Ubuntu
fwupdate package

Possibly demote fwupdate to universe?

Bug #1787254 reported by Mario Limonciello
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
snapd
Invalid
Undecided
Unassigned
fwupdate (Ubuntu)
Fix Released
Undecided
Unassigned
fwupdate-signed (Ubuntu)
Fix Released
Undecided
Unassigned
snapd (Ubuntu)
Invalid
Undecided
John Lenton

Bug Description

In cosmic there has been a major transition in the firmware updating stack. fwupdate's library and EFI application were subsumed into fwupd 1.1.0+.

fwupd will manage the installation of the EFI binary now at runtime. fwupdate is still around as a reference implementation that doesn't use glib or support CAB packaged files.

As such should fwupdate be dropped down to universe and fwupdate-signed be dropped from the archive?

I'm hesitant to say yes because it's used in system-image seed and installed into ubuntu core. I don't know how this will affect Ubuntu core.

If it is decided to demote to universe and drop the signed package then the packaging needs to be configured to strip the generation of the EFI signing archive too.

Related branches

~xnox/ubuntu-seeds:eoan
Ubuntu Core Development Team: Pending requested
Diff: 2171 lines (+1831/-0) (has conflicts)
48 files modified
STRUCTURE (+31/-0)
boot (+3/-0)
build-essential (+3/-0)
cloud-image (+11/-0)
desktop (+65/-0)
desktop-default-languages (+17/-0)
desktop-minimal (+169/-0)
desktop-minimal-default-languages (+17/-0)
desktop.minimal-remove (+190/-0)
development (+85/-0)
doc/langpacks.txt (+17/-0)
installer (+3/-0)
lamp-server (+13/-0)
languages/STRUCTURE (+16/-0)
languages/desktop-de (+24/-0)
languages/desktop-en (+27/-0)
languages/desktop-es (+20/-0)
languages/desktop-fr (+19/-0)
languages/desktop-it (+19/-0)
languages/desktop-minimal-de (+11/-0)
languages/desktop-minimal-en (+7/-0)
languages/desktop-minimal-es (+11/-0)
languages/desktop-minimal-fr (+11/-0)
languages/desktop-minimal-it (+11/-0)
languages/desktop-minimal-pt (+11/-0)
languages/desktop-minimal-ru (+11/-0)
languages/desktop-minimal-zh (+23/-0)
languages/desktop-pt (+24/-0)
languages/desktop-ru (+16/-0)
languages/desktop-zh (+9/-0)
live (+35/-0)
mail-server (+17/-0)
minimal (+3/-0)
openssh-server (+10/-0)
print-server (+15/-0)
required (+3/-0)
samba-server (+17/-0)
server (+65/-0)
server-ship (+277/-0)
server-ship-live (+45/-0)
ship (+69/-0)
ship-live (+35/-0)
standard (+3/-0)
supported (+212/-0)
supported-desktop-extra (+62/-0)
supported-kiosk (+6/-0)
system-image (+46/-0)
wsl (+17/-0)
Revision history for this message
Mario Limonciello (superm1) wrote :
Download full text (8.3 KiB)

Here is the IRC transcript that prompted this bug:

