fwupd integration with safeboot

[osresearch]

The Linux firmware update service uses an EFI executable to orchestrate firmware updates, which will require that it be signed by the platform key to work with safeboot. Signing the new PCRs in recovery mode (#56) will also need to be fixed since the PCR0 and others will change.

[osresearch]

fwupdmgr update tries to write to /root/.cache/fwupd, which fails on a read-only root filesystem. Providing a fake one with mount -t tmpfs none /root allows it store its data (#64)

It schedules a reboot automatically via capsules, although the debug log disappeared before I could see it. Disabling secure boot is necessary.

[osresearch]

This page shows how to use sbsign with the platform keys to sign /usr/lib/fwupd/efi/fwupdx64.efi: https://wiki.archlinux.org/index.php/Fwupd#Secure_Boot

The config files are in /etc/fwupd/uefi.conf.

There is a merged PR that computes updated PCR0: fwupd/fwupd#1311

[osresearch]

And updating my X1 Gen 5 to 1.48 wouldn't reboot until I entered setup and exited with no changes. This broke all the PCRs, as expected, including the tpm2-totp values. Also remember that the PCRs need to be signed on a clean boot; entering setup or the boot menu guarantees broken PCR4 since the boot path isn't directly into the kernel EFI stub.

sudo safeboot pcrs-sign
sudo tpm2-totp -p abcd reseal