
feat(fwupd): Update fwupd to v2.0.20 and promote to SPECS #17817

Draft
corvus-callidus wants to merge 2 commits into 3.0-dev from lyrydber/fwupd


@corvus-callidus


Summary

Ship fwupd 2.0.20 on Azure Linux 3.0 to provide a user-friendly mechanism for updating the UEFI DB and KEK to include the 2023 CA and associated KEK.

Changes

fwupd 2.0.20 update (SPECS/fwupd/fwupd.spec)

Promoted fwupd to SPECS and updated the version to 2.0.20, matching the Azure Linux 4 version and providing the UEFI key update functionality we need.

The package has been minimized to avoid promoting unnecessary packages from SPECS-EXTENDED. fwupd-efi is not required for DB or KEK updates and has not been included.

Meson option changes

Removed (options no longer exist in 2.0.20):

| Option | Reason |
| --- | --- |
| -Dplugin_uefi_capsule=enabled | Removed upstream; plugin is now auto-detected |
| -Dplugin_uefi_pk=enabled | Removed upstream; plugin is now auto-detected |
| -Dplugin_tpm=enabled | Removed upstream; plugin is now auto-detected |
| -Dplugin_gpio=enabled | Removed upstream; plugin is now auto-detected |
| -Dplugin_msr=enabled | Removed upstream; plugin is now auto-detected |
| -Dplugin_powerd=disabled | Removed upstream (ChromeOS power daemon plugin dropped) |
| -Dlaunchd=disabled | Removed upstream as a feature toggle (macOS support now auto-detected) |

Removed (default is already correct):

| Option | Reason |
| --- | --- |
| -Defi_binary=false | Still exists in 2.0.20 but false is the upstream default; omitting it has no effect |

Added:

| Option | Reason |
| --- | --- |
| -Dcbor=disabled | coSWID/uSWID metadata support not needed for UEFI key updates; avoids libcbor dependency |

Changed from enabled to disabled:

| Option | Reason |
| --- | --- |
| -Dplugin_flashrom=disabled | flashrom is in SPECS-EXTENDED, not required for our use case |
| -Dplugin_modem_manager=disabled | ModemManager is in SPECS-EXTENDED, not required for our use case |
| -Dpassim=disabled | passim is in SPECS-EXTENDED, optional caching daemon is not needed |

Dependency promotions (SPECS-EXTENDED → SPECS)

Only the minimum set of dependencies was promoted:

  • libjcat — hard dependency for fwupd metadata verification
  • libxmlb — hard dependency for fwupd AppStream XML handling
  • libstemmer — dependency of libxmlb

Backported bug fixes

Backported two upstream commits to fix a bug found by @jejb (James Bottomley) affecting UEFI KEK enumeration:

  • 964aa10 — reprocess device metadata after coldplug to ensure <requires><firmware> tags resolve against the full device tree
  • aadaf0b — defer ensure_device_supported until post-coldplug to avoid redundant metadata processing during startup

Also restructured test conditionals: with_check controls %check execution, enable_tests controls the -tests subpackage (disabled by default).

Testing

  • Verified both online and offline mode updates of the 2023 UEFI CA and KEK on Azure VMs
  • Buddy build:

Promote fwupd and its dependencies from SPECS-EXTENDED to SPECS:
- libjcat (hard dep for fwupd metadata verification)
- libxmlb (hard dep for fwupd AppStream XML handling)
- libstemmer (dep of libxmlb)

Meson options removed (no longer exist in 2.0.20):
- plugin_uefi_capsule, plugin_uefi_pk, plugin_tpm (auto-detected)
- plugin_gpio, plugin_msr (auto-detected)
- plugin_powerd (ChromeOS plugin dropped upstream)
- launchd (macOS support, auto-detected)

Meson options removed (upstream default is already correct):
- efi_binary (default is false; we don't build fwupd-efi from within fwupd)

Meson options added:
- cbor=disabled (coSWID/uSWID firmware supply-chain metadata not needed
  for UEFI capsule updates; avoids promoting libcbor)

Meson options changed to disabled:
- plugin_flashrom (SPI flash programming, not needed for UEFI capsule
  updates; avoids promoting flashrom, libftdi, libjaylink)
- passim (optional P2P firmware caching daemon, not needed for direct
  capsule delivery; avoids promoting passim)
- plugin_modem_manager (cellular modem firmware updates, not relevant for
  our server/cloud use case; avoids promoting ModemManager)

Other spec changes:
- Source changed to GitHub archive tarball
- Added BuildRequires: libmnl-devel
- Replaced %%{valgrind_arches} macro with explicit x86_64 aarch64
  (macro is provided by valgrind-devel and creates a chicken-and-egg
  dependency during initial builds)
- Backport upstream 964aa10: reprocess device metadata after coldplug to ensure <requires><firmware> tags resolve against the full device tree
- Backport upstream aadaf0b: defer ensure_device_supported until post-coldplug to avoid redundant metadata processing during startup
- Restructure test conditionals: use with_check for %check execution, enable_tests for -tests subpackage (disabled by default)
microsoft-github-policy-service (bot) added the Packaging, specs-extended (PR to fix SPECS-EXTENDED) and 3.0-dev (PRs Destined for AzureLinux 3.0) labels on Jun 26, 2026
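
A check an operator might run after the db/KEK update described under Testing, as an added example that is not part of this PR or of fwupd: it parses the EFI_SIGNATURE_LIST structures in a db or KEK payload and reports which X.509 entries contain an expected subject string. The helper names, the owner GUID and the placeholder certificate strings are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID as defined in the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(data):
    """Yield (type_guid, owner_guid, sig_bytes) for every entry in a db/KEK payload."""
    off = 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        start, end = off + 28 + hdr_size, off + list_size
        if start > end or end > len(data) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - start) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for pos in range(start, end, sig_size):
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            yield sig_type, owner, data[pos + 16:pos + sig_size]
        off += list_size


def x509_entries_containing(data, needle):
    """Owner GUIDs of X.509 entries whose bytes contain needle (substring heuristic)."""
    return [owner for t, owner, sig in parse_signature_lists(data)
            if t == EFI_CERT_X509_GUID and needle in sig]


def read_efivar(path):
    """Read an efivarfs file, dropping its 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_list(sig_type, owner, blob):
    """Build a one-entry EFI_SIGNATURE_LIST (helper for the constructed sample)."""
    body = owner.bytes_le + blob
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body


# Constructed sample: placeholder strings stand in for DER certificates.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # constructed GUID
SAMPLE_DB = (build_list(EFI_CERT_X509_GUID, OWNER, b"CN=Example UEFI CA 2011")
             + build_list(EFI_CERT_X509_GUID, OWNER, b"CN=Example UEFI CA 2023"))
```

On a live system, pass `read_efivar("/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f")` and the subject name of the certificate you expect; the substring match is a quick presence check, not certificate validation.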