<superm1> hi can an AA remove and block these from syncing https://launchpad.net/ubuntu/+source/fwupdate-amd64-signed https://launchpad.net/ubuntu/+source/fwupdate-arm64-signed https://launchpad.net/ubuntu/+source/fwupdate-i386-signed ? They're causing problems with https://launchpad.net/ubuntu/+source/fwupdate-signed/1.20
<slangasek> superm1: hi! I had noticed things going on there and wanted to ask why both fwupd and fwupdate are now producing artifacts for EFI signing
<slangasek> maybe that's all resolved now and we only need to handle the -signed packages now
<superm1> slangasek, i sent some mail to sil2100 to explain it all
<superm1> but i guess that didn't float around to everyone that needs to know
<slangasek> yes, emailing an individual has that effect :)
<superm1> heh. so basically starting with fwupd 1.1.0 the library and EFI binaries were subsumed into the fwupd project
<superm1> they are installed dynamically at runtime now
<superm1> lots of various reasons for this, but the general expectation is that due to this change less bugs, better control on the process, easier to support problems
<superm1> the fwupdate project still exists and can be treated as a simple reference implementation of EFI firmware updates if you don't care about all the other stuff
<superm1> in my mind fwupdate and fwupdate-signed should move to universe in cosmic
<slangasek> superm1: http://archive.ubuntu.com/ubuntu/dists/cosmic-proposed/main/uefi/fwupdate-amd64/current/fwupx64.efi.signed http://archive.ubuntu.com/ubuntu/dists/cosmic-proposed/main/uefi/fwupd-amd64/1.1.1-1/fwupdx64.efi.signed why are there two of these?
<superm1> see above two comments
<slangasek> so
<superm1> I unseeded fwupdate for this purpose on the next meta upload: https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/commit/?id=e44246ad2a65dacc3e816715d0df7bd86cd9a2ac
<slangasek> we shouldn't be signing two streams of EFI binaries
<slangasek> we shouldn't be signing something that's just a "reference implementation"
<cyphermox> moo?
<superm1> Moo
<slangasek> and it's regrettable if sil2100 accepted these for signing on the basis of your conversation
<slangasek> we should instead drop the signing request bits from the package
<superm1> Debian is still going to sign both of them
<slangasek> I'm not responsible for Debian's EFI keys :)
<superm1> and let folks decide if they want to use one or the other
<cyphermox> oh my
<superm1> Sledge told me that infinity and cjwatson had interest in Debian's EFI signing system as well and are going to look into it. If Ubuntu adopts something akin to it it will be more difficult to drop the signed bits only from Ubuntu for fwupdate
<slangasek> sorry, if Ubuntu adopts something akin to what?
<superm1> the signing process for EFI binaries
<slangasek> ok
<superm1> right now what happens in Debian is that template packages are created and go itno the archive as binary packages
<slangasek> so, regardless, my expectation is that the set of objects signed with the EFI key will be gated on archive admin signoff
<superm1> a signing service runs and installs these template packages and produ...

Read more...

Revision history for this message
Steve Langasek (vorlon) wrote :

As an archive admin I've said that we should not be signing two parallel streams of EFI binaries implementing this functionality. If fwupd is considered the preferred implementation upstream and Ubuntu is going to adopt this, then we should remove fwupdate-signed entirely from the archive and stop producing artifacts from fwupdate source package for EFI signing.

If there are design reasons why Ubuntu Core should prefer fwupx64.efi over fwupdx64.efi going forward, then we should clarify what these are and evaluate whether Ubuntu classic should follow suit. Otherwise, we should drop fwupdate-signed from the archive, adjust the fwupdate source package to not generate EFI artifacts for signing, and ensure that snapd migrates to fwupd by 20.04.

John, I suggested your name to Mario as a possible first contact for this on the Snappy side, but please escalate this as appropriate.

NB I can't see anywhere in the snapd code or in the pc gadget snap where fwupx64.efi is ever installed to the ESP, so it's entirely unclear to me how this currently works on Ubuntu Core either.

Changed in snapd (Ubuntu):
assignee: nobody → John Lenton (chipaca)
Revision history for this message
Steve Langasek (vorlon) wrote :

Based on the analysis in the previous comment, I'm going to go ahead and delete fwupdate-signed now from cosmic (and blacklist it). If at a later date it is determined that Ubuntu Core does need fwupdate in Ubuntu 20.04 we can reintroduce it, but in the meantime we shouldn't carry on producing and signing EFI executables in the archive that we don't expect to be used.

Revision history for this message
Mario Limonciello (superm1) wrote :

Thanks Steve. I've made the matching change in packaging so any future fwupdate uploads to Debian that sync won't try to make signed packages again.

https://salsa.debian.org/efi-team/fwupdate/commit/104e1e86d9b318fd9831ecc16112d3d3c060426e

Changed in fwupdate (Ubuntu):
status: New → Fix Committed
Revision history for this message
Steve Langasek (vorlon) wrote :

Removing packages from cosmic:
 fwupdate-signed 1.18 in cosmic
  fwupdate-amd64-signed 1.18+10-3 in cosmic amd64
  fwupdate-arm64-signed 1.18+10-3 in cosmic arm64
  fwupdate-armhf-signed 1.18+10-3 in cosmic armhf
  fwupdate-i386-signed 1.18+10-3 in cosmic i386
  fwupdate-signed 1.18+10-3 in cosmic amd64
  fwupdate-signed 1.18+10-3 in cosmic arm64
  fwupdate-signed 1.18+10-3 in cosmic armhf
  fwupdate-signed 1.18+10-3 in cosmic i386
Comment: Superseded by fwupdx64.efi from fwupd source; LP: #1787254
1 package successfully removed.
Removing packages from cosmic-proposed:
 fwupdate-signed 1.20 in cosmic
  fwupdate-armhf-signed 1.20+12-3 in cosmic armhf
  fwupdate-signed 1.20+12-3 in cosmic armhf
Comment: Superseded by fwupdx64.efi from fwupd source; LP: #1787254
1 package successfully removed.

