
Julian Andres Klode (juliank)
summary: - [SRU] [HWE] fwupd-efi 1.4
+ [SRU] [HWE] fwupd-efi/1:1.4-0ubuntu0.1 tracker
Julian Andres Klode (juliank)
description: updated
description: updated
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Julian, or anyone else affected,

Accepted fwupd-efi into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-efi (Ubuntu Kinetic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-kinetic
Changed in fwupd-efi (Ubuntu Jammy):
status: New → Fix Committed
tags: added: verification-needed-jammy
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-efi (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Kinetic):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Jammy):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Focal):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-efi into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-efi/1:1.4-0ubuntu0.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-efi (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed-bionic
Changed in fwupd-signed (Ubuntu Bionic):
status: New → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Julian, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.51.1~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Julian Andres Klode (juliank) wrote :

I have checked that fwupd-signed 1.51.1~18.04.1 successfully starts with both old and new shim.

tags: added: verification-done verification-done-kinetic
removed: verification-needed verification-needed-kinetic
tags: added: verification-done-bionic verification-needed verification-needed-kinetic
removed: verification-done verification-done-kinetic verification-needed-bionic
Revision history for this message
Julian Andres Klode (juliank) wrote (last edit ):

I have checked that fwupd-signed 1.51.1~20.04.1 successfully boots (with the current shim, not with the previous one, but the shim binaries are the same anyhow as I validated independently in the VM earlier).

By upgrading the same system to focal, removing the boot entry, running fwupdmgr update, removing the capsule files to prevent the update from actually installing (pre-release firmware would break), and then rebooting into working fwupd failing to find the capsule (which is expected).

I previously when started working on this, independently verified the executable can actually install an update on my main machine which has working updates :D

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Julian Andres Klode (juliank) wrote :

I have successfully performed the same checks in jammy with 1.51.1~22.04.1

tags: added: verification-done-jammy
removed: verification-needed-jammy
Revision history for this message
Julian Andres Klode (juliank) wrote (last edit ):

Finally, I have successfully performed the same checks in kinetic with 1.51.1

And that's all SRUs verified.

tags: added: verification-done verification-done-kinetic
removed: verification-needed verification-needed-kinetic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-efi - 1:1.4-0ubuntu0.1

---------------
fwupd-efi (1:1.4-0ubuntu0.1) kinetic; urgency=medium

  * Stable release series backport (LP: #2011808)
  * Remove i386 from list of architectures, we do not build on there in
    the target build release. armhf will continue to receive unsigned
    updates.

fwupd-efi (1:1.4-1) unstable; urgency=medium

  [ Mario Limonciello ]
  * New upstream release.
  * Notable changes:
    - Enforces NX by default.
    - Improvements for aarch64 builds.

  [ Jelmer Vernooij ]
  * Specify branch in Vcs-Git/Vcs-Browser headers

 -- Julian Andres Klode <email address hidden> Mon, 20 Mar 2023 13:11:14 +0100

Changed in fwupd-efi (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1

---------------
fwupd-signed (1.51.1) kinetic; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-signed (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd-efi has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1~22.04.1

---------------
fwupd-signed (1.51.1~22.04.1) jammy; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-signed (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-efi - 1:1.4-0ubuntu0.1

---------------
fwupd-efi (1:1.4-0ubuntu0.1) kinetic; urgency=medium

  * Stable release series backport (LP: #2011808)
  * Remove i386 from list of architectures, we do not build on there in
    the target build release. armhf will continue to receive unsigned
    updates.

fwupd-efi (1:1.4-1) unstable; urgency=medium

  [ Mario Limonciello ]
  * New upstream release.
  * Notable changes:
    - Enforces NX by default.
    - Improvements for aarch64 builds.

  [ Jelmer Vernooij ]
  * Specify branch in Vcs-Git/Vcs-Browser headers

 -- Julian Andres Klode <email address hidden> Mon, 20 Mar 2023 13:11:14 +0100

Changed in fwupd-efi (Ubuntu Jammy):
status: Fix Committed → Fix Released
Julian Andres Klode (juliank)
Changed in fwupd-signed (Ubuntu Lunar):
status: New → Fix Released
Changed in fwupd-signed (Ubuntu):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1~20.04.1

---------------
fwupd-signed (1.51.1~20.04.1) focal; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-efi (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in fwupd-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-efi - 1:1.4-0ubuntu0.1

---------------
fwupd-efi (1:1.4-0ubuntu0.1) kinetic; urgency=medium

  * Stable release series backport (LP: #2011808)
  * Remove i386 from list of architectures, we do not build on there in
    the target build release. armhf will continue to receive unsigned
    updates.

fwupd-efi (1:1.4-1) unstable; urgency=medium

  [ Mario Limonciello ]
  * New upstream release.
  * Notable changes:
    - Enforces NX by default.
    - Improvements for aarch64 builds.

  [ Jelmer Vernooij ]
  * Specify branch in Vcs-Git/Vcs-Browser headers

 -- Julian Andres Klode <email address hidden> Mon, 20 Mar 2023 13:11:14 +0100

Changed in fwupd-efi (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.51.1~18.04.1

---------------
fwupd-signed (1.51.1~18.04.1) bionic; urgency=medium

  * Rebuild against fwupd-efi 1:1.4-0ubuntu0.1 (LP: #2011808)
  * Install binaries to /usr/lib/fwupd on bionic for compatibility with
    fwupd 1.2.

fwupd-signed (1.51) lunar; urgency=medium

  * Remove i386 and armhf from the architecture list
  * Check that we are signing the correct version of fwupd and it is not revoked

fwupd-signed (1.48) lunar; urgency=medium

  [ Julian Andres Klode ]
  * Rebuild for 2022v1 resigning (LP: #2003365)

  [ Andy Whitcroft ]
  * Fix signing artifact download when faced with an authenticated archive
    pool. Switch to using common download-signed from grub2/kernel.

fwupd-signed (1.44) jammy; urgency=medium

  * Built-Using must reference the source package, not binary packages.
  * Manually include the epoch in the version number for Built-Using,
    since for some reason this is not included in the version file published
    for the EFI binaries.

fwupd-signed (1.43) jammy; urgency=medium

  * remove fwupd-unsigned from Recommends of fwupd-signed deb. (LP: #1960783)

fwupd-signed (1.42) jammy; urgency=medium

  * Adjust dependency requirements. Since the package is decoupled from
    fwupd now, the version it needs to depend on doesn't need to match
    the package version.

fwupd-signed (1.41) jammy; urgency=medium

  * Build depends on fwupd-unsigned 1:1.1-3 (LP: #1955386)
  * Adjust download script to download candidate version instead of from
    "current" symlink

 -- Julian Andres Klode <email address hidden> Tue, 07 Mar 2023 13:32:57 +0100

Changed in fwupd-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.