fwupdate-signed doesn't get installed on upgrade

Bug #1571679 reported by Mario Limonciello
This bug affects 1 person
Affects: ubuntu-release-upgrader (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Dimitri John Ledkov
Milestone:

Bug Description

This machine was upgraded from Ubuntu 14.04 installed in UEFI mode. After upgrading, fwupdate gets installed (as it's a Recommends for ubuntu-desktop) but fwupdate-signed isn't installed. The net result is that even though this machine now supports firmware updates (in 16.04), upon upgrading they can't be used when secure boot is turned on.

Ubuntu 16.04 fresh install behavior is to install fwupdate-signed if the machine is running in UEFI mode so that firmware support will work if the machine supports it.

So the update process should query whether installed in UEFI mode and if so also mark fwupdate-signed for installation.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ubuntu-release-upgrader-core 1:16.04.11
ProcVersionSignature: Ubuntu 4.4.0-18.34-generic 4.4.6
Uname: Linux 4.4.0-18-generic x86_64
ApportVersion: 2.20.1-0ubuntu2
Architecture: amd64
CrashDB: ubuntu
CurrentDesktop: Unity
Date: Mon Apr 18 09:18:10 2016
DistributionChannelDescriptor:
 # This is a distribution channel descriptor
 # For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
 canonical-oem-somerville-trusty-amd64-osp1-20150720-0
InstallationDate: Installed on 2016-04-03 (14 days ago)
InstallationMedia: Ubuntu 14.04 "Trusty" - Build amd64 LIVE Binary 20150720-04:06
PackageArchitecture: all
SourcePackage: ubuntu-release-upgrader
Symptom: ubuntu-release-upgrader
UpgradeStatus: Upgraded to xenial on 2016-04-18 (0 days ago)

Mario Limonciello (superm1) wrote :

Dimitri John Ledkov (xnox) wrote :

Yes, I have hit this bug with my laptop during the xenial release sprint. My understanding was that we had agreed to make -signed installed by default, however the naive approach was shut down due to a dependency cycle (can't remember exactly now). At the time I manually installed -signed to get the fwupdates working. But we should install -signed by default. Similar to how installers no longer make a distinction between signed/unsigned installs -> we always install both, as one can flip between signed and unsigned boot throughout the lifetime of the machine.

Changed in ubuntu-release-upgrader (Ubuntu):
assignee: nobody → Dimitri John Ledkov (xnox)
Dimitri John Ledkov (xnox) wrote :

No, I think we have fixed it:

ubuntu-meta (1.361) xenial; urgency=medium

  * Refreshed dependencies
  * Added fwupdate-signed to desktop-recommends [amd64 arm64 armhf i386]
  * Added ubuntu-software to desktop-recommends
  * Added unity to desktop [s390x]
  * Removed gnome-software from desktop-recommends

 -- Iain Lane <email address hidden> Tue, 19 Apr 2016 21:15:56 +0100

Is ubuntu-desktop package installed on your machine?

Changed in ubuntu-release-upgrader (Ubuntu):
status: New → Incomplete
Dimitri John Ledkov (xnox) wrote :

I now realise that this bug was filed _before_ we fixed it at the release sprint. Marking as fixed.

Changed in ubuntu-release-upgrader (Ubuntu):
status: Incomplete → Fix Released
Mario Limonciello (superm1) wrote :

So that said, this fix that was put in place was a bit heavy handed wasn't it? With the luxury of time, is it worth adjusting it now to do as I was recommending?

Ubiquity already has code to make an educated decision about when to install fwupdate-signed so that it's not needlessly added to systems installed in legacy mode.

Dimitri John Ledkov (xnox) wrote :

We have people flipping between UEFI <-> legacy boot too, because they can in firmware =) Granted, they need extra steps to get that to work. I don't think it is heavy-handed, instead it is forward-looking =) and doing it at package level catches "apt full-upgrade" installation too, as a few people don't use release-upgrader.

Another suggestion is to split the tool, efi, signed-efi into separate packages.

Maybe even migrate to ubuntu-drivers infrastructure to pull in fwupdate on known machines. As far as I understand, my UEFI desktop will never receive fwupdate based updates, because board manufacturer doesn't provide things like that.

Mario Limonciello (superm1) wrote :

Ubiquity doesn't today install both an MBR and UEFI bootloader, so making that work does require extra planning and effort.

The tool, efi and signed-efi are actually all separate packages. fwupdate-signed depends upon fwupdate. fwupd provides the userspace tool.

It's hard to predict what machines will be getting UEFI capsule updates from LVFS and install from ubuntu-drivers because a manufacturer can start using it at any time. That would mean ubuntu-drivers would need to download the metadata daily, compare the ESRT and only install if your machine is applicable. At that point it definitely is easier if the tools are just "there" already.
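
Added example, not part of the bug thread and not code from ubuntu-release-upgrader or Ubiquity: a shell sketch of the check proposed in the bug description (is the system booted in UEFI mode, and is fwupdate-signed present), extended with the Secure Boot state and the ESRT lookup mentioned in the last comment. The `ROOT` prefix argument, the function names and the verdict strings are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread. ROOT is a hypothetical prefix so the
# checks can run against a constructed tree; pass "" for the live system.

EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

is_uefi_boot() {
    # The kernel creates this directory only when booted through UEFI.
    [ -d "$1/sys/firmware/efi" ]
}

secure_boot_enabled() {
    # efivarfs layout: 4 attribute bytes, then the data; SecureBoot data is 1 byte.
    var="$1/sys/firmware/efi/efivars/SecureBoot-$EFI_GLOBAL_GUID"
    [ -r "$var" ] && [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = 1 ]
}

has_esrt_entries() {
    # ESRT entries are the firmware resources exposed for UEFI capsule updates.
    [ -n "$(ls -A "$1/sys/firmware/efi/esrt/entries" 2>/dev/null)" ]
}

pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# Usage: fwupdate_signed_verdict ROOT yes|no   (second arg: fwupdate-signed installed?)
fwupdate_signed_verdict() {
    if ! is_uefi_boot "$1"; then echo "legacy-boot"; return 0; fi
    if has_esrt_entries "$1"; then esrt=yes; else esrt=no; fi
    if [ "$2" = yes ]; then
        echo "ok esrt=$esrt"
    elif secure_boot_enabled "$1"; then
        echo "missing-secure-boot-on esrt=$esrt"   # firmware updates unusable now
    else
        echo "missing-secure-boot-off esrt=$esrt"  # unusable once Secure Boot is on
    fi
}

# Live check, only when asked for: sh check.sh --host
if [ "${1:-}" = "--host" ]; then
    if pkg_installed fwupdate-signed; then have=yes; else have=no; fi
    fwupdate_signed_verdict "" "$have"
fi
```

A `missing-secure-boot-on` verdict with `esrt=yes` matches the situation reported here: the firmware advertises updatable resources, but the signed binary needed under Secure Boot was not pulled in by the upgrade.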
