Bug 2128349 - fwupd fails to apply Secure Boot dbx update on systems
Summary: fwupd fails to apply Secure Boot dbx update on systems
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: fwupd
Version: CentOS Stream
Hardware: x86_64
OS: Linux
unspecified
urgent
Target Milestone: rc
Assignee: Richard Hughes
QA Contact: Oliver Gutiérrez
Reported: 2022-09-20 13:08 UTC by pj
Modified: 2023-09-04 15:11 UTC (History)

Last Closed: 2023-09-04 15:11:04 UTC
Type: Bug
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-134811 0 None None None 2022-09-23 21:32:22 UTC

Internal Links: 2128384

Description pj 2022-09-20 13:08:00 UTC
Description of problem:
fwupd can not update Secure Boot dbx to latest security release.

Version-Release number of selected component (if applicable):
fwupd-1.7.4-2.el8.x86_64

How reproducible:
fwupdmgr update
...
reboot
Secure Boot dbx fails to apply

Steps to Reproduce:
1. fwupdmgr update
2. reboot
3. update to dbx fails

Actual results:
Secure Boot dbx fails to apply

Expected results:
Fully security updated system

Additional info:
fwupd issue tracker regarding this issue: https://github.com/fwupd/fwupd/issues/5035

Comment 4 pj 2022-10-06 13:21:12 UTC
Any ETA for the updated fwupd to make it to repos?

Comment 5 pj 2022-10-26 11:54:29 UTC
Any time frame for this fwupd update that has security related repercussions?

Comment 6 Richard Hughes 2022-10-26 20:07:33 UTC
> Any time frame for this fwupd update

I can certainly accelerate things if you have a Red Hat RHEL subscription -- is this something that applies to you?

Comment 7 pj 2022-10-31 18:42:33 UTC
(In reply to Richard Hughes from comment #6)
> > Any time frame for this fwupd update
> 
> I can certainly accelerate things if you have a Red Hat RHEL subscription --
> is this something that applies to you?

(Not sure why, but my email reply from 10/26 did not seem to make it into the ticket. Here it is:)

Yes, we have RHEL Server subscription.
About a month ago it was noted as a WIP and almost done (https://github.com/fwupd/fwupd/issues/5035#issuecomment-1260937922). Just looking to see if there is an issue now? It sounded like this affected a fair number of people and concerns security (or inability to process security updates).
Thank you very much for the reply and certainly appreciate what is going on behind the scenes to make this happen. Maybe I just got a little impatient.
Regards
PJ

Comment 12 pj 2022-12-09 15:30:43 UTC
Any time frame for the fwupd updates to be released?
If I have missed providing any information, please let me know.
Thank you in advance for any relevant information.

Comment 13 pj 2022-12-28 18:37:57 UTC

Any time frame for the fwupd updates to be released?
If I have missed providing any information, please let me know.
Thank you in advance for any relevant information.

Comment 14 pj 2023-01-09 12:12:59 UTC
Any time frame for the fwupd updates to be released?
If I have missed providing any information, please let me know.
Thank you in advance for any relevant information.

Comment 15 Richard Hughes 2023-01-09 14:15:09 UTC
Last week I pushed the new fwupd with all the fixes to Fedora for testing. I'm going to be much more comfortable backporting the fixes to RHEL when we know they actually work and don't cause regressions.

Comment 16 pj 2023-01-09 14:17:48 UTC
Perfect! Thank you very much for the update.

Comment 19 pj 2023-02-02 18:56:07 UTC
Thank you for the progress on the el9 version. Is there the same progress for el8 version here?

Comment 20 Richard Hughes 2023-02-02 20:49:41 UTC
I don't have any plan to backport the fixes to RHEL-8 unfortunately (we are a very very small team). A rebase isn't possible due to missing deps. We're aiming for 9.2 now, sorry.

Comment 27 Richard Hughes 2023-09-04 15:11:04 UTC
I think RHEL 9 and Fedora are in good shape now. We don't have plans to fix this in RHEL-8 -- the backport would be too invasive and a rebase wouldn't be approved -- sorry. You can of course use dbxtool to update systems manually, although please test carefully as the missing checks in fwupd obviously won't be performed.
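
One way to confirm whether a dbx update actually took effect after the reboot, added here as an example (it is not fwupd or dbxtool code and not part of the bug thread): it parses the EFI_SIGNATURE_LIST data of the dbx variable and compares a snapshot taken before the update with one taken after. The function names and the sample digests are constructed for illustration; the efivarfs path and the SHA-256 signature type GUID are the UEFI-defined ones.

```python
import struct
import uuid
from pathlib import Path

# UEFI-defined names: the dbx variable as exposed by efivarfs, and the
# SignatureType GUID for SHA-256 image hashes.
DBX_PATH = Path("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER = 28  # 16-byte SignatureType + three little-endian uint32 size fields

def parse_signature_lists(blob):
    """Return the set of hex SHA-256 digests in concatenated EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < HEADER:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize does not fit the data")
        body = blob[off + HEADER + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256:
            if sig_size != 48 or len(body) % 48:
                raise ValueError("malformed SHA-256 signature list")
            # Each entry is a 16-byte owner GUID followed by the 32-byte digest.
            digests.update(body[i + 16:i + 48].hex() for i in range(0, len(body), 48))
        off += list_size  # other types (e.g. X.509) are skipped
    return digests

def read_dbx(path=DBX_PATH):
    """Read the live dbx; efivarfs prefixes the data with 4 attribute bytes."""
    return parse_signature_lists(Path(path).read_bytes()[4:])

def added_entries(before, after):
    """Digests present after the update but not before; empty means nothing applied."""
    return sorted(after - before)

def build_sample_list(digests):
    """Constructed test data: one SHA-256 list with an all-zero owner GUID."""
    body = b"".join(bytes(16) + d for d in digests)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", HEADER + len(body), 0, 48) + body

if __name__ == "__main__":
    a, b, c = (bytes([n]) * 32 for n in (1, 2, 3))  # constructed digests
    before = parse_signature_lists(build_sample_list([a, b]))
    after = parse_signature_lists(build_sample_list([a, b]) + build_sample_list([c]))
    print("new dbx entries:", added_entries(before, after))
    if DBX_PATH.exists():
        print("live dbx SHA-256 entries:", len(read_dbx()))
```

On a real system, save the result of `read_dbx()` before running the update and compare it with the result after the reboot; an empty difference means the firmware did not accept the new revocations.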