Update focal fwupd to 1.3.11 point release

Bug #1883568 reported by Mario Limonciello on 2020-06-15
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OEM Priority Project
High
Yuan-Chen Cheng
fwupd (Ubuntu)
Undecided
Unassigned
Focal
Undecided
Unassigned
fwupd-signed (Ubuntu)
Undecided
Unassigned
Focal
Undecided
Unassigned

Bug Description

[Impact]
 * Upstream has issued a 1.3.11 point release with the following fixes:
    - Actually reload the DFU device after upgrade has completed
    - Capture the dock SKU in report metadata
    - Correctly set the Logitech device protocol
    - Do not use shim for non-secure boot configurations
    - Ensure that the DeviceID is set for child devices
    - Fix an error when detaching MSP430
    - Fix the DeviceID set by GetDetails
    - Force the prometheus minor version from 0x02 to 0x01 to fix updates
    - Parse the CSR firmware as a DFU file
    - Prevent dell-dock updates to occur via synaptics-mst plugin
    - Rather than hardcoding thunderbolt to PCI slot numbers, use domain in GUID
    - Remove a dock device from the whitelist that is never going to be updated
    - Validate that gpgme_op_verify_result() returned at least one signature
    - Wait for the cxaudio device to reboot after writing firmware
    - Add more module types for the Dell dock
    - Fix the TPM PCR0 calculation
    - Check for free space after cleaning up ESP
 * All but 1 of the patches carried on top of 1.3.9 in Ubuntu focal are also included in 1.3.11 and can be dropped.

 * Per the firmware update policy described in https://wiki.ubuntu.com/StableReleaseUpdates#fwupd_and_fwupdate and https://wiki.ubuntu.com/firmware-updates we should jump to point release not backport patches

[Test Case]

 * On a device supporting updates, either install a new firmware upgrade (fwupdmgr update) or reinstall (fwupdmgr reinstall)

 * verify the update works properly

[Regression Potential]

 * Regressions are unlikely as these are all bug fixes that were prompted by users reporting problems.
 * There are no new features.
 * If a regression was to pop up it's likely to be very specific to a user's configuration.

CVE References

Mario Limonciello (superm1) wrote :

I've uploaded 1.3.10 fwupd to proposed but haven't uploaded fwupd-signed yet since there is a security vulnerability upload being sorted out right now (LP: #1883545). Once that's out of proposed I'll upload fwupd-signed here as well.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in fwupd (Ubuntu):
status: New → Confirmed
Changed in fwupd-signed (Ubuntu):
status: New → Confirmed
tags: added: oem-priority
Changed in oem-priority:
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
status: New → Confirmed
Mario Limonciello (superm1) wrote :

The security issue was sorted in LP: #1883595, so I've uploaded fwupd-signed as well.

Changed in oem-priority:
importance: Undecided → High
Mario Limonciello (superm1) wrote :

FYI I've adjusted this bug to 1.3.11 because two more high priority issues were identified and fixed and a new point release was spun to include these. They were related to a TPM PCR0 calculation error and an error encountered updating non-TBT Dell docks.
Given the 1.3.10 was not yet accepted into focal proposed, I feel it's better to include both of those fixes at the same time.

So ~ubuntu-sru or ~ubuntu-archive team member that reviews this, please reject fwupd 1.3.10 from unapproved queue and instead please take 1.3.11~focal1.

summary: - Update focal fwupd to 1.3.10 point release
+ Update focal fwupd to 1.3.11 point release
description: updated
tags: added: focal groovy
Changed in fwupd (Ubuntu Focal):
status: New → Confirmed
Changed in fwupd (Ubuntu):
status: Confirmed → Fix Committed
Changed in fwupd-signed (Ubuntu):
status: Confirmed → Fix Committed
Changed in fwupd-signed (Ubuntu Focal):
status: New → Confirmed
Yuan-Chen Cheng (ycheng-twn) wrote :

Status:
 fwupd | 1.3.10-1 | groovy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 fwupd | 1.3.11-1 | groovy-proposed | source, ppc64el, riscv64, s390x

