[Bug 2011804] Re: [SRU] [HWE] gnu-efi 3.0.15

Julian Andres Klode 2011804 at bugs.launchpad.net
Thu Mar 16 09:45:47 UTC 2023


** Summary changed:

- [SRU] gnu-efi 3.0.15
+ [SRU] [HWE] gnu-efi 3.0.15

** Description changed:

  [Impact]
  gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.
  
  [Regression potential]
  To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.
  
  [Test plan]
  We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds and systemd doesn't FTBFS.
+ 
+ We will test NX support when we work on the NX supported shim.

** Also affects: gnu-efi (Ubuntu Kinetic)
   Importance: Undecided
       Status: New

** Changed in: gnu-efi (Ubuntu)
       Status: New => Fix Released

** Description changed:

  [Impact]
  gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.
+ 
+ We are only building boot assets on the latest stable release, so will
+ SRU that only to kinetic. Rebuilding the boot assets in older stable
+ releases should still work though, they do not technically require gnu-
+ efi 3.0.15 for building (fwupd-efi actually doesn't build due to
+ debhelper 13 dependency).
  
  [Regression potential]
  To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.
  
  [Test plan]
  We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds and systemd doesn't FTBFS.
  
  We will test NX support when we work on the NX supported shim.

** Description changed:

  [Impact]
  gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.
+ 
+ Updating gnu-efi also ensures that all our fwupd-efi 1.4 binaries ship
+ the same code which makes it easier to reason about security
+ vulnerabilities.
  
  We are only building boot assets on the latest stable release, so will
  SRU that only to kinetic. Rebuilding the boot assets in older stable
  releases should still work though, they do not technically require gnu-
  efi 3.0.15 for building (fwupd-efi actually doesn't build due to
  debhelper 13 dependency).
  
  [Regression potential]
  To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.
  
  [Test plan]
  We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds and systemd doesn't FTBFS.
  
  We will test NX support when we work on the NX supported shim.

** Also affects: gnu-efi (Ubuntu Jammy)
   Importance: Undecided
       Status: New

** Also affects: gnu-efi (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: gnu-efi (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: gnu-efi (Ubuntu Focal)
       Status: New => Won't Fix

** Changed in: gnu-efi (Ubuntu Jammy)
       Status: New => Won't Fix

** Changed in: gnu-efi (Ubuntu Bionic)
       Status: New => Won't Fix

** Description changed:

  [Impact]
  gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.
  
  Updating gnu-efi also ensures that all our fwupd-efi 1.4 binaries ship
  the same code which makes it easier to reason about security
  vulnerabilities.
  
- We are only building boot assets on the latest stable release, so will
- SRU that only to kinetic. Rebuilding the boot assets in older stable
- releases should still work though, they do not technically require gnu-
- efi 3.0.15 for building (fwupd-efi actually doesn't build due to
- debhelper 13 dependency).
+ [Target releases]
+ We are only building boot assets on the latest stable release, so will SRU that only to kinetic. Rebuilding the boot assets in older stable releases should still work though, they do not technically require gnu-efi 3.0.15 for building (fwupd-efi actually doesn't build due to debhelper 13 dependency).
+ 
+ The tasks have been set to Won't Fix on older releases to make this
+ clear, but this is not a hard decision, if we fix fwupd-efi to build on
+ those releases and it turns out we need gnu-efi 3.0.15 anyhow, we can
+ still upload it, but of course this increases regression potential for
+ those releases.
  
  [Regression potential]
  To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.
  
  [Test plan]
  We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds and systemd doesn't FTBFS.
  
  We will test NX support when we work on the NX supported shim.

** Description changed:

  [Impact]
  gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.
  
  Updating gnu-efi also ensures that all our fwupd-efi 1.4 binaries ship
  the same code which makes it easier to reason about security
  vulnerabilities.
+ 
+ [Workflow]
+ gnu-efi is built in ppa:ubuntu-uefi-team/ubuntu/ppa against the security  pocket only following the in-progress signed boot asset workflow.
  
  [Target releases]
  We are only building boot assets on the latest stable release, so will SRU that only to kinetic. Rebuilding the boot assets in older stable releases should still work though, they do not technically require gnu-efi 3.0.15 for building (fwupd-efi actually doesn't build due to debhelper 13 dependency).
  
  The tasks have been set to Won't Fix on older releases to make this
  clear, but this is not a hard decision, if we fix fwupd-efi to build on
  those releases and it turns out we need gnu-efi 3.0.15 anyhow, we can
  still upload it, but of course this increases regression potential for
  those releases.
  
  [Regression potential]
  To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.
  
  [Test plan]
  We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds and systemd doesn't FTBFS.
  
  We will test NX support when we work on the NX supported shim.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnu-efi in Ubuntu.
https://bugs.launchpad.net/bugs/2011804

Title:
  [SRU] [HWE] gnu-efi 3.0.15

Status in gnu-efi package in Ubuntu:
  Fix Released
Status in gnu-efi source package in Bionic:
  Won't Fix
Status in gnu-efi source package in Focal:
  Won't Fix
Status in gnu-efi source package in Jammy:
  Won't Fix
Status in gnu-efi source package in Kinetic:
  Triaged

Bug description:
  [Impact]
  gnu-efi 3.0.15 is required for fwupd-efi 1.4 to work correctly on firmware requiring NX memory in boot stack.

  Updating gnu-efi also ensures that all our fwupd-efi 1.4 binaries ship
  the same code which makes it easier to reason about security
  vulnerabilities.

  [Workflow]
  gnu-efi is built in ppa:ubuntu-uefi-team/ubuntu/ppa against the security pocket only following the in-progress signed boot asset workflow.

  [Target releases]
  We are only building boot assets on the latest stable release, so will SRU that only to kinetic. Rebuilding the boot assets in older stable releases should still work though, they do not technically require gnu-efi 3.0.15 for building (fwupd-efi actually doesn't build due to debhelper 13 dependency).

  The tasks have been set to Won't Fix on older releases to make this
  clear, but this is not a hard decision, if we fix fwupd-efi to build
  on those releases and it turns out we need gnu-efi 3.0.15 anyhow, we
  can still upload it, but of course this increases regression potential
  for those releases.

  [Regression potential]
  To my knowledge, fwupd-efi is the only supported component in the archive that uses gnu-efi. Some more binaries are built with gnu-efi and might regress, e.g. systemd.

  [Test plan]
  We can't test the NX support yet as we do not have a shim with NX support. Test that fwupd-efi 1.4 builds and systemd doesn't FTBFS.

  We will test NX support when we work on the NX supported shim.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnu-efi/+bug/2011804/+subscriptions



