Tuesday, 24 February 2026

Major version update of fwupd (and deps) in stable releases for UEFI CA expiry

Hello,

I am writing to ask for feedback on a proposed major version update to
fwupd, libxmlb, and libjcat in our stable releases (mainly 22.04 LTS
and 24.04 LTS).

As many of you are likely aware, the Microsoft 3rd Party UEFI CA 2011
is set to expire in July 2026. This CA starts the Secure Boot chain
for the vast majority of Ubuntu devices. To prevent devices from
failing to upgrade to newer bootloader security updates or losing the
ability to process revocations after this date, we must roll out the
new 2023 UEFI CA and KEK.

The industry-standard mechanism for delivering these DB/KEK updates on
Linux is via fwupd and LVFS. However, the versions of fwupd currently
in our stable releases are too old to support this specific update
mechanism.

To address this, I am proposing a backport of the latest stable fwupd
version (along with its tight dependencies libxmlb and libjcat).

I realize this "large hammer" approach deviates from the usual Stable
Release Update (SRU) regarding major version bumps. However, I have
evaluated alternative options, such as backporting only the DB/KEK
update logic, and found them excessively fragile and difficult to
maintain. Given the critical nature of the CA expiry, I believe
ensuring users can easily transition to the new trust outweighs the
regression risks of a version update. Beyond SRU, this will eventually
need to be copied to security pockets, so that devices running only
security updates can receive a new shim when necessary.

I have a work-in-progress bug here:
https://bugs.launchpad.net/ubuntu/+source/libxmlb/+bug/2142578

I would appreciate any feedback or concerns regarding this approach
before proceeding further.

Thanks,
Mate Kukri
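An added defender-side check, not part of the message above or of fwupd/LVFS: it reads the Secure Boot db and KEK variables through efivarfs and reports whether the 2023 Microsoft CA certificates are present, so an administrator can confirm that a fwupd-delivered DB/KEK update actually landed. The variable GUIDs and certificate subject names are assumed real-world values, not taken from the post; the efivarfs mount path is assumed to be /sys/firmware/efi/efivars.

```shell
#!/bin/sh
# Added example: report which Microsoft CA certificates the Secure Boot
# db and KEK variables contain. Not code from the post or from fwupd.
# Assumption: efivarfs is mounted here (override with EFIVARS=...).
EFIVARS=${EFIVARS:-/sys/firmware/efi/efivars}
# Assumed GUIDs: image-security database (db/dbx) and global (KEK/PK).
IMAGE_SECURITY_DATABASE_GUID=d719b2cb-3d3a-4596-a3bc-dad00e67656f
GLOBAL_VARIABLE_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# has_subject FILE SUBJECT -> exit 0 if SUBJECT appears in the variable
# payload. The X.509 subject CN is plain ASCII inside the DER-encoded
# certificate, so a byte search over the EFI_SIGNATURE_LIST data suffices.
# The first 4 bytes of an efivarfs file are variable attributes: skip them.
has_subject() {
  tail -c +5 "$1" 2>/dev/null | grep -aq "$2"
}

# report VARNAME GUID SUBJECT -> one status line; returns 0 if present,
# 1 if absent, 2 if the variable cannot be read (no EFI, no efivarfs).
report() {
  f="$EFIVARS/$1-$2"
  if [ ! -r "$f" ]; then
    echo "$1: variable not readable at $f"
    return 2
  fi
  if has_subject "$f" "$3"; then
    echo "$1: contains '$3'"
    return 0
  fi
  echo "$1: does NOT contain '$3'"
  return 1
}

# Assumed subject CNs of the 2011 and 2023 Microsoft certificates.
main() {
  report db  "$IMAGE_SECURITY_DATABASE_GUID" "Microsoft UEFI CA 2023"
  report db  "$IMAGE_SECURITY_DATABASE_GUID" "Microsoft Corporation UEFI CA 2011"
  report KEK "$GLOBAL_VARIABLE_GUID" "Microsoft Corporation KEK 2K CA 2023"
}

# Run the report only when invoked with "--run", so the file can also be
# sourced and its functions reused.
[ "${1-}" = "--run" ] && main
```

Invoke as `sh check-uefi-ca.sh --run`; a db that still lacks the 2023 CA after the fwupd update is the condition the post warns about.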

--
ubuntu-devel mailing list
ubuntu-devel@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel