[Bug 2138609] [NEW] Patch fwupdmgr to verify recovery key with snapd API for TPM/FDE
Simon Johnsson
2138609 at bugs.launchpad.net
Mon Jan 19 09:01:34 UTC 2026
Public bug reported:
Currently the firmware-updater GUI verifies the recovery key on updates
affecting TPM/FDE state using a synchronous POST call to the
"/v2/system-volumes" endpoint of snapd. This is for the purpose of
ascertaining the availability of the recovery key before reboot in order
to prevent locking the user out of the system.
A proposal was made upstream (see
https://github.com/fwupd/fwupd/issues/9744) to generalize this
verification by moving it into fwupd itself and communicating the
verification to the possible frontends using the system DBus. However
after some discussion it was concluded that this had considerable
security implications and the proposal was discontinued.
Still, firmware-updater has the behavior of verifying the recovery key,
and as such we should reflect this behavior in the fwupdmgr CLI
frontend. In the future we should consider not requiring the user to
input the recovery key upon predictable reboots, which means that this
is likely best maintained as a temporary patched delta in the meantime.
** Affects: fwupd (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
Currently the firmware-updater GUI verifies the recovery key on updates
affecting TPM/FDE state using a synchronous POST call to the
"/v2/system-volumes" endpoint of snapd. This is for the purpose of
ascertaining the availability of the recovery key before reboot in order
to prevent locking the user out of the system.
A proposal was made upstream (see
https://github.com/fwupd/fwupd/issues/9744) to generalize this
verification by moving it into fwupd itself and communicating the
verification to the possible frontends using the system DBus. However
after some discussion it was concluded that this had considerable
security implications and the proposal was discontinued.
- Still, firmware-updater still has the behavior of verifying the recovery
- key, and as such we should reflect this behavior in the fwupdmgr CLI
+ Still, firmware-updater has the behavior of verifying the recovery key,
+ and as such we should reflect this behavior in the fwupdmgr CLI
frontend. In the future we should consider not requiring the user to
input the recovery key upon predictable reboots, which means that this
is likely best maintained as a temporary patched delta in the meantime.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd in Ubuntu.
https://bugs.launchpad.net/bugs/2138609
Title:
Patch fwupdmgr to verify recovery key with snapd API for TPM/FDE
Status in fwupd package in Ubuntu:
New
Bug description:
Currently the firmware-updater GUI verifies the recovery key on
updates affecting TPM/FDE state using a synchronous POST call to the
"/v2/system-volumes" endpoint of snapd. This is for the purpose of
ascertaining the availability of the recovery key before reboot in
order to prevent locking the user out of the system.
A proposal was made upstream (see
https://github.com/fwupd/fwupd/issues/9744) to generalize this
verification by moving it into fwupd itself and communicating the
verification to the possible frontends using the system DBus. However
after some discussion it was concluded that this had considerable
security implications and the proposal was discontinued.
Still, firmware-updater has the behavior of verifying the recovery
key, and as such we should reflect this behavior in the fwupdmgr CLI
frontend. In the future we should consider not requiring the user to
input the recovery key upon predictable reboots, which means that this
is likely best maintained as a temporary patched delta in the
meantime.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/2138609/+subscriptions
More information about the foundations-bugs
mailing list