** Changed in: oem-priority
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to
This bug was fixed in the package fwupd - 1.2.14-0~18.04.2
---
fwupd (1.2.14-0~18.04.2) bionic; urgency=medium
* debian/rules: catch up to generate sbat section.
fwupd (1.2.14-0~18.04.1) bionic; urgency=medium
* New upstream version (1.2.14) (LP: #1884788)
* Bug fixes:
- F
This bug was fixed in the package fwupd-signed - 1.10~ubuntu18.04.6
---
fwupd-signed (1.10~ubuntu18.04.6) bionic; urgency=medium
* Build depends on fwupd version 1.2.14-0~18.04.2. (LP: #1921539)
fwupd-signed (1.10~ubuntu18.04.5) bionic; urgency=medium
* Build depends on fwupd ve
fwupd 1.2.14-0~18.04.2 from the bionic-proposed channel
+ fwupd-signed + shim from the bionic-proposed channel.
+ secure boot on.
test nvme firmware re-install
wd19sc docking firmware upgrade (ref: lp:1921544)
wd19tb docking firmware reinstall
(fwupdmgr install --allow-reinstall
4e3f12fc1901c0
Test to upgrade bios with secure boot on + fwupd 1.2.14-0~18.04.2/fwupd-
signed/shim from the bionic-proposed channel, it works just fine.
Upgrade bios from gnome-software test passed.
AI: test more like NVME, Docking, etc.
--
You received this bug notification because you are a member of Ubunt
Hello Mario, or anyone else affected,
Accepted fwupd into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.2
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki
debdiff for fwupd-signed against the one in the proposed channel.
** Patch added: "fwupd-signed_1.10~ubuntu18.04.6.debdiff"
https://bugs.launchpad.net/oem-priority/+bug/1921539/+attachment/5521864/+files/fwupd-signed_1.10~ubuntu18.04.6.debdiff
--
You received this bug notification because yo
Did test the one in proposed, it does failed with new shim + sb on.
I prepare a ppa with updated fwupd.
sudo add-apt-repository ppa:ycheng-twn/fwupd-bionic-sbat-3
the unsigned-efi does have a sbat section:
---
~# objdump -h /usr/lib/fwupd/efi/fwupdx64.efi
/usr/lib/fwupd/efi/fwupdx64.efi:
> if we do want to support secure boot on bionic
Yes, this is non-negotiable. In fact, publication of the updated shim
to bionic has been held up because of concerns over regressing fwupd-
signed, which exists specifically *for* support under SecureBoot.
So, I'm going to mark this verification-f
per check fwupd-signed in the bionic-proposed channel, it does not have sbat
section.
if we do want to support secure boot on bionic, we need the refine the
debian/rules
and rolling the deb again. Are we going to do that? If yes, you can ping me to
work
the debdiff. If not, you also can ping me
Hello Mario, or anyone else affected,
Accepted fwupd-signed into bionic-proposed. The package will build now
and be available at https://launchpad.net/ubuntu/+source/fwupd-
signed/1.10~ubuntu18.04.5 in a few hours, and then in the -proposed
repository.
Please help us by testing this new package.
Hello Mario, or anyone else affected,
Accepted fwupd into bionic-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.2.14-0~18.04.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki
This bug was fixed in the package fwupd - 1.5.11-0ubuntu1~20.04.2
---
fwupd (1.5.11-0ubuntu1~20.04.2) focal; urgency=medium
* force to use libjcat >= 0.1.3, or signature verification will
failed.
fwupd (1.5.11-0ubuntu1~20.04.1) focal; urgency=medium
* New upstream version (1.5.1
** Changed in: fwupd-signed (Ubuntu Focal)
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications abou
According to bug 1934209:
Verification passed on Focal
Secure boot on
shim-signed: 1.40.6+15.4-0ubuntu7 (proposed channel, sbat applied)
fwupd: 1.5.11-0ubuntu1~20.04.2 (propsoed channel, sbat applied)
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done
** Changed in: oem-priority
Status: Confirmed => In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
h
Hello Mario, or anyone else affected,
Accepted fwupd into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/fwupd/1.5.11-0ubuntu1~20.04.1 in a
few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https:
I think we can re-use the fwupd-sign that Mario uploaded, since the
version number is not changed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifi
follow up #29, per the built un-signed fwupdx64.efi, it does have the
sbat section.
$ objdump -h ./fwupdx64.efi
./fwupdx64.efi: file format pei-x86-64
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 7a2b 4000 00
the one mario uploaded to bionic queue missing the debian/rules change.
I put one with those change in https://launchpad.net/~ycheng-
twn/+archive/ubuntu/fwupd-bionic-sbat-1
per quick check, the major diff from current one in debian buster are
the two arm patch:
0010-uefi-capsule-Sync-linker-scr
This bug was fixed in the package fwupd-signed - 1.30.1
---
fwupd-signed (1.30.1) groovy; urgency=medium
* Build depend on fwupd 1.4.7-0~20.10.1
- LP: #1921544
- LP: #1921539
- LP: #1909734
- LP: #1886912
- LP: #1900935
-- Mario Limonciello Fri, 26 Mar 2021
1
This bug was fixed in the package fwupd - 1.4.7-0~20.10.1
---
fwupd (1.4.7-0~20.10.1) groovy; urgency=medium
* new upstream version (1.4.7)
* Bug fixes:
- Check returned volumes before accessing them
- Correct a Thunderbolt assertion if kernel failed FW read
- Do no
** Tags removed: verification-needed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-p
Per #23, change to verified done in groovy.
