2022v1 resigning
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fwupd-efi (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Triaged | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Lunar | Fix Released | Undecided | Unassigned |
fwupd-signed (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Unassigned |
Focal | Fix Released | Undecided | Unassigned |
Jammy | Fix Released | Undecided | Unassigned |
Kinetic | Fix Released | Undecided | Unassigned |
Lunar | Fix Released | Undecided | Unassigned |
Bug Description
[Impact]
Resign with new 2022v1 key, as the old key is revoked in shim 15.7-0ubuntu1.
[Test plan]
Check that fwupd.efi can be started from old and new shim.
[Where problems could occur]
We're now building one signed binary for the stable releases in kinetic and copying it back to them. We last built it in jammy, so there may be toolchain-related regressions.
[Other info]
We have backported 1.51 wholesale. This matters mostly for focal, which had different version numbers so far, although its content was otherwise identical to 1.42.
This makes it clear that 1.51 is the version signed with the new key and where it is available, and it saves a lot of time compared to editing changelogs to carry a separate focal history through the ~20 uploads we do for the rotation.
fwupd-efi was built in kinetic in the ppa:ubuntu-
description: updated
description: updated
description: updated
Changed in fwupd-signed (Ubuntu Bionic): status: New → In Progress
Changed in fwupd-signed (Ubuntu Focal): status: New → In Progress
Changed in fwupd-signed (Ubuntu Jammy): status: New → Incomplete
Changed in fwupd-signed (Ubuntu Jammy): status: Incomplete → In Progress
Changed in fwupd-signed (Ubuntu Kinetic): status: New → In Progress
Changed in fwupd-signed (Ubuntu Lunar): status: New → Fix Committed
Changed in fwupd-efi (Ubuntu Lunar): status: New → Fix Released
no longer affects: fwupd (Ubuntu Focal)
no longer affects: fwupd (Ubuntu Jammy)
no longer affects: fwupd (Ubuntu Kinetic)
no longer affects: fwupd (Ubuntu Lunar)
Changed in fwupd-signed (Ubuntu Bionic): status: In Progress → Triaged
Changed in fwupd-efi (Ubuntu Bionic): status: New → Triaged
Changed in fwupd (Ubuntu Bionic): status: New → Triaged
no longer affects: fwupd (Ubuntu)
no longer affects: fwupd (Ubuntu Bionic)
SRU verification (the SRUs are binary copies, so verification will remain valid once it lands in proposed).
I have downloaded the fwupd-signed from the signing PPA as well as proposed new shim and old shim for all releases:
Downloads/fwupd-signed_1.51_20.04.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_20.04.1+1.2-3ubuntu0.2_arm64.deb
Downloads/fwupd-signed_1.51_22.04.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_22.04.1+1.2-3ubuntu0.2_arm64.deb
Downloads/fwupd-signed_1.51_22.10.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_22.10.1+1.2-3ubuntu0.2_arm64.deb
Downloads/shim-signed_1.52_ppa7+15.7-0ubuntu1_amd64.deb
Downloads/shim-signed_1.52_ppa7+15.7-0ubuntu1_arm64.deb
I extracted the debs into a directory, renamed the files around a bit for easy testing, and then I spawned VMs for both amd64 and arm64 and for each release ran

```
fwupdx64.efi.signed   # this failed because not loaded by shim (showing secure boot works)
shimx64.efi.signed.latest fwupdx64.efi.signed
shimx64.efi.signed.previous fwupdx64.efi.signed
```

from the EFI shell. This always worked fine; fwupd loaded successfully.
Here are some example runs from arm64; the serial console output in qemu is a bit garbled, so it's not all of it.
```
FS0:\> shimaa64.efi.signed.latest fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-jammy.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-kinetic.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.latest fwupd-arm64-kinetic.efi
WARNING: No updates to process, exiting in 10 seconds.
start_ishimaa64.efi.signed.latest fwupd-arm64-jammy.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
```
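The test plan and the verification above exercise the boot path through old and new shim; a complementary offline check before booting is to confirm which signing certificate the re-signed binary actually carries. This is an added example, not code from the bug report or from fwupd: it walks the PE Certificate Table and scans the PKCS#7 blob for X.509 commonName values. The commonName string for the 2022 v1 key and the toy PE image are assumptions constructed here; on a real fwupdx64.efi.signed, `sbverify --list` from sbsigntool reports the same subject.

```python
import struct

CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
CN_OID = b"\x06\x03\x55\x04\x03"  # DER-encoded OID 2.5.4.3 (commonName)

def cert_table(pe: bytes):
    """Return (file offset, size) of the Certificate Table data directory."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if e_lfanew < 0 or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    return struct.unpack_from("<II", pe, dirs + 8 * CERT_TABLE_INDEX)

def cert_entries(pe: bytes):
    """Yield the bCertificate blob of each WIN_CERTIFICATE (8-byte aligned)."""
    off, size = cert_table(pe)
    end = off + size  # size == 0 means the image carries no signature
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA and length > 8:
            yield pe[off + 8:off + length]
        off += max((length + 7) & ~7, 8)  # never stall on a zero length

def common_names(blob: bytes):
    """Heuristic DER scan: PrintableString/UTF8String following a commonName OID."""
    names, i = [], 0
    while (i := blob.find(CN_OID, i)) != -1 and i + len(CN_OID) + 1 < len(blob):
        i += len(CN_OID)
        tag, ln = blob[i], blob[i + 1]
        if tag in (0x13, 0x0C) and ln < 0x80:  # short-form length only
            names.append(blob[i + 2:i + 2 + ln].decode("ascii", "replace"))
    return names

def signed_by(pe: bytes, signer_cn: str) -> bool:
    """True if any signature in the image carries a cert with this commonName."""
    return any(signer_cn in common_names(b) for b in cert_entries(pe))

def build_sample(cn: bytes) -> bytes:
    """Constructed toy PE32+ image: one cert-table entry with a bare DER commonName, no real PKCS#7."""
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 152, 0)
    opt = struct.pack("<H", 0x20B) + b"\0" * 150  # PE32+ magic, rest zeroed
    attr = b"\x30" + bytes([len(cn) + 7]) + CN_OID + bytes([0x13, len(cn)]) + cn
    entry = struct.pack("<IHH", 8 + len(attr), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + attr
    image = bytearray(hdr + coff + opt)
    # cert-table directory entry sits at 0x40 + 24 + 112 + 8*4 = 232
    struct.pack_into("<II", image, 232, len(image), (len(entry) + 7) & ~7)
    return bytes(image) + entry + b"\0" * (-len(entry) % 8)
```

The assumed commonName is "Canonical Ltd. Secure Boot Signing (2022 v1)"; a binary still carrying only the revoked key's name will not be started by shim 15.7.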