groovy / focal fwupd sbat support

Bug #1926011 reported by Yuan-Chen Cheng
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OEM Priority Project
High
Yuan-Chen Cheng
fwupd (Ubuntu)
High
Unassigned
Focal
High
Unassigned
Groovy
High
Unassigned
fwupd-signed (Ubuntu)
High
Unassigned
Focal
High
Unassigned
Groovy
High
Unassigned

Bug Description

this is a follow-up bug for

https://bugs.launchpad.net/oem-priority/+bug/1921539/comments/23

[Impact]
Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region. fwupd in bionic does not currently contain this region.

[Test Case]
Verify that a shim that checks for sbat region can boot the fwupd with sbat region.

[Regression Potential]
This is moving to a new stable release in each of the series which is in bug fix only mode. The sbat region is the only "feature" that has been backported to this series in over a year.

information type: Proprietary → Public
Changed in fwupd (Ubuntu):
status: New → Confirmed
Revision history for this message
Mario Limonciello (superm1) wrote :

xnox had a suggestion in previous issue that we should split the UEFI package from userland package and then only build and sign UEFI package one time.

This change has happened upstream, and now there is a separate fwupd-efi repository with it's own release.
https://github.com/fwupd/fwupd-efi with release 1.0 here: https://github.com/fwupd/fwupd-efi/releases/tag/1.0

The userland packages all picked up a patch that allows skipping the build of the UEFI binary as well.

So my suggestion is that when impish opens we get the split package uploaded and working there, and then we do binary pocket copies to bring fwupd-efi and fwupd-efi-signed back to older releases.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

This patch shall be able to add sbat in current groovy deb.

A test ppa (without fwupd-signed) is currently build in https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd-groovy.

Note: per double check, both efi in fwupd and fwupd-signed do not have the sbat part there.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "fwupd-groovy-sbat.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote : Re: groovy fwupd sbat support

the efi in the ppa have the sbat section

# objdump -h /usr/libexec/fwupd/efi/fwupdx64.efi

/usr/libexec/fwupd/efi/fwupdx64.efi: file format pei-x86-64

Sections:
Idx Name Size VMA LMA File off Algn
  0 .text 000075bb 0000000000004000 0000000000004000 00000400 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc 0000000a 000000000000c000 000000000000c000 00007a00 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 00002d68 000000000000d000 000000000000d000 00007c00 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat 000000ed 0000000000010000 0000000000010000 0000aa00 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynamic 00000150 0000000000011000 0000000000011000 0000ac00 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 00000e70 0000000000012000 0000000000012000 0000ae00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt 00000018 0000000000012e70 0000000000012e70 0000be70 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym 00000288 0000000000013000 0000000000013000 0000c200 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

summary: - fwupd sbat support
+ groovy fwupd sbat support
Rex Tsai (chihchun)
tags: added: oem-priority
Mathew Hodson (mhodson)
Changed in fwupd (Ubuntu):
importance: Undecided → High
Changed in fwupd (Ubuntu Groovy):
importance: Undecided → High
summary: - groovy fwupd sbat support
+ groovy / focal fwupd sbat support
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

@Mario, Given the efi / user space split, how the fwupd userspace app report the metadata back to lvfs?

The point is: with the split, even if the fwupd efi is upgraded, and the user space app is not, will the version in the metadata bump version? If not, we still need to SRU the user space app.

Ref: Metadata section in https://wiki.ubuntu.com/firmware-updates

Revision history for this message
Mario Limonciello (superm1) wrote :

I'm not sure how strong of a problem this is anymore. It definitely was problematic early in fwupd's development, but fwupd-efi hasn't had any "ABI" impacting changes for a while now.

Interesting point. There is a fwupd-efi.pc that will represent UEFI executable version (https://github.com/fwupd/fwupd-efi/blob/main/meson.build#L118). This is only used at build time in fwupd 1.6.0, and not consumed at runtime. So it was going to be installed into a build-deps only package fwupd-unsigned-dev (https://github.com/fwupd/fwupd-efi/blob/main/contrib/debian/fwupd-unsigned-dev.install)

If there is a need to represent this from runtime, it would probably mean we need to actually install at runtime too (place in fwupd-unsigned instead).

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

dbxupdate got published on uefi.org website. I would be happy to sponsor the fwupd debdiff for groovy now. To unblock roll-outs of the new shim.

The split to have standalone fwupd-efi should happen as it is a good idea - it will enable shipping newer fwupd user-space tooling in the snap / OEM archives / PPAs at an accelerated pace without impacting signed UEFI binary. But at least we don't need to rush the split.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

@mario, could you review #2 if anything else is missing?

Mathew Hodson (mhodson)
Changed in fwupd-signed (Ubuntu):
importance: Undecided → High
Changed in fwupd-signed (Ubuntu Groovy):
importance: Undecided → High
Revision history for this message
Mario Limonciello (superm1) wrote :

#8:
Would you please submit it to upstream? It will then be included in reference packaging for that release 1.4.x release stream. I think that the

+ dh_auto_configure -- $$UEFI $$DELL $$FLASHROM $$CI -Dplugin_dummy=true -Dgtkdoc=true $(CONFARGS)

Needs to remove all the $$UERI and $$DELL etc. When using $(CONFARGS) all the args should be included in that. You can reference master.
https://github.com/fwupd/fwupd/blob/master/contrib/debian/rules#L61

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

per check upstream git 1.4.x branch, the change already there.

