fwupd has dbx plugin enabled but shouldn't
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
fwupd (Ubuntu) | Expired | Undecided | Unassigned |
Focal | Expired | Undecided | Unassigned |
Impish | Expired | Undecided | Unassigned |
Jammy | Expired | Undecided | Unassigned |
Kinetic | Expired | Undecided | Unassigned |
Bug Description
In discussion with the Security Team, I've learned that the dbx plugin in fwupd is enabled by default. Prior to the 22.04 release I had conversations about the fact that we should not be using fwupd to deliver dbx updates by default, but these don't seem to have resulted in changes to the packaging. We may in the future want to use fwupd to deliver dbx updates, but in the meantime there is a concern that delivery of dbx updates needs to be coordinated with the OS (we have the secureboot-db package seeded across all products in support of this), and there is no coordination between fwupd and the OS package manager.
We need to update fwupd to disable the dbx plugin by default (DisabledPlugins= in /etc/fwupd/
This affects both jammy and focal, where fwupd has been SRUed.
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: fwupd 1.7.5-3
ProcVersionSign
Uname: Linux 5.15.0-27-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu82
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Fri May 6 11:04:01 2022
InstallationDate: Installed on 2019-12-23 (864 days ago)
InstallationMedia: Ubuntu 19.10 "Eoan Ermine" - Release amd64 (20191017)
RebootRequiredPkgs: Error: path contained symlinks.
SourcePackage: fwupd
UpgradeStatus: Upgraded to jammy on 2022-04-15 (20 days ago)
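The report asks for the dbx plugin to be listed in `DisabledPlugins=` so that fwupd stops delivering dbx updates and the OS package (secureboot-db) stays the single delivery path. The script below is an added example, not part of the bug report, the Ubuntu packaging or fwupd itself: it reads the daemon configuration, reports whether the dbx plugin is disabled, and can add it to `DisabledPlugins=` without disturbing other entries. It assumes the config file is `/etc/fwupd/daemon.conf` (the report truncates the path), that the key lives in the `[fwupd]` section, and that the plugin id is `uefi_dbx`; all three are overridable and should be confirmed against the installed fwupd version.

```shell
#!/usr/bin/env bash
# Added example: audit/enforce DisabledPlugins= for the dbx plugin in fwupd's
# daemon configuration. Not code from the bug report or from fwupd.
# Assumptions (override via environment): config path, plugin id.
set -eu

FWUPD_CONF="${FWUPD_CONF:-/etc/fwupd/daemon.conf}"   # assumed path
DBX_PLUGIN="${DBX_PLUGIN:-uefi_dbx}"                  # assumed plugin id

# Print the value of DisabledPlugins= from the [fwupd] section (empty if unset).
get_disabled_plugins() {
  awk -F= '
    /^\[/ { in_fwupd = ($0 == "[fwupd]"); next }
    in_fwupd && $1 == "DisabledPlugins" { sub(/^[^=]*=/, ""); print; exit }
  ' "$1"
}

# Succeed (0) only if the dbx plugin is one of the ;-separated disabled plugins.
dbx_plugin_disabled() {
  local list
  list="$(get_disabled_plugins "$1")"
  case ";${list};" in
    *";${DBX_PLUGIN};"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Rewrite the file so DisabledPlugins= in [fwupd] includes the dbx plugin.
# Idempotent: existing entries are kept; a missing key or section is created.
ensure_dbx_plugin_disabled() {
  local conf="$1" tmp
  if dbx_plugin_disabled "$conf"; then
    return 0
  fi
  tmp="$(mktemp)"
  awk -v plugin="$DBX_PLUGIN" '
    /^\[/ {
      # leaving [fwupd] without having seen the key: insert it before next section
      if (in_fwupd && !done) { print "DisabledPlugins=" plugin; done = 1 }
      in_fwupd = ($0 == "[fwupd]")
    }
    in_fwupd && /^DisabledPlugins=/ && !done {
      val = substr($0, index($0, "=") + 1)
      if (val == "") print "DisabledPlugins=" plugin
      else           print "DisabledPlugins=" val ";" plugin
      done = 1
      next
    }
    { print }
    END {
      if (!done) {
        if (!in_fwupd) print "[fwupd]"   # no [fwupd] section at all
        print "DisabledPlugins=" plugin
      }
    }
  ' "$conf" > "$tmp"
  cat "$tmp" > "$conf"   # write in place to keep the file's owner and mode
  rm -f "$tmp"
}

# Usage: ./dbx-plugin.sh check | fix   (no argument: define functions only)
case "${1:-}" in
  check)
    if dbx_plugin_disabled "$FWUPD_CONF"; then
      echo "dbx plugin is disabled in $FWUPD_CONF"
    else
      echo "dbx plugin is NOT disabled in $FWUPD_CONF" >&2
      exit 1
    fi ;;
  fix)
    ensure_dbx_plugin_disabled "$FWUPD_CONF"
    echo "DisabledPlugins= now: $(get_disabled_plugins "$FWUPD_CONF")" ;;
esac
```

After changing the file the daemon has to be restarted for the setting to take effect, and `fwupdmgr get-plugins` on the live system is the authoritative confirmation that the plugin is really disabled; the script only checks the configuration text.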
Changed in fwupd (Ubuntu Kinetic): status: New → Incomplete
Changed in fwupd (Ubuntu Jammy): status: New → Incomplete
Changed in fwupd (Ubuntu Impish): status: New → Incomplete
Changed in fwupd (Ubuntu Focal): status: New → Incomplete
Before making a change to packaging can we discuss the "why"? Dbx updates coming this way are mutually exclusive with packaged updates. They would just enable users to "opt in" to them even if they turned off security updates from packages.
I also want to remind you that dbx updates can come from the BIOS too, which users can already opt into installing as well.