[Bug 2142578] Re: [SRU] fwupd backports for KEK and db updates
Julian Andres Klode
2142578 at bugs.launchpad.net
Wed Feb 25 10:29:31 UTC 2026
** Also affects: gnome-software (Ubuntu)
Importance: Undecided
Status: New
** Also affects: plasma-discover (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2142578
Title:
[SRU] fwupd backports for KEK and db updates
Status in fwupd package in Ubuntu:
Invalid
Status in gnome-software package in Ubuntu:
New
Status in libjcat package in Ubuntu:
Invalid
Status in libxmlb package in Ubuntu:
Invalid
Status in plasma-discover package in Ubuntu:
New
Status in fwupd source package in Jammy:
In Progress
Status in gnome-software source package in Jammy:
New
Status in libjcat source package in Jammy:
New
Status in libxmlb source package in Jammy:
New
Status in plasma-discover source package in Jammy:
New
Status in fwupd source package in Noble:
In Progress
Status in gnome-software source package in Noble:
New
Status in libjcat source package in Noble:
New
Status in libxmlb source package in Noble:
New
Status in plasma-discover source package in Noble:
New
Status in fwupd source package in Questing:
In Progress
Status in gnome-software source package in Questing:
New
Status in libjcat source package in Questing:
New
Status in libxmlb source package in Questing:
New
Status in plasma-discover source package in Questing:
New
Bug description:
[ Impact ]
* Every device running Ubuntu on UEFI with Secure Boot enabled is
impacted.
* Ubuntu currently ships a shim bootloader signed by the Microsoft 3rd party
UEFI CA 2011. This Certificate Authority (CA) allows Ubuntu to boot on a
wide variety of devices that ship from the factory with Microsoft's trust.
However, this CA, and its corresponding Key Exchange Key (KEK) CA used for
signing revocations, is set to expire in July 2026. After this date, it
cannot be used to sign any further bootloader updates or security revocations.
* To retain the ability to ship future shim security updates and process future
UEFI revocations, Ubuntu as an OS must roll out updates to the code signing
and KEK infrastructure. All major Linux distributions and hardware vendors
supporting Linux have aligned on using fwupd and the Linux Vendor Firmware
Service (LVFS) as the mechanism to do so.
* Only recent versions of fwupd support installing these specific CA updates.
Thus, we have decided to backport the latest fwupd release to ensure users
can receive these critical certificates before the 2026 deadline.
[ Test Plan ]
* Smoke test fwupd still retains basic functionality after the
update.
* Verify on an empty virtual machine with only the 2011 UEFI CA installed
that fwupd is capable of installing the 2023 CAs.
[ Where problems could occur ]
* This is a major upstream update being pushed to multiple stable Ubuntu
releases; as a result, there is obvious regression potential.
* However, not having the CA updates installable on devices running Ubuntu
stable releases will have much larger consequences. As a result, the
reporter believes that making these updates is the lesser of two evils
and absolutely critical for future boot security updates.
[ Other Info ]
* We are additionally backporting libxmlb and libjcat which are direct
dependencies from the same author. These libraries are heavily intertwined
with fwupd and rarely used outside of it; backporting newer versions is
deemed to be the least disruptive way to ensure fwupd is functional.
* This is a very large hammer and goes beyond the usual scope of an SRU,
but the resolution of this issue is absolutely critical for the future
functionality of stable Ubuntu in the face of the Microsoft 2011 CA
expiry.
* Alternative options such as backporting only the db and KEK update mechanism
of fwupd were explored and discarded due to fragility.
* The current version of fwupd in 22.04 LTS is no longer supported upstream
in any case.
* These updates are built in a PPA with only the security pocket enabled
and will be copied to the main archive.
This is done with the express purpose of being able to easily copy them
to the security pocket at any time.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2142578/+subscriptions
More information about the foundations-bugs mailing list
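To support the second item of the test plan above (confirming which CAs a machine actually holds in db and KEK before and after fwupd installs the 2023 ones), here is an added example that is not code from the bug report, from fwupd or from Ubuntu. It walks the EFI_SIGNATURE_LIST chain stored in the db and KEK variables and reports each X.509 entry's size and SHA-256 fingerprint, so two captures can be diffed. It assumes efivarfs is mounted at /sys/firmware/efi/efivars (the standard location and GUIDs); the sample blob, the owner GUID and the "certificate" bytes inside it are constructed placeholders so the script runs offline.

```python
"""Parse UEFI db/KEK variable contents (chains of EFI_SIGNATURE_LIST).

Added example, not from the bug report or from fwupd. The sample data at
the bottom is constructed; on a real machine the script reads efivarfs.
"""
import hashlib
import os
import struct
import uuid

EFIVARS = "/sys/firmware/efi/efivars"
# db lives under EFI_IMAGE_SECURITY_DATABASE_GUID, KEK under EFI_GLOBAL_VARIABLE_GUID
VAR_PATHS = {
    "db": f"{EFIVARS}/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f",
    "KEK": f"{EFIVARS}/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c",
}
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
TYPE_NAMES = {EFI_CERT_X509_GUID: "x509", EFI_CERT_SHA256_GUID: "sha256"}
# EFI_SIGNATURE_LIST header: SignatureType GUID, ListSize, HeaderSize, SignatureSize
ESL_HEADER = struct.Struct("<16sIII")


def parse_esl(blob):
    """Return [(type_name, owner_uuid, data_bytes), ...] for every signature in the blob."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type_raw, list_size, header_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        sig_type = uuid.UUID(bytes_le=sig_type_raw)  # GUIDs are stored mixed-endian
        if list_size < ESL_HEADER.size + header_size or off + list_size > len(blob):
            raise ValueError(f"bad ListSize {list_size} at offset {off}")
        body = blob[off + ESL_HEADER.size + header_size : off + list_size]
        # each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the data
        if sig_size <= 16 or len(body) % sig_size:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + 16])
            entries.append((TYPE_NAMES.get(sig_type, str(sig_type)), owner, body[i + 16 : i + sig_size]))
        off += list_size
    return entries


def build_esl(sig_type, owner, items):
    """Pack one EFI_SIGNATURE_LIST (used here only to construct the offline sample)."""
    sig_size = 16 + len(items[0])
    if any(16 + len(d) != sig_size for d in items):
        raise ValueError("all signatures in one list must have the same size")
    body = b"".join(owner.bytes_le + d for d in items)
    return ESL_HEADER.pack(sig_type.bytes_le, ESL_HEADER.size + len(body), 0, sig_size) + body


def read_efivar(path):
    """Read a variable from efivarfs, dropping the 4-byte attribute prefix it prepends."""
    with open(path, "rb") as f:
        return f.read()[4:]


def describe(entries):
    """One line per entry: X.509 certs get a SHA-256 fingerprint of their DER bytes."""
    lines = []
    for kind, owner, data in entries:
        if kind == "x509":
            lines.append(f"x509   {len(data):5d} bytes  sha256={hashlib.sha256(data).hexdigest()}  owner={owner}")
        elif kind == "sha256":
            lines.append(f"hash   {data.hex()}  owner={owner}")
        else:
            lines.append(f"{kind}  {len(data)} bytes  owner={owner}")
    return lines


# Constructed sample: two X.509 lists (certs differ in size, so one list each) and one hash list.
CONSTRUCTED_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")  # placeholder, not a real owner
SAMPLE_DB = (
    build_esl(EFI_CERT_X509_GUID, CONSTRUCTED_OWNER, [b"\x30\x82placeholder-cert-A"])
    + build_esl(EFI_CERT_X509_GUID, CONSTRUCTED_OWNER, [b"\x30\x82placeholder-cert-B-longer"])
    + build_esl(EFI_CERT_SHA256_GUID, CONSTRUCTED_OWNER, [bytes(range(32))])
)

if __name__ == "__main__":
    for name, path in VAR_PATHS.items():
        if os.path.exists(path):
            print(f"== {name} ({path})")
            print("\n".join(describe(parse_esl(read_efivar(path)))))
    print("== constructed sample")
    print("\n".join(describe(parse_esl(SAMPLE_DB))))
```

Run it once on the test VM that carries only the 2011 CA, then again after `fwupdmgr refresh` and `fwupdmgr update`, and diff the two outputs: the new CAs should appear as additional x509 entries in db and KEK. To see the subject names rather than fingerprints, write an entry's bytes to a file and run `openssl x509 -inform der -noout -subject` on it; `mokutil --db` and `mokutil --kek` give an independent cross-check of the same variables.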