fwupd / fwupd-efi split on version 1.7.x
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OEM Priority Project | Fix Released | Critical | Yuan-Chen Cheng | |
| fwupd (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Impish | Fix Released | Undecided | Unassigned | |
| fwupd-efi (Ubuntu) | Fix Released | Undecided | Unassigned | |
| fwupd-signed (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Bionic | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Impish | Won't Fix | Undecided | Unassigned | |
Bug Description
[Impact]
As the current fwupd is 1.7.x and its fwupd / fwupd-efi source packages have been split, we need a new way of packaging and landing those in Ubuntu.
Likewise, on bionic we want to move to newer signed fwupd-efi binaries.
[Test plan]
Install fwupd-signed built from fwupd-efi and the new fwupd, and check that it creates a boot entry. We patched out building the UEFI binary only but kept the plugin, so we need to ensure the plugin still works correctly.
[Where problems could occur]
Could have messed up disabling the UEFI bits and then people can't do UEFI firmware upgrades anymore.
[Other info]
We do not have a task for fwupd-efi as it is binary copied and we can't add it to the changelog.
[[bionic]]
On bionic the implementation is as follows (which differs from later branches where we backported 1.7):
- src:fwupd continues to build unsigned binaries and installs them, but does not submit them for signing.
- src:fwupd-unsigned binaries are not installable together with fwupd, as fwupd < 1.7.7 is broken due to them locating the binaries in /usr/libexec. Hence they are only used as building input and not installed on end user systems. They don't have to be: insecure systems can continue to use the stub shipped in fwupd itself (previous point).
- fwupd-signed is no longer provided on i386 and armhf. It is built from the binary-copied fwupd-efi now.
How does this impact users?
- Users without fwupd-signed installed will continue to use the old EFI stub shipped by fwupd itself.
- Users on amd64 and arm64 with fwupd-signed installed will receive an upgrade to the fwupd-signed built from fwupd-efi 1.4. If secure boot is disabled, they'll continue to use fwupd's old EFI stub as fwupd only uses the .signed one if secure boot is enabled.
- Users on i386 and armhf with fwupd-signed installed will remain with their installed fwupd-signed version.
- Users on i386 and armhf installing fwupd freshly will pull in an older version of fwupd-signed from security until the new fwupd is released there. Not optimal. However, fwupd does not look for the .signed version if the boot was not secure.
Alternatives:
- We can add Breaks: fwupd-signed (<< 1.51) to fwupd, however this might be ill-advised: We want to make sure that the update to fwupd is actually being installed by apt upgrade and not kept back due to APT deciding keeping fwupd-signed installed is more important (on i386, armhf).
- We can make fwupd always use a .signed version if available. Possibly later versions do. Introduces unnecessary regression potential.
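The selection rule described above (the .signed stub is only used when Secure Boot is on, otherwise fwupd's own unsigned stub) is what a tester of this SRU wants to see reproduced. The script below is an added example, not code from the bug report or from fwupd itself; it assumes the paths `/usr/libexec/fwupd/efi/fwupdx64.efi{,.signed}` named on this page, the standard efivars layout (4 attribute bytes followed by the data byte), and the boot-entry label `Linux-Firmware-Updater`, which is an assumption about fwupd's naming.

```shell
#!/bin/sh
# Added example (not from the bug report or fwupd): reproduce the stub
# selection rule and the Secure Boot check so the [Test plan] can be verified.

# secure_boot_enabled [EFIVAR]: prints 1 when Secure Boot is on, else 0.
# A missing variable (BIOS boot, or no efivarfs) counts as "not secure".
secure_boot_enabled() {
    var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
    [ -r "$var" ] || { echo 0; return 0; }
    # efivarfs files carry 4 attribute bytes first; the data byte follows.
    val=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')
    if [ "$val" = "1" ]; then echo 1; else echo 0; fi
}

# select_efi_stub DIR SB: print the stub fwupd would use per the bionic
# behaviour above: .signed only when SB=1 and the file exists, otherwise
# the unsigned stub shipped by fwupd itself. Fails if neither is present.
select_efi_stub() {
    dir="$1"; sb="$2"
    if [ "$sb" = "1" ] && [ -f "$dir/fwupdx64.efi.signed" ]; then
        echo "$dir/fwupdx64.efi.signed"
    elif [ -f "$dir/fwupdx64.efi" ]; then
        echo "$dir/fwupdx64.efi"
    else
        return 1
    fi
}

# count_fwupd_boot_entries: count fwupd boot entries in efibootmgr output
# read from stdin (label assumed to be Linux-Firmware-Updater).
count_fwupd_boot_entries() {
    grep -c -e 'Linux-Firmware-Updater' -e 'fwupd' || true
}

# report: tie the checks together on the running system.
report() {
    sb=$(secure_boot_enabled)
    echo "secure boot: $sb"
    echo "stub fwupd would use: $(select_efi_stub /usr/libexec/fwupd/efi "$sb" || echo none)"
    [ -r /usr/libexec/fwupd/efi/version ] && echo "signed stub version: $(cat /usr/libexec/fwupd/efi/version)"
    command -v efibootmgr >/dev/null && echo "fwupd boot entries: $(efibootmgr | count_fwupd_boot_entries)"
}
```

Source the script and call `report` after installing the new fwupd and fwupd-signed; a system with Secure Boot disabled is expected to keep using the unsigned stub.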
Changed in oem-priority:
- importance: Undecided → Critical
- assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
- status: New → In Progress
Changed in fwupd-efi (Ubuntu):
- status: New → Fix Released
Changed in fwupd-signed (Ubuntu):
- status: New → Fix Released
tags: added: oem-priority
Changed in oem-priority:
- status: Fix Committed → Fix Released
no longer affects: fwupd-efi (Ubuntu Bionic)
description: updated
For current fwupd 1.5.x
- Source pkg: fwupd
  usr/libexec/fwupd/efi/fwupdx64.efi
  amd64-signed-template: usr/share/doc/fwupd-amd64-signed-template/copyright / changelog.z
- Binary pkg:
  fwupd: /
  fwupd- /
- Source pkg: fwupd-signed
  archive.ubuntu.com/ubuntu/dists/focal-updates/main/uefi/fwupd-amd64/current/
  usr/libexec/fwupd/efi/fwupdx64.efi.signed
  usr/libexec/fwupd/efi/version
  usr/share/doc/fwupd-signed/*
How the EFI gets signed: it downloads the properly signed EFI from
http://
There must be something behind the scenes that signs the EFI package and uploads it there.
- Binary pkg: fwupd-signed
/
/
/