[Bug 1931213] Re: fwupd installs without shim if secure boot is disabled
Mario Limonciello
1931213 at bugs.launchpad.net
Tue Jun 8 16:35:06 UTC 2021
> leading to different code paths being taken on non-secureboot systems,
> and fwupd being broken if you intercept the reboot and turn on secure
> boot.
This is intentional behavior based upon:
1. If there are shim bugs with chainloading, firmware updates are TOTALLY broken if you always rely upon shim for the upgrade path. With the way things are done right now, users can turn off secure boot, re-run the update and it works.
(Cough https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1929471)
2. Other than during development, it's unlikely that users will be
turning on/off secure boot in the middle of a firmware update.
To me, it seems like a bullet point in a wiki page on how to test new
shim releases properly with fwupd is what's needed.
For GRUB support, please open https://github.com/fwupd/fwupd/discussions
for discussing the merits and risks of it.
** Changed in: fwupd (Ubuntu)
Status: New => Opinion
--
https://bugs.launchpad.net/bugs/1931213
Title:
fwupd installs without shim if secure boot is disabled
Status in fwupd package in Ubuntu:
Opinion
Bug description:
[Impact]
fwupd currently configures the boot entry without shim if secure boot is disabled, leading to different code paths being taken on non-secureboot systems, and fwupd being broken if you intercept the reboot and turn on secure boot.
This makes verifying changes harder.
[Test plan]
Run fwupdmgr reinstall or similar on a system without secure boot and ensure that shim is present in the boot entry created. Check old version to ensure it was broken before.
[Where problems could occur]
shim in hirsute+ currently is unable to load fwupd, and it's not the first time this has happened. We need to get better at this, it's not clear how this happened, but maybe this is precisely where testing that bit went wrong?
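One way to automate the check in the test plan above, as an added example that is not part of the bug report or of fwupd: it classifies the firmware-updater entry in `efibootmgr -v` output by the loader it points at. The entry label `Linux-Firmware-Updater`, the loader file names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify how the fwupd UEFI boot entry is loaded.
# Assumption: fwupd labels its boot entry "Linux-Firmware-Updater".
FWUPD_LABEL="${FWUPD_LABEL:-Linux-Firmware-Updater}"

# Constructed `efibootmgr -v` samples (not captured from a real system).
# Loader names shimx64.efi / fwupdx64.efi are assumed for an x86-64 install.
SAMPLE_WITH_SHIM='BootCurrent: 0001
BootOrder: 0001,0002
Boot0001* ubuntu HD(1,GPT,00000000-0000-0000-0000-000000000001)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* Linux-Firmware-Updater HD(1,GPT,00000000-0000-0000-0000-000000000001)/File(\EFI\ubuntu\shimx64.efi)\.f.w.u.p.d.x.6.4...e.f.i...'
SAMPLE_DIRECT='BootOrder: 0001,0002
Boot0001* ubuntu HD(1,GPT,...)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* Linux-Firmware-Updater HD(1,GPT,...)/File(\EFI\ubuntu\fwupdx64.efi)'
SAMPLE_NONE='BootOrder: 0001
Boot0001* ubuntu HD(1,GPT,...)/File(\EFI\ubuntu\shimx64.efi)'

# Reads `efibootmgr -v` text on stdin and prints one word:
#   shim    - entry loads shim first (what the test plan expects)
#   direct  - entry loads the fwupd EFI binary without shim
#   unknown - entry exists but its loader is neither of the above
#   missing - no firmware-updater entry was found
classify_fwupd_entry() {
    # Match only the updater entry; "[* ]" covers active and inactive entries.
    line=$(grep -E "^Boot[0-9A-Fa-f]{4}[* ][[:space:]]*${FWUPD_LABEL}[[:space:]]" \
           | head -n 1 || true)
    if [ -z "$line" ]; then
        printf 'missing\n'
        return 0
    fi
    # Take the File(...) device-path node, then its last path component.
    loader=$(printf '%s\n' "$line" | sed -n 's/.*File(\([^)]*\)).*/\1/p')
    base=$(printf '%s' "${loader##*\\}" | tr 'A-Z' 'a-z')
    case "$base" in
        shim*.efi)  printf 'shim\n' ;;
        fwupd*.efi) printf 'direct\n' ;;
        *)          printf 'unknown\n' ;;
    esac
}

# Classify the constructed samples; printf avoids echo's backslash handling.
for s in "$SAMPLE_WITH_SHIM" "$SAMPLE_DIRECT" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | classify_fwupd_entry
done
# On a real system: efibootmgr -v | classify_fwupd_entry
```
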