[Bug 1921539] Re: Add support for SBAT

Yuan-Chen Cheng 1921539 at bugs.launchpad.net
Fri Apr 16 23:50:27 UTC 2021


@mario, I turned secure boot on, booted into the OS, then ran the fwupdmgr
install command, then rebooted, and then I saw the failure.

One more thing: for new shim + groovy grub, I found the same failure
happens if I use groovy/grub 1.155+2.04-1ubuntu35 to boot into the OS (so
I can't boot into the OS with this grub); however, if I use groovy/grub
1.167+2.04-1ubuntu44 from the update channel, then I can boot into the OS.

Feel free to ask questions if anyone wants to reproduce this and doesn't
know certain steps in detail, or if you want to know my steps in more
detail while reviewing.

A full running session is here:

root@u-Latitude-5300:~# sh run.sh ; exit
+ dpkg -l
+ grep shim
ii  shim                                       15.4-0ubuntu1                       amd64        boot loader to chain-load signed boot loaders under Secure Boot
ii  shim-signed                                1.46+15.4-0ubuntu1                  amd64        Secure Boot chain-loading bootloader (Microsoft-signed binary)
+ + grep fwupd
echo please run reboot                         1.4.7-0~20.10.1                     amd64        Firmware update daemon
ii  fwupd-signed                               1.30.1+1.4.7-0~20.10.1              amd64        Linux Firmware Updater EFI signed binary
ii  libfwupd2:amd64                            1.4.7-0~20.10.1                     amd64        Firmware update daemon library
ii  libfwupdplugin1:amd64                      1.4.7-0~20.10.1                     amd64        Firmware update daemon plugin library
+ fwupdmgr install 9da74134678173a97e2d3eb4a79f0beba0e43e85155777e040396bad6b70d0b4-firmware.cab --allow-reinstall
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Installing on System Firmware…        /                          ]
Scheduling…              [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: n
+ md5sum /usr/libexec/fwupd/efi/fwupdx64.efi.signed /boot/efi/EFI/ubuntu/fwupdx64.efi
e3a387f8f87852e670d105145cb96168  /usr/libexec/fwupd/efi/fwupdx64.efi.signed
e3a387f8f87852e670d105145cb96168  /boot/efi/EFI/ubuntu/fwupdx64.efi
+ mokutil --sb
SecureBoot enabled
+ echo please run reboot
please run reboot

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

Status in OEM Priority Project:
  Confirmed
Status in fwupd package in Ubuntu:
  Fix Released
Status in fwupd-signed package in Ubuntu:
  Fix Released
Status in fwupd source package in Bionic:
  In Progress
Status in fwupd-signed source package in Bionic:
  In Progress
Status in fwupd source package in Focal:
  In Progress
Status in fwupd-signed source package in Focal:
  In Progress
Status in fwupd source package in Groovy:
  Fix Committed
Status in fwupd-signed source package in Groovy:
  Fix Committed
Status in fwupd source package in Hirsute:
  Fix Released
Status in fwupd-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region.  fwupd in bionic does not currently contain this region.

  [Test Case]
  Verify that a shim that checks for the sbat region can boot the fwupd with the sbat region.

  [Regression Potential]
  This is moving to a new stable release in each of the series which is in bug fix only mode.  The sbat region is the only "feature" that has been backported to this series in over a year.

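The following Python code is an added example, not part of the bug report or of the fwupd or shim code: it checks an EFI binary for the SBAT region that the [Impact] section says future shim releases will require. It assumes the region is stored as shim's SBAT specification describes, as a PE section named `.sbat` holding CSV lines; `read_sbat`, `build_pe` and the sample entries are hypothetical names and constructed data.

```python
import csv
import struct

# Constructed sample .sbat contents: the header line from shim's SBAT.md plus one
# made-up component entry (vendor, version and URL are placeholders).
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"fwupd,1,Example Vendor,fwupd,0.0,https://example.invalid\n")

def read_sbat(pe: bytes):
    """Return [(component, generation), ...] from the .sbat section, or None if absent."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    table = pe_off + 24 + opt_size                           # first section header
    for i in range(n_sections):
        name, vsize, _va, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", pe, table + 40 * i)
        if name.rstrip(b"\0") != b".sbat":
            continue
        data = pe[raw_off:raw_off + min(vsize or raw_size, raw_size)]
        text = data.split(b"\0", 1)[0].decode("utf-8")      # drop zero padding
        return [(row[0], int(row[1]))
                for row in csv.reader(text.splitlines()) if len(row) >= 2]
    return None

def build_pe(sections: dict) -> bytes:
    """Build a minimal, constructed PE image from {name: data}; test input only."""
    pe_off = 0x40
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    data_off = pe_off + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data),
                             data_off + len(body), 0, 0, 0, 0, 0)
        body += data
    return bytes(dos) + coff + table + body

if __name__ == "__main__":
    print(read_sbat(build_pe({b".text": b"\x90" * 16, b".sbat": SAMPLE_SBAT})))
    print(read_sbat(build_pe({b".text": b"\x90" * 16})))
```

On a real system the input to `read_sbat` would be the bytes of a file such as `/boot/efi/EFI/ubuntu/fwupdx64.efi` from the session above; a `None` result means the binary carries no `.sbat` section.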