Mario Limonciello (superm1) wrote :

#6:
Yes, groovy is waiting for someone in ~ubuntu-archive to accept for UEFI signing.
focal is waiting in unapproved queue at the moment (https://launchpad.net/ubuntu/focal/+queue?queue_state=1&queue_text=)

Changed in fwupd (Ubuntu):
status: Fix Committed → Fix Released
Changed in fwupd-signed (Ubuntu):
status: Fix Committed → Fix Released

Hello Mario, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.3.11-1~focal1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Focal):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-focal
Brian Murray (brian-murray) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd-signed into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.27.1ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Focal):
status: Confirmed → Fix Committed
Mario Limonciello (superm1) wrote :

@brian murray:

Can you please release them to fwupd-signed can finish building? UEFI archives need to be signed.

Mario Limonciello (superm1) wrote :

It still hasn't published to be tested, setting verification-failed-focal tag.

tags: added: verification-failed-focal
removed: verification-needed-focal
Łukasz Zemczak (sil2100) wrote :

Hey Mario! So I found the signed bits and approved them from Unapproved. Should we switch the tag back to verification-needed?

tags: added: verification-needed-focal
removed: verification-failed-focal
Mario Limonciello (superm1) wrote :

I tested reinstalling uefi firmware on my SUT.

$ fwupdmgr --version
client version: 1.3.11
compile-time dependency versions
        gusb: 0.3.4
        efivar: 37
daemon version: 1.3.11
$ sudo fwupdmgr reinstall
Choose a device:
0. Cancel
1. 008789c06313b7d4f0b633201febd50d9e1eba67 (Package level of Dell dock)
2. dbe8848490bf5e095a25b43d554dfe7eeebdbd82 (RTS5413 in Dell dock)
3. 537d091d8c75b154e773b245775927230ba23807 (RTS5487 in Dell dock)
4. c2f90c79db3fc6ff9b1dac0038deb519650a3660 (VMM5331 in Dell dock)
5. 6f5d391ae5ab8a40cb3544fa4020b66af0ee437a (WD19)
6. b6c08fb9e5384d9d101853cc1ca20cf0ce2df2e2 (System Firmware)
6
XPS 13 7390 must remain plugged into a power source for the duration of the update to avoid damage. Continue with update? [Y|n]: y
Downloading 1.5.1 for System Firmware...
Fetching firmware https://fwupd.org/downloads/21d4d04eedcc6d827af0787b2b667318e5b06aed0848b69a15873beb88ffda81-7390%20System%20BIOS_Ver.1.5.1.cab
Downloading… [***************************************]
Decompressing… [***************************************]
Authenticating… [***************************************]
Installing on System Firmware…\ ]
Scheduling… [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: y
$ fwupdmgr get-results
Choose a device:
0. Cancel
1. f78dd6bb609522e31f1ff2ff819827108606d18a (Thunderbolt Controller)
2. 008789c06313b7d4f0b633201febd50d9e1eba67 (Package level of Dell dock)
3. dbe8848490bf5e095a25b43d554dfe7eeebdbd82 (RTS5413 in Dell dock)
4. 537d091d8c75b154e773b245775927230ba23807 (RTS5487 in Dell dock)
5. c2f90c79db3fc6ff9b1dac0038deb519650a3660 (VMM5331 in Dell dock)
6. 6f5d391ae5ab8a40cb3544fa4020b66af0ee437a (WD19)
7. 58bd405f31c48e6eca290b425f530a94c91e955c (Event Log)
8. c6a0cfba7c7d81e253fce571e1d1e9f6003ae1c7 (PC601 NVMe SK hynix 512GB)
9. b6c08fb9e5384d9d101853cc1ca20cf0ce2df2e2 (System Firmware)
10. c6a80ac3a22083423992a3cb15018989f37834d6 (TPM 2.0)
11. b26933c085b020ecf84c490812458523aee710ac (Touchpad)
12. bbbf1ce3d1cf15550c3760b354592040292415bb (UHD Graphics)
9
System Firmware:
  Device ID: b6c08fb9e5384d9d101853cc1ca20cf0ce2df2e2
  Previous version: 1.5.1
  Update State: success
  Last modified: 2020-07-02 13:27
  GUID: cbe49cca-492b-93e8-b0f4-f693501f271b
  Device Flags: • Internal device
                         • Updatable
                         • Requires AC power
                         • Needs a reboot after installation
                         • Cryptographic hash verification is available
                         • Device is usable for the duration of the update

