[Bug 1921539] Re: Add support for SBAT

Launchpad Bug Tracker 1921539 at bugs.launchpad.net
Tue Sep 7 08:19:56 UTC 2021


This bug was fixed in the package fwupd - 1.2.14-0~18.04.2

---------------
fwupd (1.2.14-0~18.04.2) bionic; urgency=medium

  * debian/rules: catch up to generate sbat section.

fwupd (1.2.14-0~18.04.1) bionic; urgency=medium

  * New upstream version (1.2.14) (LP: #1884788)
  * Bug fixes:
    - Fixes crashes on fwupdaa64.efi on startup (LP: #1858590)
    - Check version was updated by checking version
    - Correctly import PKCS-7 remote metadata
    - Decrease minimum battery requirement to 10%
    - Disable the battery percentage checks if UPower is unavailable
    - Do not do semver conversion in fu_common_vercmp()
    - Fix the DeviceID set by GetDetails
    - Force the synaptics-prometheus minor version from 0x02 to 0x01
    - Prevent Dell updates to occur via synaptics-mst
    - Read all releases and convert versions when comparing
    - Use the correct timeout for unifying IO channel writes
    - Validate that gpgme_op_verify_result() returned at least one signature
    - Avoid checking for bolt support when not required
    - Correct HWID support in wacom-raw
    - Fix offset of vendor id of hidraw devices
    - Make loading vendor/product/serial strings non-fatal
    - Only check the vendor ID if the device has one set
    - Use more systemd directives for directories
    - Actually write the new device path if different than before
    - Add a SynapticsMSTBoardID for a few Lenovo docks
    - Add the counterpart GUID for the DW5821e
    - Be more accepting when trying to recover a failed database migration
    - Do not ask the user to upload a report if ReportURI is not set
    - Do not segfault when trying to quit the downgrade selection
    - Fix a crash when stopping the fwupd service
    - Never show AppStream markup on the console
    - Relax the certificate time checks in the self tests for the legacy certificate
    - Reload metadata store when configuration changes
    - Remove replug flag after the device comes back from reboot
    - Update device_modified in sql database during updates
    - Work properly with ICL thunderbolt controller
  * New features:
    - Add support for tpm2-tools 4.X
    - Allow specifying a firmware GUID to check any version exists
    - Add SBAT region support (LP: #1921539)
  * Don't cleanup /var/cache/fwupdate anymore
  * Drop upstreamed patches:
    - 0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
    - 0001-trivial-libfwupd-skip-tests-if-machine-id-is-empty-t.patch
    - 0001-Allows-confined-snaps-to-activate-fwupd-via-D-Bus.patch
    - 0001-Only-check-the-vendor-ID-if-the-device-has-one-set.patch
    - 0001-efi-use-a-wildcard-section-copy-for-final-EFI-genera.patch
    - CVE-2020-10759.patch
  * Remaining changes:
    - meson-0.45-bc.patch: Fix build with meson 0.45
    - Drop added Recommends: on bolt which is not in flavor seeds and adds a
      new service.
  * Backport a patch from upstream 1_2_X branch to fix SBAT character.
  * Backport a patch from upstream 1_2_X branch to fix vendor-id requirement
    error on Dell WD19 (LP: #1921544)

 -- Yuan-Chen Cheng <yc.cheng at canonical.com>  Tue, 31 Aug 2021 15:58:09 +0800

** Changed in: fwupd (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-10759

** Changed in: fwupd-signed (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/1921539

Title:
  Add support for SBAT

Status in OEM Priority Project:
  In Progress
Status in fwupd package in Ubuntu:
  Fix Released
Status in fwupd-signed package in Ubuntu:
  Fix Released
Status in fwupd source package in Bionic:
  Fix Released
Status in fwupd-signed source package in Bionic:
  Fix Released
Status in fwupd source package in Focal:
  Fix Released
Status in fwupd-signed source package in Focal:
  Fix Released
Status in fwupd source package in Groovy:
  Fix Released
Status in fwupd-signed source package in Groovy:
  Fix Released
Status in fwupd source package in Hirsute:
  Fix Released
Status in fwupd-signed source package in Hirsute:
  Fix Released

Bug description:
  [Impact]
  Future releases of shim will require that EFI binaries that are chainloaded include an SBAT region.  fwupd in bionic does not currently contain this region.

  [Test Case]
  Verify that a shim that checks for the sbat region can boot fwupd with the sbat region.

  [Regression Potential]
  This is moving to a new stable release in each of the series which is in bug fix only mode.  The sbat region is the only "feature" that has been backported to this series in over a year.

To manage notifications about this bug go to:
https://bugs.launchpad.net/oem-priority/+bug/1921539/+subscriptions
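
A pre-boot check for the test case above, as an added example that is not part of the original notification nor code from fwupd or shim: it reads the PE section table of an EFI binary, extracts the .sbat section and checks its CSV structure. The function names and the sample image are hypothetical and constructed here; the CSV layout (a leading "sbat" entry, numeric generation in the second field) follows shim's SBAT.md.

```python
import csv
import struct

def read_sbat(image: bytes):
    """Return the CSV rows of a PE image's .sbat section, or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    table = pe_off + 24 + opt_size          # section table follows the optional header
    for i in range(n_sections):
        entry = table + 40 * i              # each section header is 40 bytes
        name = image[entry:entry + 8].rstrip(b"\0")
        vsize, _va, raw_size, raw_off = struct.unpack_from("<4I", image, entry + 8)
        if name == b".sbat":
            size = min(vsize, raw_size) if vsize else raw_size
            text = image[raw_off:raw_off + size].rstrip(b"\0").decode("utf-8")
            return [row for row in csv.reader(text.splitlines()) if row]
    return None

def sbat_problems(rows):
    """Structural checks only; an empty list means the metadata looks well formed."""
    if rows is None:
        return ["no .sbat section"]
    problems = []
    if not rows or rows[0][0] != "sbat":
        problems.append("first entry is not the 'sbat' format header")
    for row in rows:
        if len(row) < 2 or not row[1].isdigit():
            problems.append(f"entry {row[0]!r} has no numeric generation")
    return problems

def build_image(sections):
    """Constructed sample: a minimal header-only PE image, not a bootable binary."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw_off, table, body = 0x40 + 24 + 40 * len(sections), b"", b""
    for name, data in sections:
        table += struct.pack("<8s6I2HI", name, len(data), 0, len(data),
                             raw_off + len(body), 0, 0, 0, 0, 0)
        body += data
    return dos + b"PE\0\0" + coff + table + body

# Constructed SBAT payload; the fwupd entry is illustrative, not copied from the package.
SAMPLE_SBAT = (b"sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n"
               b"fwupd,1,Firmware update daemon,fwupd,1.2.14,https://github.com/fwupd/fwupd\n")
WITH_SBAT = build_image([(b".text", bytes(16)), (b".sbat", SAMPLE_SBAT)])
WITHOUT_SBAT = build_image([(b".text", bytes(16))])
```

On a real system, pass the bytes of the installed fwupd EFI binary to read_sbat(); a None result means a shim that enforces SBAT would have no metadata to evaluate for it.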



