[Bug 2003365] Re: 2022v1 resigning
Julian Andres Klode
2003365 at bugs.launchpad.net
Fri Jan 27 14:15:41 UTC 2023
SRU verification (the SRUs are binary copies, so verification will
remain valid once it lands in proposed).
I have downloaded the fwupd-signed from the signing PPA as well as
proposed new shim and old shim for all releases:
Downloads/fwupd-signed_1.51_20.04.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_20.04.1+1.2-3ubuntu0.2_arm64.deb
Downloads/fwupd-signed_1.51_22.04.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_22.04.1+1.2-3ubuntu0.2_arm64.deb
Downloads/fwupd-signed_1.51_22.10.1+1.2-3ubuntu0.2_amd64.deb
Downloads/fwupd-signed_1.51_22.10.1+1.2-3ubuntu0.2_arm64.deb
Downloads/shim-signed_1.52_ppa7+15.7-0ubuntu1_amd64.deb
Downloads/shim-signed_1.52_ppa7+15.7-0ubuntu1_arm64.deb
I extracted the debs into a directory, renamed the files around a bit for easy testing, and then
I spawned VMs for both amd64 and arm64 and for each release ran
fwupdx64.efi.signed # this failed because it was not loaded by shim (showing Secure Boot works)
shimx64.efi.signed.latest fwupdx64.efi.signed
shimx64.efi.signed.previous fwupdx64.efi.signed
from the EFI shell. This always worked fine; fwupd loaded
successfully.
Here are some example runs from arm64; the serial console output in qemu
is a bit garbled, so it's not all of it.
FS0:\> shimaa64.efi.signed.latest fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-focal.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-jammy.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.previous fwupd-arm64-kinetic.efi
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
FS0:\> shimaa64.efi.signed.latest fwupd-arm64-kinetic.efi
WARNING: No updates to process, exiting in 10 seconds.
start_ishimaa64.efi.signed.latest fwupd-arm64-jammy.efi default loader
WARNING: No updates to process, exiting in 10 seconds.
start_image() returned Invalid Parameter, falling back to default loader
Failed to open \grubaa64.efi - Not Found
** Tags added: verification-done verification-done-focal verification-done-jammy verification-done-kinetic
--
https://bugs.launchpad.net/bugs/2003365
Title:
2022v1 resigning
Status in fwupd-signed package in Ubuntu:
Fix Committed
Status in fwupd-signed source package in Bionic:
In Progress
Status in fwupd-signed source package in Focal:
In Progress
Status in fwupd-signed source package in Jammy:
In Progress
Status in fwupd-signed source package in Kinetic:
In Progress
Status in fwupd-signed source package in Lunar:
Fix Committed
Bug description:
[Impact]
Resign with new 2022v1 key, as the old key is revoked in shim 15.7-0ubuntu1.
[Test plan]
Check that fwupd.efi can be started from old and new shim.
[Where problems could occur]
We're building one signed binary for stable releases in kinetic now and copying it back. We last built it in jammy; there may be toolchain-related regressions.
[Other info]
We have backported 1.51 wholesale. This matters mostly for focal as it had different version numbers so far, but the content was otherwise identical to 1.42.
This makes it clear that 1.51 is the version signed with the new key and
where it is available, and saves a lot of time vs changing changelogs
to incorporate separate focal history in those ~20 uploads we do for
the rotation.
fwupd-efi was built in kinetic in the ppa:ubuntu-uefi-team/ppa and
then signed with the 2022v1 signing key, copied to ppa:ubuntu-uefi-
team/proposed and then copied (--unembargo) into ppa:ubuntu-uefi-
team/proposed-step before being copied to the main queues. The final
proposed-public should allow sensible SRU review.
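The test plan above boots each fwupd.efi under the old and the new shim and watches whether it loads. A check one usually wants alongside that is to see which signing certificate a given fwupdx64.efi.signed actually carries before spawning VMs. The following script is an added example, not part of this bug report nor of the fwupd-signed or shim packages; it depends only on the PE/COFF security data directory and WIN_CERTIFICATE layouts, walks the DER of the Authenticode blob shallowly (single-byte tags, definite lengths, which is all X.509 uses) and prints the commonName values it finds. It does not verify the signature, it only reports what the signature names. The sample image it builds when run without arguments is a constructed stand-in with no real signature, there purely so the parsing can be exercised offline; the CN string in it is made up.

```python
"""Added example (not from the bug report, fwupd-signed or shim): list the
certificate commonName values inside the Authenticode signature of an EFI
PE binary such as fwupdx64.efi.signed.  Assumes only the PE/COFF security
directory and WIN_CERTIFICATE layouts; does not verify the signature."""
import struct
import sys

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def security_directory(pe: bytes):
    """Return (file_offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY or None.
    Unlike other directories this entry holds a file offset, not an RVA."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32 layout
    entry = dirs + 4 * 8                           # directory index 4
    if entry + 8 > opt + opt_size:
        return None
    off, size = struct.unpack_from("<II", pe, entry)
    return (off, size) if off and size else None


def authenticode_blobs(pe: bytes):
    """Yield the PKCS#7 body of each WIN_CERTIFICATE in the directory."""
    loc = security_directory(pe)
    if loc is None:
        return
    off, end = loc[0], loc[0] + loc[1]
    while off + 8 <= end:
        length, _rev, ctype = struct.unpack_from("<IHH", pe, off)
        if length < 8 or off + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if ctype == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            yield pe[off + 8:off + length]
        off += (length + 7) & ~7                   # entries are 8-byte aligned


def der_tlvs(buf: bytes):
    """Split buf into its top-level DER (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                          # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out


def common_names(blob: bytes):
    """Every commonName in the DER (issuer and subject of each cert, in order)."""
    names = []

    def visit(buf):
        tlvs = der_tlvs(buf)
        if len(tlvs) == 2 and tlvs[0] == (0x06, OID_COMMON_NAME):
            names.append(tlvs[1][1].decode("utf-8", "replace"))
            return
        for tag, val in tlvs:
            if tag & 0x20:                         # constructed: recurse
                visit(val)

    visit(blob)
    return names


def signer_names(pe: bytes):
    return [cn for blob in authenticode_blobs(pe) for cn in common_names(blob)]


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_image(cn=None) -> bytes:
    """Constructed stand-in (not a real signature): a minimal PE32+ whose
    security directory points at one WIN_CERTIFICATE wrapping a DER Name
    with the given CN; with cn=None the image carries no signature."""
    cert = b""
    if cn is not None:
        atv = der(0x06, OID_COMMON_NAME) + der(0x13, cn.encode())
        name = der(0x30, der(0x31, der(0x30, atv)))
        blob = der(0x30, der(0xA0, name))          # SignedData-like wrapper
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200,
                           WIN_CERT_TYPE_PKCS_SIGNED_DATA) + blob
        cert += b"\0" * (-len(cert) % 8)
    opt = bytearray(240)                           # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x0022)
    if cert:
        struct.pack_into("<II", opt, 112 + 4 * 8, 64 + 4 + len(coff) + len(opt), len(cert))
    mz = bytearray(64)
    mz[:2] = b"MZ"
    struct.pack_into("<I", mz, 0x3C, 64)
    return bytes(mz) + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, signer_names(f.read()) or "UNSIGNED")
    else:
        print("sample:", signer_names(build_sample_image("Example Secure Boot Signing (2022 v1)")))
```

Run it as `python3 efi-signer.py fwupdx64.efi.signed shimx64.efi.signed.latest` (script name assumed) and compare the CNs it prints against the expected signing certificate; a real Authenticode blob yields issuer and subject names for every certificate embedded in the PKCS#7, so the signer's subject is the last CN of its certificate pair. An image with no security directory at all prints UNSIGNED, which is what one would expect to see for an unsigned fwupdx64.efi and what makes the "failed because not loaded by shim" case above meaningful.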