** Tags removed: verification-needed-groovy
** Tags added: verification-done-groovy
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add supp
Per #23, create another bug for groovy sbat SRU in lp:1926011
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https:/
$ wget http://archive.ubuntu.com/ubuntu/dists/groovy-proposed/main/uefi
/fwupd-amd64/1.4.7-0~20.10.1/fwupdx64.efi.signed
$ md5sum fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168 fwupdx64.efi.signed
$ objdump -h ./fwupdx64.efi.signed
./fwupdx64.efi.signed: file format pei-x86-64
Sectio
today I use the same machine, install debian 10.9 in text mode, and
install
fwupd / fwupd-signed: 1.2.13-3+deb10u2
existing shim-signed: 1.33+15+1533136590.3beb971-7
I found I also need to install policykit-1.
Then I did the same test with secure boot on. The test is passed.
--
You received th
@xnox was there some sort of signing rotation or anything? could
fwupdx64.efi in groovy have gotten signed prematurely to said rotation?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
@mario, I turn secure boot on, and boot into OS, then run the fwupdmgr
install command, then reboot, then I saw the failure.
One more thing, for new shim + groovy grub, I found the same failure happens if
I use groovy/grub
1.155+2.04-1ubuntu35 as boot into OS (so I can't boot into OS with this g
@ycheng-twn:
In your groovy tests from one run to another was secure boot on from the
moment you initiated the FW update? Or did you just turn it on after
the reboot and pick "Linux Firmware Updater" entry?
I ask because fwupd will examine the state of secure boot at the time
the update is attem
Test passed on hirsute.
I use the same machine, install hirsute, apt upgrade everything, and
confirm it have update shim and fwupd. Then turn on secure boot and do
the same test, I found fwupd does upgrade bios fw as secure boot is on,
so it's test passed.
--
You received this bug notification b
I'll try to test hirsute as I got the chance to.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https://bugs.launchp
@mario, the "newer shim from hirsute" + the existing grub on groovy with
secure boot on boot into OS as expected.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
T
@ycheng-twn securution/foundations would like to recheck fwupd.efi
binaries.
we will not release new shim to groovy, until we know that fwupd.efi is
compatible.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.ne
does the newer shim + grub work?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-prior
Bios 1.10.4 is not the most updated version on lvfs. However I think the
new mechanism need to also work on old bios version.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support
I did the following test, the result is failed.
Machine: Dell Latitude 5300
BIOS: 1.10.4
Test case: download 1.10.4 bios cab from lfvs, and reinstall the bios using
fwupd with the command "fwupdmgr install .cab --allow-reinstall"
Pass means: we can run BIOS re-install.
Failed means: we can't
@xnox
Can you propose this idea to upstream fwupd? Unlike GRUB there is a
stronger ABI between the EFI application and userspace.
So I think it would be better to make it an upstream decision and then
mirror it in Ubuntu rather than Ubuntu having to chase the potential for
an ABI disaster if fwu
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions
-
New shim is available in hirsute-proposed now, and I guess since this is
now available in groovy-proposed, we can copy shim into groovy-proposed
to complete end to end testing with the new shim.
** Changed in: fwupd-signed (Ubuntu Hirsute)
Status: In Progress => Fix Released
--
You receiv
Ideally I would want us to split fwupd into fwupd-unsigned & fwupd-
unsigned, like we did with grub.
That way
* fwupd will drop shipping .efi binaries
* fwupd-unsigned will only build and submit .efi binary for signing
* fwupd-signed will ship signed .efi binary
with fwupd-unsigned & fwupd-signed
given shim with sbat feature still not release (lp:1921134), this is
more a pre-landing so that we can test as shim+sbat is there.
Give so, as long as there are not other regression, I plan to tag
verification-done-groovy soon.
--
You received this bug notification because you are a member of Ub
Hello Mario, or anyone else affected,
Accepted fwupd into groovy-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/fwupd/1.4.7-0~20.10.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.
This bug was fixed in the package fwupd - 1.5.8-0ubuntu1
---
fwupd (1.5.8-0ubuntu1) hirsute; urgency=medium
* New upstream version (1.5.8)
* Backport a patch to fix SBAT (LP: #1921539)
* Drop all other patches, upstream.
-- Mario Limonciello Fri, 26 Mar 2021
14:07:35 -0500
Hirsute/fwupd with sbat patch now in proposed.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https://bugs.launchpad
** Tags added: sbat
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921
** Changed in: oem-priority
Importance: Undecided => High
** Changed in: oem-priority
Status: New => Confirmed
** Tags added: fwupd
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Ti
for focal, SRU to version 1.4.7 and add SBAT patch is tracked in
lp:1920723
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
To manage notifications about this bug
** Also affects: oem-priority
Importance: Undecided
Status: New
** Changed in: oem-priority
Assignee: (unassigned) => Yuan-Chen Cheng (ycheng-twn)
** Tags added: oem-priority
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubu
** Changed in: fwupd (Ubuntu Focal)
Status: New => In Progress
** Changed in: fwupd (Ubuntu Groovy)
Status: New => In Progress
** Changed in: fwupd (Ubuntu Hirsute)
Status: New => In Progress
** Changed in: fwupd-signed (Ubuntu Bionic)
Status: New => In Progress
** C
** Changed in: fwupd (Ubuntu Bionic)
Status: New => In Progress
** Changed in: fwupd (Ubuntu Bionic)
Assignee: (unassigned) => Mario Limonciello (superm1)
** Changed in: fwupd-signed (Ubuntu Bionic)
Assignee: (unassigned) => Mario Limonciello (superm1)
--
You received this bug
All releases need to be updated including Hirsute.
Hirsute has fwupd 1.5.7 which contains sbat support, but had a mistake
with the wrong character ('.' vs '-'). See
https://github.com/fwupd/fwupd/pull/3070 for more context.
** Also affects: fwupd-signed (Ubuntu)
Importance: Undecided
S
52 matches
Mail list logo