Changed in fwupdate-signed (Ubuntu):
status: New → Fix Released
Revision history for this message
Mario Limonciello (superm1) wrote :

As also found by this, the signing source packages from debian need to be blocked too. That's filed here: https://bugs.launchpad.net/ubuntu/+source/fwupdate-amd64-signed/+bug/1787315

Revision history for this message
John Lenton (chipaca) wrote :

I don't know much about this, but I'm asking different people and I'll answer here as I find out.

We don't have fwupdate in ubuntu core itself:

    $ find EFI -type f
    EFI/boot/grubx64.efi
    EFI/boot/bootx64.efi
    EFI/ubuntu/grubenv
    EFI/ubuntu/grub.cfg

it is used in some _customer_ images of ubuntu core. I'll be asking field engineering about whether and why they prefer one over the other (and whether this decision affects them in any way).

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

I can confirm that in core18 we also don't have fwupdate. The system-image seed is used during ubuntu-base builds that are used as the base of core18, but fwupdate is not part of it - and it is not installed separately either.

Revision history for this message
Steve Langasek (vorlon) wrote :

I have swapped fwupdate for fwupd in the system-image seeds so that fwupdate can be demoted to universe for disco. Since it does not appear that either fwupd or fwupdate are actually used as part of the core18 build today, we should at least be referring to the *right* unused implementation.

Override component to universe
fwupdate 12-3ubuntu2 in disco: main/misc -> universe
fwupdate 12-3ubuntu2 in disco amd64: main/admin/optional/100% -> universe
fwupdate 12-3ubuntu2 in disco arm64: main/admin/optional/100% -> universe
fwupdate 12-3ubuntu2 in disco armhf: main/admin/optional/100% -> universe
fwupdate 12-3ubuntu2 in disco i386: main/admin/optional/100% -> universe
fwupdate-amd64-signed-template 12-3ubuntu2 in disco amd64: universe/libs/optional/100% -> universe
fwupdate-arm64-signed-template 12-3ubuntu2 in disco arm64: universe/libs/optional/100% -> universe
fwupdate-armhf-signed-template 12-3ubuntu2 in disco armhf: universe/libs/optional/100% -> universe
fwupdate-i386-signed-template 12-3ubuntu2 in disco i386: universe/libs/optional/100% -> universe
libfwup-dev 12-3ubuntu2 in disco amd64: universe/libdevel/optional/100% -> universe
libfwup-dev 12-3ubuntu2 in disco arm64: universe/libdevel/optional/100% -> universe
libfwup-dev 12-3ubuntu2 in disco armhf: universe/libdevel/optional/100% -> universe
libfwup-dev 12-3ubuntu2 in disco i386: universe/libdevel/optional/100% -> universe
libfwup1 12-3ubuntu2 in disco amd64: main/libs/optional/100% -> universe
libfwup1 12-3ubuntu2 in disco arm64: main/libs/optional/100% -> universe
libfwup1 12-3ubuntu2 in disco armhf: main/libs/optional/100% -> universe
libfwup1 12-3ubuntu2 in disco i386: main/libs/optional/100% -> universe
fwupdate-amd64-signed-template 12-3ubuntu2 in disco amd64 remained the same
fwupdate-arm64-signed-template 12-3ubuntu2 in disco arm64 remained the same
fwupdate-armhf-signed-template 12-3ubuntu2 in disco armhf remained the same
fwupdate-i386-signed-template 12-3ubuntu2 in disco i386 remained the same
libfwup-dev 12-3ubuntu2 in disco amd64 remained the same
libfwup-dev 12-3ubuntu2 in disco arm64 remained the same
libfwup-dev 12-3ubuntu2 in disco armhf remained the same
libfwup-dev 12-3ubuntu2 in disco i386 remained the same
9 publications overridden; 8 publications remained the same.

And unsubscribing ubuntu-archive.

Changed in fwupdate (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Michael Vogt (mvo) wrote :

I'm closing the snapd task because it looks like we don't need fwupdate for uc20. If it turns out I was wrong this needs to be reopened.

Changed in snapd:
status: New → Invalid
Changed in snapd (Ubuntu):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.