Add support for SBAT

Bug #1921539 reported by Mario Limonciello
Affects                  Status        Importance   Assigned to        Milestone
OEM Priority Project     Fix Released  High         Yuan-Chen Cheng
fwupd (Ubuntu)           Fix Released  Undecided    Unassigned
  Bionic                 Fix Released  Undecided    Mario Limonciello
  Focal                  Fix Released  Undecided    Unassigned
  Groovy                 Fix Released  Undecided    Unassigned
  Hirsute                Fix Released  Undecided    Unassigned
fwupd-signed (Ubuntu)    Fix Released  Undecided    Unassigned
  Bionic                 Fix Released  Undecided    Mario Limonciello
  Focal                  Fix Released  Undecided    Unassigned
  Groovy                 Fix Released  Undecided    Unassigned
  Hirsute                Fix Released  Undecided    Unassigned

Bug Description

[Impact]
Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region. fwupd in bionic does not currently contain this region.

[Test Case]
Verify that a shim that checks for sbat region can boot the fwupd with sbat region.

[Regression Potential]
This is moving to a new stable release in each of the series which is in bug fix only mode. The sbat region is the only "feature" that has been backported to this series in over a year.

Revision history for this message
Mario Limonciello (superm1) wrote :

All releases need to be updated including Hirsute.

Hirsute has fwupd 1.5.7 which contains sbat support, but had a mistake with the wrong character ('.' vs '-'). See https://github.com/fwupd/fwupd/pull/3070 for more context.

description: updated
Changed in fwupd (Ubuntu Hirsute):
status: New → Fix Released
status: Fix Released → New
Changed in fwupd (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Mario Limonciello (superm1)
Changed in fwupd-signed (Ubuntu Bionic):
assignee: nobody → Mario Limonciello (superm1)
Changed in fwupd (Ubuntu Focal):
status: New → In Progress
Changed in fwupd (Ubuntu Groovy):
status: New → In Progress
Changed in fwupd (Ubuntu Hirsute):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Bionic):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Focal):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Groovy):
status: New → In Progress
Changed in fwupd-signed (Ubuntu Hirsute):
status: New → In Progress
Changed in oem-priority:
assignee: nobody → Yuan-Chen Cheng (ycheng-twn)
tags: added: oem-priority
Yuan-Chen Cheng (ycheng-twn) wrote :

For focal, the SRU to version 1.4.7 and the SBAT patch is tracked in lp:1920723.

Changed in oem-priority:
importance: Undecided → High
status: New → Confirmed
tags: added: fwupd
tags: added: sbat
Yuan-Chen Cheng (ycheng-twn) wrote :

Hirsute/fwupd with sbat patch now in proposed.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.5.8-0ubuntu1

---------------
fwupd (1.5.8-0ubuntu1) hirsute; urgency=medium

  * New upstream version (1.5.8)
  * Backport a patch to fix SBAT (LP: #1921539)
  * Drop all other patches, upstream.

 -- Mario Limonciello <email address hidden> Fri, 26 Mar 2021 14:07:35 -0500

Changed in fwupd (Ubuntu Hirsute):
status: In Progress → Fix Released
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mario, or anyone else affected,

Accepted fwupd into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.4.7-0~20.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Groovy):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-groovy
Changed in fwupd-signed (Ubuntu Groovy):
status: In Progress → Fix Committed
Łukasz Zemczak (sil2100) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd-signed into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.30.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Yuan-Chen Cheng (ycheng-twn) wrote :

Given that shim with the sbat feature is still not released (lp:1921134), this is more of a pre-landing so that we can test when shim+sbat is there.

Given so, as long as there are no other regressions, I plan to tag verification-done-groovy soon.

Dimitri John Ledkov (xnox) wrote :

Ideally I would want us to split fwupd into fwupd-unsigned & fwupd-signed, like we did with grub.

That way
* fwupd will drop shipping .efi binaries
* fwupd-unsigned will only build and submit .efi binary for signing
* fwupd-signed will ship signed .efi binary

with fwupd-unsigned & fwupd-signed binary copied to all distributions, with relaxed dependencies to not depend on a strict version of fwupd userspace things.

Such that all releases share the very same build of fwupd.efi, just like all releases share the shim.efi and grub.efi nowadays.

Dimitri John Ledkov (xnox) wrote :

New shim is available in hirsute-proposed now, and I guess since this is now available in groovy-proposed, we can copy shim into groovy-proposed to complete end to end testing with the new shim.

Changed in fwupd-signed (Ubuntu Hirsute):
status: In Progress → Fix Released
Mario Limonciello (superm1) wrote :

@xnox

Can you propose this idea to upstream fwupd? Unlike GRUB there is a stronger ABI between the EFI application and userspace.

So I think it would be better to make it an upstream decision and then mirror it in Ubuntu rather than Ubuntu having to chase the potential for an ABI disaster if fwupd userspace starts to change in the future.

Yuan-Chen Cheng (ycheng-twn) wrote :

I did the following test, and the result is a failure.

Machine: Dell Latitude 5300
BIOS: 1.10.4
Test case: download the 1.10.4 BIOS cab from lvfs, and reinstall the BIOS using fwupd with the command "fwupdmgr install xxxx.cab --allow-reinstall"

Pass means: we can run the BIOS re-install.
Failed means: we can't run the BIOS re-install and we see the error message on the screen. The error message is shown on the monitor in text with a blue background.

shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.5-1
        secure boot off: Pass

shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.5-1
        secure boot on, failed msg: Verification failed: (0x1A) Security Violation

shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.7-0~20.10.1
        secure boot on, failed msg: Verification failed: (0x1A) Security Violation

        The following packages were installed to do the above test.
        fwupd_1.4.7-0~20.10.1_amd64.deb
        fwupd-signed_1.30.1+1.4.7-0~20.10.1_amd64.deb
        libfwupd2_1.4.7-0~20.10.1_amd64.deb
        libfwupdplugin1_1.4.7-0~20.10.1_amd64.deb

Is the test procedure wrong, or do I need to install something else?

Yuan-Chen Cheng (ycheng-twn) wrote :

BIOS 1.10.4 is not the most up-to-date version on lvfs. However, I think the new mechanism needs to also work on old BIOS versions.

Mario Limonciello (superm1) wrote :

Does the newer shim + grub work?

Dimitri John Ledkov (xnox) wrote :

@ycheng-twn security/foundations would like to recheck fwupd.efi binaries.

we will not release new shim to groovy, until we know that fwupd.efi is compatible.

Yuan-Chen Cheng (ycheng-twn) wrote :

@mario, the "newer shim from hirsute" + the existing grub on groovy with secure boot on boots into the OS as expected.

Yuan-Chen Cheng (ycheng-twn) wrote :

I'll try to test hirsute as I got the chance to.

Yuan-Chen Cheng (ycheng-twn) wrote :

Test passed on hirsute.

I used the same machine, installed hirsute, apt upgraded everything, and confirmed it had the updated shim and fwupd. Then I turned on secure boot and did the same test; I found fwupd does upgrade the BIOS firmware while secure boot is on, so the test passed.

Mario Limonciello (superm1) wrote :

@ycheng-twn:

In your groovy tests from one run to another was secure boot on from the moment you initiated the FW update? Or did you just turn it on after the reboot and pick "Linux Firmware Updater" entry?

I ask because fwupd will examine the state of secure boot at the time the update is attempted from in Ubuntu. If it's off, the non-signed UEFI binary is placed on the ESP. If it's on at that time, the signed binary is placed on the ESP. If you subverted the flow by changing secure boot "in-between" that could be the reason for the failure with SB on.

Yuan-Chen Cheng (ycheng-twn) wrote :

@mario, I turned secure boot on, booted into the OS, ran the fwupdmgr install command, rebooted, and then I saw the failure.

One more thing: for the new shim + groovy grub, I found the same failure happens if I use groovy/grub 1.155+2.04-1ubuntu35 to boot into the OS (so I can't boot into the OS with this grub); however, if I use groovy/grub 1.167+2.04-1ubuntu44 from the update channel, then I can boot into the OS.

Feel free to ask questions if anyone wants to reproduce and doesn't know certain steps in detail, or wants to know my steps in more detail while reviewing.

A full running session is here:

root@u-Latitude-5300:~# sh run.sh ; exit
+ dpkg -l
+ grep shim
ii shim 15.4-0ubuntu1 amd64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.46+15.4-0ubuntu1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
+ + grep fwupd
echo please run reboot 1.4.7-0~20.10.1 amd64 Firmware update daemon
ii fwupd-signed 1.30.1+1.4.7-0~20.10.1 amd64 Linux Firmware Updater EFI signed binary
ii libfwupd2:amd64 1.4.7-0~20.10.1 amd64 Firmware update daemon library
ii libfwupdplugin1:amd64 1.4.7-0~20.10.1 amd64 Firmware update daemon plugin library
+ fwupdmgr install 9da74134678173a97e2d3eb4a79f0beba0e43e85155777e040396bad6b70d0b4-firmware.cab --allow-reinstall
Decompressing… [***************************************]
Authenticating… [***************************************]
Installing on System Firmware… / ]
Scheduling… [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: n
+ md5sum /usr/libexec/fwupd/efi/fwupdx64.efi.signed /boot/efi/EFI/ubuntu/fwupdx64.efi
e3a387f8f87852e670d105145cb96168 /usr/libexec/fwupd/efi/fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168 /boot/efi/EFI/ubuntu/fwupdx64.efi
+ mokutil --sb
SecureBoot enabled
+ echo please run reboot
please run reboot

Mario Limonciello (superm1) wrote :

@xnox was there some sort of signing rotation or anything? could fwupdx64.efi in groovy have gotten signed prematurely to said rotation?

Yuan-Chen Cheng (ycheng-twn) wrote :

Today I used the same machine, installed Debian 10.9 in text mode, and installed

fwupd / fwupd-signed: 1.2.13-3+deb10u2
existing shim-signed: 1.33+15+1533136590.3beb971-7

I found I also needed to install policykit-1.

Then I did the same test with secure boot on. The test passed.

Dimitri John Ledkov (xnox) wrote :

$ wget http://archive.ubuntu.com/ubuntu/dists/groovy-proposed/main/uefi/fwupd-amd64/1.4.7-0~20.10.1/fwupdx64.efi.signed

$ md5sum fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168 fwupdx64.efi.signed

$ objdump -h ./fwupdx64.efi.signed

./fwupdx64.efi.signed: file format pei-x86-64

Sections:
Idx Name Size VMA LMA File off Algn
  0 .text 000075c0 0000000000004000 0000000000004000 00000400 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc 0000000a 000000000000c000 000000000000c000 00007a00 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 00002d68 000000000000d000 000000000000d000 00007c00 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic 00000150 0000000000010000 0000000000010000 0000aa00 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela 00000e70 0000000000011000 0000000000011000 0000ac00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.plt 00000018 0000000000011e70 0000000000011e70 0000bc70 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym 00000270 0000000000012000 0000000000012000 0000c000 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

The binary clearly does not have a .sbat section, thus it will not be trusted or booted by the new shim in hirsute.

fwupd in hirsute does have a .sbat section.

This SRU claims to add .sbat for the first time in groovy, but actually does not. So it is ok to release this SRU in groovy, but we need a follow up SRU to add sbat section for real.
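
The presence check done above with objdump -h can also be done by reading the PE section table directly, which additionally lets the SBAT CSV itself be validated. The following is an added example, not code from fwupd, shim or this SRU: it walks the PE/COFF section headers, extracts .sbat and checks each line against the six-field layout from shim's SBAT.md; the build_pe fixture and the fwupd entry in SAMPLE_SBAT are constructed for the example (shim's generation-number revocation comparison is deliberately not reimplemented here).

```python
"""Check whether an EFI (PE/COFF) binary carries a .sbat section and parse it.

Stand-alone example; not part of fwupd, shim or the Ubuntu packaging. Run as
`python3 sbat_check.py path/to/fwupdx64.efi.signed` or import and call
check_sbat(). The minimal PE builder below is a constructed test fixture only.
"""
import struct
import sys
from typing import Dict, List, Optional

# Field order defined by shim's SBAT.md (header line and each component entry)
SBAT_FIELDS = ("component_name", "component_generation", "vendor_name",
               "vendor_package_name", "vendor_version", "vendor_url")


def find_section(image: bytes, name: str) -> Optional[bytes]:
    """Return the raw bytes of PE section `name` (e.g. ".sbat"), or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    nsections = struct.unpack_from("<H", image, pe_off + 6)[0]  # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # section table start
    want = name.encode().ljust(8, b"\0")
    for i in range(nsections):
        sname, vsize, _vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        if sname == want:
            size = min(vsize, rawsize) if vsize else rawsize   # drop file-alignment padding
            return image[rawptr:rawptr + size]
    return None


def parse_sbat(raw: bytes) -> List[Dict[str, object]]:
    """Parse SBAT CSV text; the first entry must be the 'sbat' header line."""
    entries: List[Dict[str, object]] = []
    for line in raw.rstrip(b"\0").decode("utf-8").splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(",", 5)   # the trailing URL field may itself contain commas
        if len(fields) != len(SBAT_FIELDS):
            raise ValueError(f"malformed SBAT line: {line!r}")
        entry: Dict[str, object] = dict(zip(SBAT_FIELDS, fields))
        gen = str(entry["component_generation"])
        if not gen.isdigit():
            raise ValueError(f"non-numeric generation in SBAT line: {line!r}")
        entry["component_generation"] = int(gen)
        entries.append(entry)
    if not entries or entries[0]["component_name"] != "sbat":
        raise ValueError("SBAT data must start with the 'sbat,<gen>,...' header line")
    return entries


def check_sbat(image: bytes) -> Dict[str, object]:
    """Report whether the image has a syntactically valid .sbat section.
    Whether shim then accepts the generations is shim's revocation policy, not checked here."""
    raw = find_section(image, ".sbat")
    if raw is None:
        return {"has_sbat": False, "entries": []}
    return {"has_sbat": True, "entries": parse_sbat(raw)}


def build_pe(sections: Dict[str, bytes]) -> bytes:
    """Constructed test fixture: a minimal PE with a valid section table only.
    It has no optional header and is not loadable; it exists so the checks above
    can be exercised offline without a real fwupdx64.efi."""
    names = list(sections)
    hdr_end = 0x40 + 4 + 20 + 40 * len(names)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF          # 512-byte file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x2002)
    table, body, vaddr, ptr = b"", b"", 0x1000, raw_ptr
    for n in names:
        content = sections[n]
        padded = content + b"\0" * (-len(content) % 0x200)
        table += struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                             len(content), vaddr, len(padded), ptr,
                             0, 0, 0, 0, 0x40000040)
        body += padded
        vaddr += 0x1000
        ptr += len(padded)
    head = dos + b"PE\0\0" + coff + table
    return head + b"\0" * (raw_ptr - len(head)) + body


# Constructed sample: the mandatory header entry plus one (made-up) fwupd entry.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"fwupd,1,Firmware update daemon,fwupd,1.5.8,https://github.com/fwupd/fwupd\n")
WITH_SBAT = build_pe({".text": b"\xc3", ".sbat": SAMPLE_SBAT})
WITHOUT_SBAT = build_pe({".text": b"\xc3", ".data": b"\0" * 16})


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WITH_SBAT
    result = check_sbat(image)
    print("SBAT section present:", result["has_sbat"])
    for e in result["entries"]:
        print(f"  {e['component_name']} gen={e['component_generation']} "
              f"{e['vendor_package_name']} {e['vendor_version']}")
```

Pointing it at a real fwupdx64.efi.signed reports the same presence result as objdump -h, and additionally rejects a section whose CSV is malformed.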

Yuan-Chen Cheng (ycheng-twn) wrote :

Per #23, create another bug for groovy sbat SRU in lp:1926011

Yuan-Chen Cheng (ycheng-twn) wrote :

Per #23, change to verified done in groovy.

tags: added: verification-done-groovy
removed: verification-needed-groovy
Mathew Hodson (mhodson)
tags: removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.4.7-0~20.10.1

---------------
fwupd (1.4.7-0~20.10.1) groovy; urgency=medium

  * new upstream version (1.4.7)
  * Bug fixes:
    - Check returned volumes before accessing them
    - Correct a Thunderbolt assertion if kernel failed FW read
    - Do not dedupe NVMe devices
    - Do not match all HIDRAW\VEN_06CB devices
    - Don't allow device updates while needing activation
    - Fix adding multiple flags to devices
    - Fix critical warning regression with 'fwupdate -a'
    - Fix probe warning for the Logitech Unifying device
    - Fix the quirk key name for the Lenovo HDMI with power
    - Make TPM more optional
    - Make udisks2 errors more apparent
    - Only set the version format for ESRT entries
    - Remove the Hughski public key
    - Restore recognizing gpg and pkcs7 types still
    - Wait a few ms for the Logitech hardware to settle after detach
  * New features
    - Add support for SBAT. (LP: #1921539)
    - Adds support for Synaptics fingerprinter reader (LP: #1900935)
  * Fixes TPM PCR0 reading failures if all characters are 0.
    (LP: #1909734)
  * Fixes Synaptics RMI probe causing touchscreen failures
    (LP: #1886912)
  * Backport a patch from upstream 1_4_X branch to fix SBAT character.
  * Backport a patch from upstream 1_4_X branch to fix vendor-id requirement
    error on Dell WD19 (LP: #1921544)

 -- Mario Limonciello <email address hidden> Fri, 26 Mar 2021 13:45:02 -0500

Changed in fwupd (Ubuntu Groovy):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.30.1

---------------
fwupd-signed (1.30.1) groovy; urgency=medium

  * Build depend on fwupd 1.4.7-0~20.10.1
    - LP: #1921544
    - LP: #1921539
    - LP: #1909734
    - LP: #1886912
    - LP: #1900935

 -- Mario Limonciello <email address hidden> Fri, 26 Mar 2021 14:04:01 -0500

Changed in fwupd-signed (Ubuntu Groovy):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for fwupd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Yuan-Chen Cheng (ycheng-twn) wrote :

The one Mario uploaded to the bionic queue is missing the debian/rules change.

I put one with those change in https://launchpad.net/~ycheng-twn/+archive/ubuntu/fwupd-bionic-sbat-1

Per a quick check, the major diff from the current one in Debian buster is the two arm patches:

0010-uefi-capsule-Sync-linker-scripts-with-latest-used-by.patch
0011-uefi-capsule-Include-crt0-for-arm-and-aarch64-that-a.patch

juliank thinks we don't need those, so I didn't include them.

Yuan-Chen Cheng (ycheng-twn) wrote :

Following up on #29, per the built unsigned fwupdx64.efi, it does have the sbat section.

$ objdump -h ./fwupdx64.efi

./fwupdx64.efi: file format pei-x86-64

Sections:
Idx Name Size VMA LMA File off Algn
  0 .text 00007a2b 0000000000004000 0000000000004000 00000400 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc 0000000a 000000000000c000 000000000000c000 00008000 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 00002ea8 000000000000d000 000000000000d000 00008200 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat 000000ec 0000000000010000 0000000000010000 0000b200 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynamic 00000150 0000000000011000 0000000000011000 0000b400 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 00000e70 0000000000012000 0000000000012000 0000b600 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt 00000018 0000000000012e70 0000000000012e70 0000c670 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym 00000288 0000000000013000 0000000000013000 0000ca00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

Yuan-Chen Cheng (ycheng-twn) wrote :

I think we can re-use the fwupd-signed that Mario uploaded, since the version number is not changed.

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Mario, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.5.11-0ubuntu1~20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Changed in oem-priority:
status: Confirmed → In Progress
Steve Langasek (vorlon) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.5.11-0ubuntu1~20.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Julian Andres Klode (juliank) wrote :

According to bug 1934209:

Verification passed on Focal

Secure boot on
shim-signed: 1.40.6+15.4-0ubuntu7 (proposed channel, sbat applied)
fwupd: 1.5.11-0ubuntu1~20.04.2 (proposed channel, sbat applied)

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Changed in fwupd-signed (Ubuntu Focal):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.5.11-0ubuntu1~20.04.2

---------------
fwupd (1.5.11-0ubuntu1~20.04.2) focal; urgency=medium

  * force to use libjcat >= 0.1.3, or signature verification will fail.

fwupd (1.5.11-0ubuntu1~20.04.1) focal; urgency=medium

  * New upstream version (1.5.11) to support Dell dock USB4 module.
    (LP: #1934209)
  * Drop all patches upstream.
  * Downgrade libgusb from 0.3.5 to 0.3.4 which used in focal after
    checking through all commits between.

fwupd (1.5.8-0ubuntu1) hirsute; urgency=medium

  * New upstream version (1.5.8)
  * Backport a patch to fix SBAT (LP: #1921539)
  * Drop all other patches, upstream.

fwupd (1.5.7-3) unstable; urgency=medium

  * Backport a patch to fix regression in fwupdtool activate
  * Backport a patch to fix activatable devices getting stuck in an update loop
  * Rebuild to pick up new signing keys.

fwupd (1.5.7-2) unstable; urgency=medium

  * Backport a patch to fix FTBFS on armhf for SBAT

fwupd (1.5.7-1) unstable; urgency=medium

  * New upstream version (1.5.7)
    - Fixes issues with SBAT on UEFI.
  * Fixes dependencies for -dev packages:
    Closes: #980691, #980684

fwupd (1.5.6-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Fix up Uploaders for the -signed packages - remove Jared, add Matthias

  [ Mario Limonciello ]
  * New upstream version (1.5.6)
  * drop all upstream patches

fwupd (1.5.5-2) unstable; urgency=medium

  * fwupd.postinst: Adjust to read /etc/os-release instead of `/etc/lsb-release`

fwupd (1.5.5-1) unstable; urgency=medium

  * New upstream version (1.5.5)
  * trivial: debian: migrate uefi->uefi_capsule in uefi.conf
  * trivial: debian: fix modules-load.d directory
  * trivial: debian: add dbus to recommends (Closes: #980049)
  * Backport 2 patches for continual "Unknown" message on new connections
  * trivial: debian: read /etc/lsb-release instead of dpkg-dev (Closes: #977860, #977861, #970783)

fwupd (1.5.3-2) unstable; urgency=medium

  * trivial: debian: only install fwupd-msr.conf if needed

fwupd (1.5.3-1) unstable; urgency=medium

  * New upstream version (1.5.3)
  * Drop all patches (upstream)
  * Follow defaults for nvme and redfish plugins (don't need efivar now)
  * debian/control:
    - Drop libsoup build dependency
    - Add libcurl build dependency
    - Add systemd build dependency
  * Migrate debian/fwupd.preinst content to debian/fwupd.maintscript

fwupd (1.5.1-5) unstable; urgency=medium

  * Backport patch to fix ppc64el autopkgtest failure

fwupd (1.5.1-4) unstable; urgency=medium

  * trivial: debian: disable downloading from LVFS in autopkgtest

fwupd (1.5.1-3) unstable; urgency=medium

  * Add breaks for fwupdate 12-7 (Closes: #960688)
  * trivial: debian: add git to fwupdate-tests dependencies

fwupd (1.5.1-2) unstable; urgency=medium

  [ Mario Limonciello ]
  * Backport a patch to indicate if packages are supported or not
  * backport a patch to fix autopkgtests on ppc64el
  * trivial: debian: don't hardcode paths in libexec
  * trivial: debian: disable msr plugin on all !x86

  [ Jessica Clarke ]
  * debian: Check DEB_HOST_ARCH_CPU not DEB_HOST_ARCH for MSR plugin
  * debian: Prefer Makefile substitutio...

Changed in fwupd (Ubuntu Focal):
status: Fix Committed → Fix Released
Brian Murray (brian-murray) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
removed: verification-done
Brian Murray (brian-murray) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.10~ubuntu18.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in fwupd-signed (Ubuntu Bionic):
status: In Progress → Fix Committed
Yuan-Chen Cheng (ycheng-twn) wrote :

Per a check of fwupd-signed in the bionic-proposed channel, it does not have a sbat section. If we do want to support secure boot on bionic, we need to refine the debian/rules and roll the deb again. Are we going to do that? If yes, you can ping me to work on the debdiff. If not, you can also ping me and I can do the verification for it.

# objdump -h /usr/lib/fwupd/efi/fwupdx64.efi.signed

/usr/lib/fwupd/efi/fwupdx64.efi.signed: file format pei-x86-64

Sections:
Idx Name Size VMA LMA File off Algn
  0 .text 00007a30 0000000000004000 0000000000004000 00000400 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc 0000000a 000000000000c000 000000000000c000 00008000 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 00002ea8 000000000000d000 000000000000d000 00008200 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic 00000150 0000000000010000 0000000000010000 0000b200 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela 00000e70 0000000000011000 0000000000011000 0000b400 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.plt 00000018 0000000000011e70 0000000000011e70 0000c470 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym 00000270 0000000000012000 0000000000012000 0000c800 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

Steve Langasek (vorlon) wrote :

> if we do want to support secure boot on bionic

Yes, this is non-negotiable. In fact, publication of the updated shim to bionic has been held up because of concerns over regressing fwupd-signed, which exists specifically *for* support under SecureBoot.

So, I'm going to mark this verification-failed since the sbat section is missing.

Please upload a fixed fwupd package with sbat support ASAP so that we can land the updated shim.

Changed in fwupd-signed (Ubuntu Focal):
status: Fix Committed → Fix Released
tags: added: verification-failed-bionic
removed: verification-needed-bionic
Yuan-Chen Cheng (ycheng-twn) wrote :

I did test the one in proposed; it does fail with the new shim + SB on.

I prepared a PPA with the updated fwupd.

sudo add-apt-repository ppa:ycheng-twn/fwupd-bionic-sbat-3

The unsigned EFI does have a sbat section:

---

~# objdump -h /usr/lib/fwupd/efi/fwupdx64.efi

/usr/lib/fwupd/efi/fwupdx64.efi: file format pei-x86-64

Sections:
Idx Name Size VMA LMA File off Algn
  0 .text 00007a2b 0000000000004000 0000000000004000 00000400 2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc 0000000a 000000000000c000 000000000000c000 00008000 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data 00002ea8 000000000000d000 000000000000d000 00008200 2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .sbat 000000ec 0000000000010000 0000000000010000 0000b200 2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .dynamic 00000150 0000000000011000 0000000000011000 0000b400 2**3
                  CONTENTS, ALLOC, LOAD, DATA
  5 .rela 00000e70 0000000000012000 0000000000012000 0000b600 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .rela.plt 00000018 0000000000012e70 0000000000012e70 0000c670 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .dynsym 00000288 0000000000013000 0000000000013000 0000ca00 2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

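The objdump listing above shows the fix only as a section-table entry. The Python below is an added example (not code from fwupd, shim or this thread): it walks the PE section table the same way objdump does, pulls out the .sbat CSV, and applies the shim rule that a chainloaded binary is refused when it has no .sbat section or when a component's generation is below the SbatLevel policy. The PE images, the SBAT rows and the policy are constructed for the example; the fwupd row is illustrative, not fwupd's real one.

```python
import struct

def build_test_image(sections):
    """Constructed minimal PE: MZ stub, PE signature, COFF header (no optional header), section table, raw data."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    table, raw, off = b"", b"", 0x40 + 4 + 20 + 40 * len(sections)
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), off, len(body), off, 0, 0, 0, 0, 0x40000040)
        raw += body
        off += len(body)
    return dos + b"PE\0\0" + coff + table + raw

def read_section(image, name):
    """Return the raw bytes of the named section, or None if the image has no such section."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)  # COFF header
    table = e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER follows the optional header
    for i in range(nsect):
        sname, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        if sname.rstrip(b"\0") == name.encode():
            return image[rawptr:rawptr + min(vsize, rawsize)]
    return None

def parse_sbat(blob):
    """Map each SBAT CSV row's component name to its generation (the first row is the 'sbat' format header)."""
    rows = [line.split(",") for line in blob.rstrip(b"\0").decode().splitlines() if line]
    return {row[0]: int(row[1]) for row in rows}

def shim_would_accept(image, policy):
    """Shim's rule: no .sbat section -> reject; any policy component present with a lower generation -> reject."""
    blob = read_section(image, ".sbat")
    if blob is None:
        return False, "no .sbat section"
    gens = parse_sbat(blob)
    for comp, required in policy.items():
        if comp in gens and gens[comp] < required:
            return False, f"{comp} generation {gens[comp]} below required {required}"
    return True, "ok"

# Constructed sample data: an SBAT payload in the documented CSV layout and an SbatLevel-style policy.
SBAT_CSV = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
            b"fwupd,1,Firmware update daemon,fwupd,1.2.14,https://github.com/fwupd/fwupd\n")
POLICY = {"sbat": 1, "fwupd": 1}
OLD_IMAGE = build_test_image([(".text", b"\x90" * 16), (".data", b"\0" * 8)])   # like the failed build
NEW_IMAGE = build_test_image([(".text", b"\x90" * 16), (".sbat", SBAT_CSV)])    # like the fixed build
```

Running `shim_would_accept` on a real binary means `read_section(open(path, "rb").read(), ".sbat")`; a revoked generation in the policy shows the second refusal path.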
Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

debdiff for fwupd-signed against the one in the proposed channel.

Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-bionic
removed: verification-failed-bionic
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Mario, or anyone else affected,

Accepted fwupd-signed into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/fwupd-signed/1.10~ubuntu18.04.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

Tested upgrading the BIOS with secure boot on + fwupd 1.2.14-0~18.04.2/fwupd-signed/shim from the bionic-proposed channel; it works just fine.

BIOS upgrade from gnome-software test passed.

AI: test more, like NVMe, docking, etc.

Revision history for this message
Yuan-Chen Cheng (ycheng-twn) wrote :

fwupd 1.2.14-0~18.04.2 from the bionic-proposed channel
+ fwupd-signed + shim from the bionic-proposed channel.
+ secure boot on.

test nvme firmware re-install
wd19sc docking firmware upgrade (ref: lp:1921544)
wd19tb docking firmware reinstall
  (fwupdmgr install --allow-reinstall 4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab)

all passed.

---

log:

$ fwupdmgr install --allow-reinstall 4e3f12fc1901c05790ab17ff2223a79631477aa87979498874c4c262cfafc144-WD19FirmwareUpdateLinux_01.00.21.cab
Decompressing… [***************************************]
Authenticating… [***************************************]
Installing on Package level of Dell dock… ]
Restarting device… [***************************************]
Installing on RTS5413 in Dell dock… ]
Restarting device… [***************************************] Less than one minute remaining…
Installing on RTS5487 in Dell dock…******************************]
Restarting device… [***************************************] Less than one minute remaining…
Installing on Thunderbolt controller in Dell dock…***************]
Restarting device… [***************************************] Less than one minute remaining…
Installing on WD19TB…
Idle… [***************************************]
Installing on VMM5331 in Dell dock…
Idle… [***************************************]
Restarting device… [***************************************] Less than one minute remaining…
Installing on WD19TB… [************************************** ]
Restarting device… [***************************************] Less than one minute remaining…
Tool version updates to address security vulnerabilities.

tags: added: verification-done verification-done-bionic
removed: verification-needed verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd - 1.2.14-0~18.04.2

---------------
fwupd (1.2.14-0~18.04.2) bionic; urgency=medium

  * debian/rules: catch up to generate sbat section.

fwupd (1.2.14-0~18.04.1) bionic; urgency=medium

  * New upstream version (1.2.14) (LP: #1884788)
  * Bug fixes:
    - Fixes crashes on fwupdaa64.efi on startup (LP: #1858590)
    - Check version was updated by checking version
    - Correctly import PKCS-7 remote metadata
    - Decrease minimum battery requirement to 10%
    - Disable the battery percentage checks if UPower is unavailable
    - Do not do semver conversion in fu_common_vercmp()
    - Fix the DeviceID set by GetDetails
    - Force the synaptics-prometheus minor version from 0x02 to 0x01
    - Prevent Dell updates to occur via synaptics-mst
    - Read all releases and convert versions when comparing
    - Use the correct timeout for unifying IO channel writes
    - Validate that gpgme_op_verify_result() returned at least one signature
    - Avoid checking for bolt support when not required
    - Correct HWID support in wacom-raw
    - Fix offset of vendor id of hidraw devices
    - Make loading vendor/product/serial strings non-fatal
    - Only check the vendor ID if the device has one set
    - Use more systemd directives for directories
    - Actually write the new device path if different than before
    - Add a SynapticsMSTBoardID for a few Lenovo docks
    - Add the counterpart GUID for the DW5821e
    - Be more accepting when trying to recover a failed database migration
    - Do not ask the user to upload a report if ReportURI is not set
    - Do not segfault when trying to quit the downgrade selection
    - Fix a crash when stopping the fwupd service
    - Never show AppStream markup on the console
    - Relax the certificate time checks in the self tests for the legacy certificate
    - Reload metadata store when configuration changes
    - Remove replug flag after the device comes back from reboot
    - Update device_modified in sql database during updates
    - Work properly with ICL thunderbolt controller
  * New features:
    - Add support for tpm2-tools 4.X
    - Allow specifying a firmware GUID to check any version exists
    - Add SBAT region support (LP: #1921539)
  * Don't cleanup /var/cache/fwupdate anymore
  * Drop upstreamed patches:
    - 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
    - 0001-trivial-libfwupd-skip-tests-if-machine-id-is-empty-t.patch
    - 0001-Allows-confined-snaps-to-activate-fwupd-via-D-Bus.patch
    - 0001-Only-check-the-vendor-ID-if-the-device-has-one-set.patch
    - 0001-efi-use-a-wildcard-section-copy-for-final-EFI-genera.patch
    - CVE-2020-10759.patch
  * Remaining changes:
    - meson-0.45-bc.patch: Fix build with meson 0.45
    - Drop added Recommends: on bolt which is not in flavor seeds and adds a
      new service.
  * Backport a patch from upstream 1_2_X branch to fix SBAT character.
  * Backport a patch from upstream 1_2_X branch to fix vendor-id requirement
    error on Dell WD19 (LP: #1921544)

 -- Yuan-Chen Cheng <email address hidden> Tue, 31 Aug 2021 15:58:09 +0800

Changed in fwupd (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package fwupd-signed - 1.10~ubuntu18.04.6

---------------
fwupd-signed (1.10~ubuntu18.04.6) bionic; urgency=medium

  * Build depends on fwupd version 1.2.14-0~18.04.2. (LP: #1921539)

fwupd-signed (1.10~ubuntu18.04.5) bionic; urgency=medium

  * Build depends on fwupd version 1.2.14-0~18.04.1
    - LP: #1921544
    - LP: #1921539
    - LP: #1884788
    - LP: #1858590

 -- Yuan-Chen Cheng <email address hidden> Tue, 31 Aug 2021 17:50:22 +0800

Changed in fwupd-signed (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in oem-priority:
status: In Progress → Fix Released