[Bug 1921539] Re: Add support for SBAT

[Yuan-Chen Cheng]

per check fwupd-signed in the bionic-proposed channel, it does not have sbat section.
if we do want to support secure boot on bionic, we need the refine the debian/rules
and rolling the deb again. Are we going to do that? If yes, you can ping me to work
the debdiff. If not, you also can ping me and I can do the verification for it.

# objdump -h /usr/lib/fwupd/efi/fwupdx64.efi.signed

/usr/lib/fwupd/efi/fwupdx64.efi.signed:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00007a30  0000000000004000  0000000000004000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000a  000000000000c000  000000000000c000  00008000  2**0
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00002ea8  000000000000d000  000000000000d000  00008200  2**5
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic      00000150  0000000000010000  0000000000010000  0000b200  2**3
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela         00000e70  0000000000011000  0000000000011000  0000b400  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .rela.plt     00000018  0000000000011e70  0000000000011e70  0000c470  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .dynsym       00000270  0000000000012000  0000000000012000  0000c800  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

Status in OEM Priority Project:
  In Progress
Status in fwupd package in Ubuntu:
  Fix Released
Status in fwupd-signed package in Ubuntu:
  Fix Released
Status in fwupd source package in Bionic:
  Fix Committed
Status in fwupd-signed source package in Bionic:
  Fix Committed
Status in fwupd source package in Focal:
  Fix Released
Status in fwupd-signed source package in Focal:
  Fix Committed
Status in fwupd source package in Groovy:
  Fix Released
Status in fwupd-signed source package in Groovy:
  Fix Released
Status in fwupd source package in Hirsute:
  Fix Released
Status in fwupd-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region.  fwupd in bionic does not currently contain this region.

  [Test Case]
  Verify that a shim that checks for sbat region can boot the fwupd with sbat region.

  [Regression Potential]
  This is moving to a new stable release in each of the series which is in bug fix only mode.  The sbat region is the only "feature" that has been backported to this series in over a year.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions