Bug 2121069 - [RFE] remove shim-x64 dependency on fwupd (dbxtool) [NEEDINFO]
Summary: [RFE] remove shim-x64 dependency on fwupd (dbxtool)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: shim
Version: 8.7
Hardware: All
OS: Linux
low
low
Target Milestone: rc
: ---
Assignee: Bootloader engineering team
QA Contact: Release Test Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-08-24 11:39 UTC by dbodnarc
Modified: 2022-11-15 15:52 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-10-14 14:59:25 UTC
Type: Bug
Target Upstream Version:
Embargoed:
peter.vreman: needinfo? (jaredz)
rmetrich: needinfo? (jaredz)
dbodnarc: needinfo? (raravind)

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-132193 0 None None None 2022-08-24 12:03:39 UTC

Description dbodnarc 2022-08-24 11:39:16 UTC 
Description of problem:
fwupd package presence on any RHEL8 UEFI systems.
fwupd package is not mandatory for any UEFI setup but due to shim-x64 dependency on dbxtool it cannot be removed.

Version-Release number of selected component (if applicable):
shim-x64-15.6-1.el8.x86_64

How reproducible:
[root@fastvm-rhel-8-6-uefi-166 ~]# dnf deplist shim-x64-15.6-1.el8.x86_64
package: shim-x64-15.6-1.el8.x86_64
  dependency: dbxtool >= 0.6-3
   provider: dbxtool-8-5.el8_3.2.x86_64
   provider: fwupd-1.7.4-2.el8.x86_64
  dependency: efi-filesystem
   provider: efi-filesystem-3-3.el8.noarch
  dependency: mokutil >= 1:0.3.0-1
   provider: mokutil-1:0.3.0-11.el8_6.1.x86_64


[root@fastvm-rhel-8-6-uefi-166 ~]# dnf remove fwupd
Updating Subscription Management repositories.
Dependencies resolved.
==============================================================================
 Package                Arch       Version               Repository      Size
==============================================================================
Removing:
 fwupd                  x86_64     1.7.4-2.el8           @anaconda      8.2 M
Removing dependent packages:
 shim-x64               x86_64     15.5-2.el8            @anaconda      3.6 M
...

Actual results:
shim-x64 is dependent on fwupd [dbxtool]

Expected results:
shim-x64 is not dependent on fwupd [dbxtool]

Additional info:
Since the hypervisor solution is managing the virtual hardware for the instances on Public Cloud Azure, the fwupd package is not needed there.

The other concern is that fwupd service is writing errors/warnings "... failed to ...." in the log file during and after the sosreport is collected. Any kind of errors related to important topics like Firmware can be interpreted wrong.
Comment 6 Jared Dominguez 2022-10-14 14:59:25 UTC 
fwupd is used for the security-critical purpose of updating dbx in addition to firmware updates in general. dbxtool is deprecated, so using that instead defeats the purpose of maintaining strong platform security.
Comment 7 raravind 2022-10-19 10:48:29 UTC 
Clearing the needinfo based on comment#6
Comment 8 Peter Vreman 2022-10-20 08:06:26 UTC 
can you please elaborate how fwupd provides more security on cloud provideds like Azure that is using EFI?
Note You need to log in before you can comment on or make changes to this bug.