upgrade fwupd/focal to 1.4.x

Bug #1920723 reported by Yuan-Chen Cheng
This bug affects 2 people
Affects               Status        Importance  Assigned to      Milestone
OEM Priority Project  Fix Released  Critical    Yuan-Chen Cheng
fwupd (Ubuntu)        Fix Released  Undecided   Unassigned
Focal                 Fix Released  Undecided   Unassigned

Bug Description

Per OEM customer CPU microcode workflow, SBAT update and other bug fixes, we need to SRU focal/fwupd to version 1.4.7.

[Impact]
 * For new features, please check comment 10.
 * For bug fixes, please check comment 11.
 * Two incidents happened that made OEM customer's machines
   unbootable. Although there is a manual workaround and it takes a very
   short time to re-spin another firmware version, it's still bad.
   Per the conclusion, customers want to enroll firmware by themselves.
   And that needs this updated fwupd.

[Test Plan]

 * Find a machine and try to upgrade firmware, and confirm it works.

[Where problems could occur]

 * Per the OEM team's past experience, we only saw one version display issue
   along the way of upgrading fwupd, and never saw any regression.

[Other Info]

 * The updated fwupd has a new dependency on libjcat; that's tracked in lp:1920724
 * This version also includes SBAT and it will be compatible with the
   shim update with SBAT.
 * The fwupd snap is also used widely. The current fwupd is version 1.5.8.
   The version 1.4.7 branch consists of cherry-picked fixes for user-reported bugs.
   Given so, the risk of upgrading is pretty low.

[Steps]
1. Upgrade libjcat/universe/focal from version 0.1.0-2 to 0.1.3-2.
2. MIR libjcat/focal to main.
3. SRU fwupd/focal from version 1.3.11-1~focal1 to 1.4.7-1~ubuntu20.04.1

tags: added: fwupd
description: updated
description: updated
information type: Proprietary → Public
Changed in fwupd (Ubuntu):
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
status: New → In Progress
Changed in oem-priority:
status: Confirmed → In Progress
Changed in fwupd (Ubuntu):
assignee: Yuan-Chen Cheng (ycheng-twn) → nobody
Yuan-Chen Cheng (ycheng-twn) wrote :

ppa for fwupd/focal 1.4.5-1~ubuntu20.04.1.

Note that fwupd/focal 1.4.5-1~ubuntu20.04.1 is a no-change rebuild from the one in groovy.

https://launchpad.net/~ycheng-twn/+archive/ubuntu/f2

Dimitri John Ledkov (xnox) wrote :

Where problems could occur -> is incomplete.

There are a lot less users on groovy, and a lot less people applying fwupd updates in groovy.

What has changed/fixed? Which plugins/machines/skus are affected?

Also note that this fwupd will not work with the next shim, due to lack of sbat sections.
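The check behind the SBAT concern raised in this thread, as an added example that is not part of the original bug report or of fwupd: it walks a PE/COFF section table and returns the parsed `.sbat` CSV rows, or `None` when the section is absent. The helper names, the constructed sample image, and the sample SBAT values are assumptions made for illustration.

```python
import csv
import struct

# Constructed sample .sbat payload (illustrative values, not from a real package).
SAMPLE_SBAT = (
    b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
    b"fwupd,1,Firmware update daemon,fwupd,1.4.7,https://github.com/fwupd/fwupd\n"
)

def build_sample(sbat_csv=None):
    """Constructed minimal PE image (headers only, not bootable) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew lives at 0x3C
    nsec = 0 if sbat_csv is None else 1
    image = dos + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 0, 0)
    if sbat_csv is not None:
        raw_ptr = len(image) + 40  # section data follows the one 40-byte header
        image += struct.pack("<8sIIIIIIHHI", b".sbat", len(sbat_csv), 0x1000,
                             len(sbat_csv), raw_ptr, 0, 0, 0, 0, 0x40000040)
        image += sbat_csv
    return image

def sbat_entries(pe):
    """Return the rows of the .sbat section, or None if the image has none."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (no PE signature)")
    # COFF header: Machine, NumberOfSections, three uint32, SizeOfOptionalHeader, flags
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") == b".sbat":
            size = min(vsize, raw_size) if vsize else raw_size
            text = pe[raw_ptr:raw_ptr + size].rstrip(b"\0").decode("utf-8")
            return [row for row in csv.reader(text.splitlines()) if row]
    return None

if __name__ == "__main__":
    for label, img in (("with .sbat", build_sample(SAMPLE_SBAT)),
                       ("without .sbat", build_sample())):
        print(label, "->", sbat_entries(img))
```

To check an installed binary, pass the bytes of the fwupd EFI file to `sbat_entries`; a `None` result means the image carries no SBAT section.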

Yuan-Chen Cheng (ycheng-twn) wrote :

fwupd 1.4.5 was tagged in upstream git on Jul 30, 2020.
fwupd 1.4.6 was tagged in upstream git on Sep 7, 2020.
fwupd 1.3.11 was tagged in upstream git on Jun 18, 2020.
 (current focal/fwupd is 1.3.11-1~focal1)

For SBAT, the current fwupd in focal also does not have lots of sbat patches existing in the master branch.

Comparing the git log in master and 1.4.n, none of the existing 1.4.n releases has all the patches containing the sbat keyword in the log from the master branch. If we want to fix all those issues at once, we will need to use the next 1.4.n release.

AI:
 1. to ask for help on refining potential problems.
 2. to check the sbat/shim timeline and possible full sbat support fwupd version.

Mario Limonciello (superm1) wrote :

SBAT support was merged into 1.5.7 release that is present in Hirsute. It is also backported to 1_4_X, 1_3_X, and 1_2_X branches however those have not had point releases created yet.
I've filed this to request it: https://github.com/fwupd/fwupd/issues/3057. Feel free to add more color.

Changed in fwupd (Ubuntu):
status: In Progress → Fix Released
Changed in fwupd (Ubuntu Focal):
status: New → In Progress
Yuan-Chen Cheng (ycheng-twn) wrote :

Does anyone know the timeline of the sbat shim?
Given the above info, there are two possible paths:

One:
 1. upgrade groovy fwupd from 1.4.5 to 1.4.7
 2. SRU focal fwupd from 1.3.11 to 1.4.7

Two:
 1. SRU focal fwupd from 1.3.11 to 1.4.5 (the current fwupd in groovy)
 2. Wait for Groovy EOL.
 3. Upgrade focal fwupd from 1.4.5 to 1.4.7 to make sbat work.

It's hard to say which one will be more efficient per my understanding. Feel free to comment on this.

Yuan-Chen Cheng (ycheng-twn) wrote :

For path Two, it could also be:

 1. SRU focal fwupd from 1.3.11 to 1.4.5
 2. Upgrade fwupd in both focal and groovy from 1.4.5 to 1.4.7 to make sbat work if SBAT has landed before groovy EOL.

Mario Limonciello (superm1) wrote :

All the releases with SBAT came out today:

1.4.7: https://github.com/fwupd/fwupd/releases/tag/1.4.7
1.3.12: https://github.com/fwupd/fwupd/releases/tag/1.3.12
1.2.14: https://github.com/fwupd/fwupd/releases/tag/1.2.14

Per current agreed upon policy at https://wiki.ubuntu.com/firmware-updates bionic should take 1.2.14, focal should take 1.3.12 and groovy 1.4.7.

Deviating from that agreed policy will need extra approval from SRU team.

One thing that I think is worth considering - there may be value in unifying single release version across all the LTS releases (similar to what is done with shim).

Yuan-Chen Cheng (ycheng-twn) wrote :

Features 1.3.11 (current focal version) to 1.4.7:

Add a re-implementation of the rhboot dbxtool
Add commands to fwupdtool for interacting with the ESP
Add support for the LabTop Mk IV
Add support for the Realtek RTD21XX I²C protocol
Add X-Configuration category to use for dbx updates
Allow blocking specific firmware releases by checksum
Allow plugins to set remove delay only on the child
Allow updating the dbx, validating it is safe to apply
Support download of large DFU firmware
Support polling the status from device in dfuManifest state
Add dual-image feature for VL103 backup firmware
Add more CCGX hybrid dock support
Add support for a delayed activation flow for Thunderbolt
Allow firmware to require specific features from front-end clients
Modernize the thunderbolt plugin for future hardware
Support LVFS::UpdateImage in GUI clients
Add support for HP DMC dock devices
Allow adding a device 'proxy' device that can do actions on it
Allow specifying the device on the command line by GUID
Add 'firmware-convert' subcommand to fwupdtool
Add fu_device_retry() API
Add FuHidDevice abstraction
Add plugin for CPU microcode
Add plugin for Cypress CCGX hardware
Add plugin for EP963x hardware
Add 'reinstall' command to fu-tool
Allow server metadata to set the device name and version format
Export the device state as part of the D-Bus interface
Export the release creation time and urgency
Introduce a new VersionFormat of 'hex'
Use Jcat files in firmware archives and for metadata

Yuan-Chen Cheng (ycheng-twn) wrote :

Bug fixes from 1.3.11 (current focal version) to 1.4.7:

Add SBAT metadata to the fwupd EFI binary
Check returned volumes before accessing them
Correct a Thunderbolt assertion if kernel failed FW read
Do not dedupe NVMe devices
Do not match all HIDRAW\VEN_06CB devices
Don't allow device updates while needing activation
Fix adding multiple flags to devices
Fix critical warning regression with 'fwupdate -a'
Fix probe warning for the Logitech Unifying device
Fix the quirk key name for the Lenovo HDMI with power
Make TPM more optional
Make udisks2 errors more apparent
Only set the version format for ESRT entries
Remove the Hughski public key
Restore recognizing gpg and pkcs7 types still
Wait a few ms for the Logitech hardware to settle after detach
Add missing Synaptics Prometheus GUIDs for ConfigId
Allow DFU device to attach to runtime without a bus reset
Be more careful doing multiple writes to the same device
Cancel the file monitor before disposal to avoid a potential deadlock
Correctly label the vendor for more NVMe devices
Specify a remove delay for Poly USB Cameras
Use newer libxmlb features to properly display more AppStream markup
Be more defensive when remotes are missing required keys
Check all AppStream components when verifying
Only show UpdateMessage when state is success
Read the modem vendor ID correctly
Set the runtime version to 0.0.0 for pre-1.0.0 Thelio Io firmware
Support compiling libqmi-glib 1.26.0 and later
Use the GPIOB reset for the MiniDock VL103
Wait for the root device to be replugged when updating the MSP430
Fix refreshing when checking for downgraded metadata
Always enforce the metadata signature has a valid timestamp
Check the device requirements when returning from GetDetails
Add several more ATA OUI quirks
Avoid communicating with DFU devices when bitManifestationTolerant is off
Correct the display of final calculated PCRs
Delay activation for Dell Thunderbolt updates
Do not use synaptics-rmi on the Dell K12A
Fix switching wacom-raw to bootloader mode
Switch the default of EnumerateAllDevices to false
Use GPIOB to reset the VL817 found in two Lenovo products
Add a device quirk that forces an explicit device-id match
Allow a device to set the logical or physical ID during ->setup()
Correctly format firmware version of Dynabook X30 and X40
Do not show safe mode errors for USB4 host controllers
Do not show the USB 2 VLI recovery devices for USB 3 hubs
Make the EP963X plugin actually work on real hardware
Make the tss2-esys dep conditional for RHEL 8
Only update the FW2 partition of the ThinkPad USB-C Dock Gen2
Prefer to update the child device first if the order is unspecified
Refresh device name and format before setting supported flag
Reset the progressbar time estimate if the percentage is invalid
Set the CCGX device name and summary from quirk files
Add a lot of missing metadata about wacom-usb devices
Add a way to set the device timeout from a quirk
Add STM32F745 DfuSe version quirk
Allow waiting for the parent device when replugging
Apply version format to releases and devices at same time
Check the firmware requirements before adding 'SUPPORTED'
Correctly attach VL103 after a firmware update
Do not allow device...


description: updated
description: updated
description: updated
Yuan-Chen Cheng (ycheng-twn) wrote :

Given we want to include SBAT, we need that to land in hirsute first, then groovy and focal. And that's tracked in lp:1921539.

description: updated
Yuan-Chen Cheng (ycheng-twn) wrote :

For focal/fwupd 1.3.x to 1.4.x,

Per

https://bugs.launchpad.net/ubuntu/+source/fwupd-signed/+bug/1900935/comments/3

and

https://bugs.launchpad.net/ubuntu/+source/fwupd-signed/+bug/1900935/comments/4

Could you please share your comment on whether we are ok to go?

elatllat (elatllat) wrote :

The false error "TPM PCR0 differs from reconstruction" is another reason to push out the next version;

https://github.com/fwupd/fwupd/issues/3204

Yuan-Chen Cheng (ycheng-twn) wrote :

Now we are going to upgrade fwupd to 1.5.11. It's in focal-proposed.

Changed in fwupd (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in oem-priority:
status: In Progress → Fix Committed
Yuan-Chen Cheng (ycheng-twn) wrote :

We've SRU'd focal/fwupd to 1.5.11, so close this one.

Changed in fwupd (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in oem-priority:
status: Fix Committed → Fix Released