tags: added: verification-passed verification-passed-focal
removed: verification-needed verification-needed-focal
Yuan-Chen Cheng (ycheng-twn) wrote :

I got a Precision-3541 that's running bios 1.5.1, and it have new bios 1.9.1

I install fwupd and fwupd-signed package from proposed channel with the following version

ii fwupd 1.3.11-1~focal1 amd64 Firmware update daemon
ii fwupd-signed 1.27.1ubuntu2+1.3.11-1~focal1 amd64 Linux Firmware Updater EFI signed binary

I click the button in "Updates" tab of "Ubuntu Software" app, and reboot. The bios is correctly upgrade from 1.5.1 to 1.9.1.

I config in fwupdmgr get-devies that the bios does upgraded.

├─System Firmware:
│ Device ID: 4a73cf8d37b14dd37091e22ef71007223fb9aa67
│ Current version: 1.9.1
│ Minimum Version: 1.9.1
│ Vendor: Dell Inc. (DMI:Dell Inc.)
│ GUID: 0eecff0c-95b8-4ade-9717-8f4f3edc9e09
│ Device Flags: • Internal device
│ • Updatable
│ • Requires AC power
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Cryptographic hash verification is available
│ • Device is usable for the duration of the update

Given so, the verification is passed.

tags: added: verification-done verification-done-focal
removed: verification-passed verification-passed-focal
Changed in oem-priority:
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.3.11-1~focal1

---------------
fwupd (1.3.11-1~focal1) focal; urgency=medium

  * New upstream stable release: (LP: #1883568)
    - Actually reload the DFU device after upgrade has completed
    - Capture the dock SKU in report metadata
    - Correctly set the Logitech device protocol
    - Do not use shim for non-secure boot configurations
    - Ensure that the DeviceID is set for child devices
    - Fix an error when detaching MSP430
    - Fix the DeviceID set by GetDetails
    - Force the prometheus minor version from 0x02 to 0x01 to fix updates
    - Parse the CSR firmware as a DFU file
    - Prevent dell-dock updates to occur via synaptics-mst plugin
    - Rather than hardcoding thunderbolt to PCI slot numbers, use domain in GUID
    - Remove a dock device from the whitelist that is never going to be updated
    - Validate that gpgme_op_verify_result() returned at least one signature
    - Wait for the cxaudio device to reboot after writing firmware
    - Add more module types for the Dell dock
    - Fix the TPM PCR0 calculation
    - Check for free space after cleaning up ESP
  * Drop following patches, now incorporated upstream:
    - Thunderbolt: create correct GUID for dual controller devices
    - CSR: Fix parsing
    - Motd: Fix refresh target to be network.target
    - Logitech: Fix error in logs on unsigned devices and set protocol for
      signed devices properly.
    - Fix a FTBFS on empty /etc/machine-id in some buildd environments.
    - CVE-2020-10759

 -- Mario Limonciello <email address hidden> Thu, 18 Jun 2020 11:04:18 -0500

Changed in fwupd (Ubuntu Focal):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for fwupd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.27.1ubuntu2

---------------
fwupd-signed (1.27.1ubuntu2) focal; urgency=medium

  * Build depend on fwupd version 1.3.11-1~focal1 (LP: #1883568)

 -- Mario Limonciello <email address hidden> Thu, 18 Jun 2020 11:18:16 -0500

Changed in fwupd-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
Rex Tsai (chihchun) on 2020-08-15
Changed in oem-priority:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers