[uc20] snapd needs a way to incorporate firmware update with fwupd

Bug #1892392 reported by Woodrow Shen
This bug affects 1 person

Affects: snapd
Status: Incomplete
Importance: Wishlist
Assigned to: Unassigned

Bug Description

For now, the actual EFI vfat partition is covered by ubuntu-seed, which is mounted at /run/mnt/ubuntu-seed, and /boot/efi is not used. As a result, uefi-fw-tools (confined fwupd) cannot update firmware because it fails to find the ESP path. The fwupd daemon searches for these paths in order:

/boot/efi
/boot/EFI
/efi

The initial idea is that snapd can set up a bind mount for /boot/efi -> /run/mnt/ubuntu-seed. Once /boot/efi is mounted in the host, the profile “snap-update-ns.uefi-fw-tools” should get the benefit of doing an rbind to /boot from /var/lib/snapd/hostfs/boot in the snap namespace.

However, the critical issue after that is that updating firmware also impacts TPM measurement, so that snapd/initramfs may fail to unseal the encryption, unless the system enters recovery mode to reseal the encrypted disk. We need to have more discussions about how snapd deals with the case of PCRs changing.
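The ESP lookup described in the report, as an added diagnostic script that is not part of snapd, fwupd or this bug; it assumes an optional root prefix so it can be run against a staged directory tree, and treats the presence of an EFI/ directory as the sign of a populated ESP (a simplification of what fwupd itself checks).

```shell
#!/bin/sh
# Added diagnostic, not snapd or fwupd code. Walks the ESP candidate paths
# in the order given in the bug description and reports the first one that
# looks like a populated ESP (contains an EFI/ directory). ROOT is an
# assumed prefix so the check can run against a staged tree instead of /.

esp_candidates() {
    printf '%s\n' /boot/efi /boot/EFI /efi
}

# Print the first candidate under $1 that holds an EFI/ directory.
# Returns 1 (and prints nothing) when none of them does.
find_esp() {
    root="${1:-}"
    for p in $(esp_candidates); do
        if [ -d "$root$p/EFI" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# UC20 layout from the report: the ESP is mounted as ubuntu-seed.
uc20_seed_has_esp() {
    root="${1:-}"
    [ -d "$root/run/mnt/ubuntu-seed/EFI" ]
}

# One-line summary of where (if anywhere) the ESP is reachable.
esp_report() {
    root="${1:-}"
    if esp="$(find_esp "$root")"; then
        echo "ESP found at $esp"
    elif uc20_seed_has_esp "$root"; then
        echo "no ESP on fwupd search path; ubuntu-seed holds it at /run/mnt/ubuntu-seed"
    else
        echo "no ESP found"
    fi
}

# Run against the live system, or against a staged tree via ESP_ROOT.
esp_report "${ESP_ROOT:-}"
```

On a UC20 system without the proposed bind mount this prints the ubuntu-seed line, which is the failure mode the report describes.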

Changed in snapd:
status: New → Triaged
Michael Vogt (mvo) wrote:
Changed in snapd:
assignee: nobody → Michael Vogt (mvo)
importance: Undecided → Critical
status: Triaged → In Progress
Dimitri John Ledkov (xnox) wrote:

Exposing /boot/efi alone will not allow the fwupdate snap to work, as discussed on Mattermost and email.

Exposing /boot/efi like that will make it easier to shoot oneself in the foot, without actually making fwupdate work with FDE.

This is being discussed in https://github.com/fwupd/fwupd/issues/2513

Changed in snapd:
importance: Critical → Wishlist
status: In Progress → Incomplete
assignee: Michael Vogt (mvo) → nobody