Given so, I just switch to it and build a deb in ppa, the sbat section is there as expected.

debdiff attached.

ppa: https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd-groovy

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

@superm1 please review again, thank you.

object dump for the efi in #10

Idx Name Size VMA LMA File off Algn
  0 .text 000075bb 0000000000004000 0000000000004000 00000400 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc 0000000a 000000000000c000 000000000000c000 00007a00 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 00002d68 000000000000d000 000000000000d000 00007c00 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat 000000ed 0000000000010000 0000000000010000 0000aa00 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynamic 00000150 0000000000011000 0000000000011000 0000ac00 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 00000e70 0000000000012000 0000000000012000 0000ae00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt 00000018 0000000000012e70 0000000000012e70 0000be70 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym 00000288 0000000000013000 0000000000013000 0000c200 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

Timo Aaltonen (tjaalton)
no longer affects: oem-priority/focal
Changed in fwupd (Ubuntu):
status: Confirmed → Fix Released
Changed in fwupd-signed (Ubuntu):
status: New → Fix Released
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

typo fix and add bug number in changelog.

this is more to make sure the sbat patch works in groovy (although it's close to EOL)

then we can move on to focal/bionic, etc.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Need SRU team to kindly approve and copy to groovy proposed channel.
Note: I'd still to do the SRU to make sure it works well with the SBAT enable shim.
After this is done, next AI is to have a exception to SRU this to focal. Ref: lp:1920723

thanks to timo. fwupd (source) 1.4.7-0~20.10.2 live in groovy unapproved queue.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

debdiff for fwupd-signed

Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.4.7-0~20.10.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Groovy):
status: New → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in fwupd-signed (Ubuntu Groovy):
status: New → Fix Committed
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Yuan-Chen, or anyone else affected,

Accepted fwupd-signed into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.30.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in oem-priority:
status: Confirmed → In Progress
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

I install groovy the same machine as in lp:1921539, #12

Machine: Dell Latitude 5300
BIOS: 1.10.4

and install fwupd 1.4.7-0~20.10.2 / fwupd-signed 1.30.2+1.4.7-0~20.10.2
from the proposed channel.

sbat section exists in both fwupdx64.efi.signed and fwupdx64.efi by using command: objdump -h fwupdx64.efi.signed.

install shim 15.4-0ubuntu2 / shim-signed 1.47+15.4-0ubuntu2 from hirsute on the same machine, and turned on secure boot, then I use below command

fwupdmgr install 9da74134678173a97e2d3eb4a79f0beba0e43e85155777e040396bad6b70d0b4-firmware.cab --allow-reinstall

to re-install bios fw. I reply "Y" to reboot, and the machine reboots properly into fwupdx64.efi, then it flsh the bios and then reboots to ubuntu as expected!

Given the above verification result, the verification is passed.

tags: added: verification-done-groovy
removed: verification-needed-groovy
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

One note: along the way of install shim from hirsute, it happened to me that the machine can't properly boot to grub or fwupdx64. It just stops at the vendor logo for quite a while.

I try to do more cross-test comparisons, however, it's not 100% reproducible.

It seems to me that:

1. it's something that happens as an upgrade shim from the previous shim version.
2. As it's upgraded, and properly boot, then all sub-sequence reboots just work fine.

I think what I saw could need more tests. Plan to do that as we SRU back to focal.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

also test the new fwupd with existing groovy/shim/shim-signed, and that works fine, too.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.4.7-0~20.10.2

---------------
fwupd (1.4.7-0~20.10.2) groovy; urgency=medium

  * debian/rules: merge upstream sbat related change. (LP: #1926011)

 -- Yuan-Chen Cheng <email address hidden> Tue, 04 May 2021 07:05:41 +0800

Changed in fwupd (Ubuntu Groovy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.30.2

---------------
fwupd-signed (1.30.2) groovy; urgency=medium

  * Build depend on fwupd 1.4.7-0~20.10.2 (LP: #1926011)

 -- Yuan-Chen Cheng <email address hidden> Mon, 17 May 2021 12:22:51 +0000

Changed in fwupd-signed (Ubuntu Groovy):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Mathew Hodson (mhodson)
Changed in fwupd (Ubuntu Focal):
importance: Undecided → High
Changed in fwupd-signed (Ubuntu Focal):
importance: Undecided → High
tags: removed: verification-needed
Revision history for this message
Julian Andres Klode (juliank) wrote :

Can't seem to add bionic task, but also both kind of vital

no longer affects: oem-priority/focal
no longer affects: oem-priority/bionic
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

it depends on whether we want to track it here or lp:1921539

tags: added: fwupd
Revision history for this message
Julian Andres Klode (juliank) wrote :

Using other bug

Changed in fwupd (Ubuntu Focal):
status: New → Won't Fix
Changed in fwupd-signed (Ubuntu Focal):
status: New → Won't Fix
Changed in oem-priority:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers