[Bug 1921539] Re: Add support for SBAT
Yuan-Chen Cheng
1921539 at bugs.launchpad.net
Thu Apr 15 10:19:47 UTC 2021
I did the following test, and the result is a failure.
Machine: Dell Latitude 5300
BIOS: 1.10.4
Test case: download the 1.10.4 BIOS cab from LVFS, and reinstall the BIOS using fwupd with the command "fwupdmgr install xxxx.cab --allow-reinstall"
Pass means: we can run BIOS re-install.
Failed means: we can't run BIOS re-install and we will see the error message on the screen. The error message is shown on the monitor in text with a blue background.
shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.5-1
secure boot off: Pass
shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.5-1
secure boot on, failed msg: Verification failed: (0x1A) Security Violation
shim and shim-signed 15.4-0-ubuntu1 + fwupd and fwupd-signed 1.4.7-0~20.10.1
secure boot on, failed msg: Verification failed: (0x1A) Security Violation
The following packages were installed to do the above test.
fwupd_1.4.7-0~20.10.1_amd64.deb
fwupd-signed_1.30.1+1.4.7-0~20.10.1_amd64.deb
libfwupd2_1.4.7-0~20.10.1_amd64.deb
libfwupdplugin1_1.4.7-0~20.10.1_amd64.deb
Is the test procedure wrong, or do I need to install something else?
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1921539
Title:
Add support for SBAT
Status in OEM Priority Project:
Confirmed
Status in fwupd package in Ubuntu:
Fix Released
Status in fwupd-signed package in Ubuntu:
Fix Released
Status in fwupd source package in Bionic:
In Progress
Status in fwupd-signed source package in Bionic:
In Progress
Status in fwupd source package in Focal:
In Progress
Status in fwupd-signed source package in Focal:
In Progress
Status in fwupd source package in Groovy:
Fix Committed
Status in fwupd-signed source package in Groovy:
Fix Committed
Status in fwupd source package in Hirsute:
Fix Released
Status in fwupd-signed source package in Hirsute:
Fix Released
Bug description:
[Impact]
Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region. fwupd in bionic does not currently contain this region.
[Test Case]
Verify that a shim that checks for sbat region can boot the fwupd with sbat region.
[Regression Potential]
This is moving to a new stable release in each of the series which is in bug fix only mode. The sbat region is the only "feature" that has been backported to this series in over a year.
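As an added illustration of the [Test Case] precondition (this is not code from the bug report, fwupd or shim): a Python check that an EFI PE image carries a `.sbat` section and lists its component/generation pairs. The function names, the minimal sample image and the vendor fields in it are constructed for the example; the check covers only presence and parsing, not shim's own verification.

```python
import csv
import struct

def read_sbat(image):
    """Return [(component, generation)] from the .sbat section, or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)       # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size                          # section table start
    for i in range(nsections):
        off = table + 40 * i                                # 40-byte section headers
        name = image[off:off + 8].rstrip(b"\0")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<4I", image, off + 8)
        if name == b".sbat":
            data = image[raw_ptr:raw_ptr + min(vsize or raw_size, raw_size)]
            text = data.rstrip(b"\0").decode("utf-8")
            rows = csv.reader(text.splitlines())
            return [(r[0], int(r[1])) for r in rows if len(r) >= 2]
    return None

def build_sample(sbat):
    """Constructed minimal PE-like image for the demo; not a bootable binary."""
    sections = [(b".text", b"\x90" * 16)]
    if sbat is not None:
        sections.append((b".sbat", sbat))
    pe_off = 0x40
    ptr = pe_off + 24 + 40 * len(sections)                  # no optional header
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    table, body = b"", b""
    for name, data in sections:
        table += name.ljust(8, b"\0") + struct.pack("<8I", len(data), 0, len(data), ptr, 0, 0, 0, 0)
        body += data
        ptr += len(data)
    return dos + coff + table + body

# Constructed sample metadata; the second line's values are placeholders.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"fwupd,1,Example Vendor,fwupd,0.0,https://example.invalid\n")

if __name__ == "__main__":
    print("with .sbat   :", read_sbat(build_sample(SAMPLE_SBAT)))
    print("without .sbat:", read_sbat(build_sample(None)))
```

To check a real binary, pass the bytes of the installed fwupd EFI file to `read_sbat`; a `None` result means the image has no `.sbat` section.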