canonical · ernestl · Feb 9, 2026 · Jan 20, 2026 · Jan 21, 2026 · Jan 22, 2026
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -539,6 +539,7 @@ jobs:
     needs: [unit-tests, unit-tests-c, snap-builds, read-systems]
     if: contains(needs.read-systems.outputs.fundamental-systems, 'systems')
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.
@@ -578,6 +579,7 @@ jobs:
     # only after the fundamental systems job succeeds.
     needs: [unit-tests, unit-tests-c, snap-builds, read-systems, spread-fundamental]
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.
@@ -612,6 +614,7 @@ jobs:
     # on the fundamental systems job's success before running this job.
     needs: [unit-tests, unit-tests-c, snap-builds, read-systems]
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.
@@ -638,6 +641,7 @@ jobs:
     needs: [unit-tests, unit-tests-c, snap-builds, read-systems]
     if: contains(needs.read-systems.outputs.nested-systems, 'systems')
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.

diff --git a/.github/workflows/nightly-spread.yaml b/.github/workflows/nightly-spread.yaml
@@ -30,6 +30,7 @@ jobs:
   spread-nightly:
     if: ${{ github.event.schedule == '0 2 * * *' || (github.event_name == 'workflow_dispatch' && inputs.job == 'spread-nightly') }}
     uses: ./.github/workflows/spread-tests.yaml
+    secrets: inherit
     with:
       runs-on: '["self-hosted", "spread-enabled"]'
       group: openstack
@@ -42,6 +43,7 @@ jobs:
   spread-nightly-google:
     if: ${{ github.event.schedule == '0 2 * * *' || (github.event_name == 'workflow_dispatch' && inputs.job == 'spread-nightly-google') }}
     uses: ./.github/workflows/spread-tests.yaml
+    secrets: inherit
     with:
       runs-on: '["self-hosted", "spread-enabled"]'
       group: ${{ matrix.group }}
@@ -79,6 +81,7 @@ jobs:
   spread-test-build-from-current:
     if: ${{ github.event.schedule == '0 6 * * *' || (github.event_name == 'workflow_dispatch' && inputs.job == 'spread-test-build-from-current') }}
     uses: ./.github/workflows/spread-tests.yaml
+    secrets: inherit
     with:
       runs-on: '["self-hosted", "spread-enabled"]'
       group: ${{ matrix.group }}
@@ -99,6 +102,7 @@ jobs:
   spread-test-experimental:
     if: ${{ github.event.schedule == '0 2 * * *' || (github.event_name == 'workflow_dispatch' && inputs.job == 'spread-test-experimental') }}
     uses: ./.github/workflows/spread-tests.yaml
+    secrets: inherit
     with:
       runs-on: '["self-hosted", "spread-enabled"]'
       group: openstack
@@ -132,6 +136,7 @@ jobs:
     uses: ./.github/workflows/spread-tests.yaml
     name: "spread master ${{ matrix.group }}"
     needs: [read-systems]
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.
@@ -155,6 +160,7 @@ jobs:
     uses: ./.github/workflows/spread-tests.yaml
     name: "spread master ${{ matrix.group }}"
     needs: [read-systems]
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.
@@ -177,6 +183,7 @@ jobs:
     uses: ./.github/workflows/spread-tests.yaml
     name: "spread master ${{ matrix.group }}"
     needs: [read-systems]
+    secrets: inherit
     with:
       # Github doesn't support passing sequences as parameters.
       # Instead here we create a json array and pass it as a string.
@@ -197,6 +204,7 @@ jobs:
   spread-test-with-kernels:
     if: ${{ github.event.schedule == '0 6 * * *' || (github.event_name == 'workflow_dispatch' && inputs.job == 'spread-test-with-kernels') }}
     uses: ./.github/workflows/spread-tests.yaml
+    secrets: inherit
     with:
       runs-on: '["self-hosted", "spread-enabled"]'
       group: ${{ matrix.group }}

diff --git a/.github/workflows/spread-tests.yaml b/.github/workflows/spread-tests.yaml
@@ -65,6 +65,8 @@ jobs:
     env:
       SPREAD_EXPERIMENTAL_FEATURES: ${{ inputs.spread-experimental-features }}
       GH_TOKEN: ${{ github.token }}
+      SPREAD_STORE_USER: ${{ secrets.SPREAD_STORE_USER }}
+      SPREAD_STORE_PASSWORD: ${{ secrets.SPREAD_STORE_PASSWORD }}
 
     runs-on: ${{ fromJSON(inputs.runs-on) }}
     steps:

diff --git a/.github/workflows/weekly-feature-tagging.yaml b/.github/workflows/weekly-feature-tagging.yaml
@@ -84,6 +84,7 @@ jobs:
     needs: [set-inputs, read-systems]
     name: "spread ${{ matrix.group }}"
     if: needs.read-systems.outputs.fundamental-systems != ''
+    secrets: inherit
     with:
       runs-on: '${{ matrix.runs-on }}'
       group: ${{ matrix.group }}
@@ -105,6 +106,7 @@ jobs:
     needs: [set-inputs, read-systems]
     if: needs.read-systems.outputs.non-fundamental-systems != ''
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       runs-on: '${{ matrix.runs-on }}'
       group: ${{ matrix.group }}
@@ -125,6 +127,7 @@ jobs:
     needs: [set-inputs, read-systems]
     if: needs.read-systems.outputs.nested-systems != ''
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       runs-on: '${{ matrix.runs-on }}'
       group: ${{ matrix.group }}

diff --git a/.github/workflows/weekly-state-locks.yaml b/.github/workflows/weekly-state-locks.yaml
@@ -9,6 +9,7 @@ jobs:
   run-spread-tests:
     uses: ./.github/workflows/spread-tests.yaml
     name: "spread ${{ matrix.group }}"
+    secrets: inherit
     with:
       runs-on: '["self-hosted", "spread-enabled"]'
       group: ${{ matrix.group }}

diff --git a/NEWS.md b/NEWS.md
@@ -1,3 +1,11 @@
+# New in snapd 2.74.1
+* FDE: measure DeployedMode and AuditMode variables if they appear as disabled in the event log to avoid a potential reseal-failure boot loop
+* LP: #2139611 FDE: fix db updates by allowing multiple payloads
+* LP: #2139300 snap-confine: add CAP_SYS_RESOURCE to allow raising memory lock limit when required
+* LP: #2139099 snap-confine: bump the max element count of the BPF map used to store IDs of allowed/matched devices to 1000
+* Interfaces: Added pidfd_open and memfd_secret to seccomp template
+* Interfaces: camera | add locking permission for /dev/video
+
 # New in snapd 2.74
 * FDE: use new activation API from secboot
 * FDE: use activation API also with non keydata keys

diff --git a/cmd/libsnap-confine-private/device-cgroup-support.c b/cmd/libsnap-confine-private/device-cgroup-support.c
@@ -390,8 +390,14 @@ static int _sc_cgroup_v2_init_bpf(sc_device_cgroup *self, int flags) {
     int devmap_fd = bpf_get_by_path(path);
     /* keep a copy of errno in case it gets clobbered */
     int get_by_path_errno = errno;
-    /* XXX: this should be more than enough keys */
-    const size_t max_entries = 500;
+    /* This used to be 500 (using ~47kB of kernel mem), but got bumped to 1000
+       (~89kB of kernel mem) due to LP#2139099. Should be more than enough keys
+       now. */
+    /* TODO: make this configurable or proportional to number of
+       interfaces/potentially matching devices, system memory size or see
+       whether we can maybe use a 2 stage combination of
+       BPF_MAP_TYPE_BLOOM_FILTER & BPF_MAP_TYPE_HASH */
+    const size_t max_entries = 1000;
     if (devmap_fd < 0) {
         if (get_by_path_errno != ENOENT) {
             die("cannot get existing device map");

diff --git a/cmd/snap-confine/snap-confine.c b/cmd/snap-confine/snap-confine.c
@@ -371,6 +371,9 @@ int main(int argc, char **argv) {
         CAP_CHOWN,            // file ownership
         CAP_FOWNER,           // to create tmp dir with sticky bit
         CAP_SYS_PTRACE,       // to inspect the mount namespace of PID1
+        // TODO: when removing the manual adjustment to memlock limit, remove this capability as well.
+        // The capability is to support the logic needed for 5.11 kernels.
+        CAP_SYS_RESOURCE,  // to raise memlock limit before setting up device eBPF program.
     };
 
     /* We may be invoking tools such as snap-update-ns or snap-discard which are

diff --git a/cmd/snap-confine/snap-confine.caps b/cmd/snap-confine/snap-confine.caps
@@ -1 +1 @@
-cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
+cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource=p
diff --git a/cmd/snap-confine/snap-confine.v2-only.caps b/cmd/snap-confine/snap-confine.v2-only.caps
@@ -1 +1 @@
-cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
+cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource=p
diff --git a/daemon/api_system_secureboot.go b/daemon/api_system_secureboot.go
@@ -67,6 +67,11 @@ type securebootRequest struct {
 	// blob is in the range from few kB to tens of kBs
 	Payload string `json:"payload,omitempty"`
 
+	// Payloads is the same as Payload, but as a list of multiple
+	// ordered payloads to be applied. It is not valid to have both
+	// Payload and Payloads defined at the same time.
+	Payloads []string `json:"payloads,omitempty"`
+
 	// KeyDatabase is used with efi-secureboot-db-prepare action, and indicates the
 	// secureboot keys database which is a target of the action, possible values are
 	// PK, KEK, DB, DBX
@@ -110,9 +115,12 @@ func (r *securebootRequest) Validate() error {
 			return fmt.Errorf("invalid key database %q", r.KeyDatabase)
 		}
 
-		if len(r.Payload) == 0 {
+		if len(r.Payload) == 0 && len(r.Payloads) == 0 {
 			return errors.New("update payload not provided")
 		}
+		if len(r.Payload) != 0 && len(r.Payloads) != 0 {
+			return errors.New("both single payload and multiple payloads provided")
+		}
 	default:
 		return fmt.Errorf("unsupported EFI secure boot action %q", r.Action)
 	}
@@ -151,9 +159,26 @@ func postSystemSecurebootActionJSON(c *Command, r *http.Request) Response {
 var fdestateEFISecurebootDBUpdatePrepare = fdestate.EFISecurebootDBUpdatePrepare
 
 func postSystemActionEFISecurebootUpdateDBPrepare(c *Command, req *securebootRequest) Response {
-	payload, err := base64.StdEncoding.DecodeString(req.Payload)
-	if err != nil {
-		return BadRequest("cannot decode payload: %v", err)
+	var payloads [][]byte
+	switch {
+	case len(req.Payload) != 0 && len(req.Payloads) != 0:
+		return BadRequest("cannot use both single payload and multiple payloads")
+	case len(req.Payload) != 0:
+		payload, err := base64.StdEncoding.DecodeString(req.Payload)
+		if err != nil {
+			return BadRequest("cannot decode payload: %v", err)
+		}
+		payloads = append(payloads, payload)
+	case len(req.Payloads) != 0:
+		for _, rawPayload := range req.Payloads {
+			payload, err := base64.StdEncoding.DecodeString(rawPayload)
+			if err != nil {
+				return BadRequest("cannot decode payload: %v", err)
+			}
+			payloads = append(payloads, payload)
+		}
+	default:
+		return BadRequest("cannot find payload")
 	}
 
 	keyDatabase, err := keyDatabaseFromString(req.KeyDatabase)
@@ -163,7 +188,7 @@ func postSystemActionEFISecurebootUpdateDBPrepare(c *Command, req *securebootReq
 
 	err = fdestateEFISecurebootDBUpdatePrepare(c.d.state,
 		keyDatabase,
-		payload)
+		payloads)
 	if err != nil {
 		return BadRequest("cannot notify of update prepare: %v", err)
 	}

diff --git a/daemon/api_system_secureboot_test.go b/daemon/api_system_secureboot_test.go
@@ -48,7 +48,7 @@ func (s *systemSecurebootSuite) SetUpTest(c *C) {
 		Interfaces: []string{"fwupd"},
 	})
 
-	s.AddCleanup(daemon.MockFdestateEFISecurebootDBUpdatePrepare(func(st *state.State, db fdestate.EFISecurebootKeyDatabase, payload []byte) error {
+	s.AddCleanup(daemon.MockFdestateEFISecurebootDBUpdatePrepare(func(st *state.State, db fdestate.EFISecurebootKeyDatabase, payloads [][]byte) error {
 		panic("unexpected call")
 	}))
 	s.AddCleanup(daemon.MockFdestateEFISecurebootDBUpdateCleanup(func(st *state.State) error {
@@ -215,23 +215,37 @@ func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareBadPayloadDBX(c
 func (s *systemSecurebootSuite) testEFISecurebootUpdateDBPrepareHappyForKind(
 	c *C,
 	kind fdestate.EFISecurebootKeyDatabase,
+	multiplePayloads bool,
 ) {
 	s.daemon(c)
 
 	updatePrepareCalls := 0
-	s.AddCleanup(daemon.MockFdestateEFISecurebootDBUpdatePrepare(func(st *state.State, db fdestate.EFISecurebootKeyDatabase, payload []byte) error {
+	s.AddCleanup(daemon.MockFdestateEFISecurebootDBUpdatePrepare(func(st *state.State, db fdestate.EFISecurebootKeyDatabase, payloads [][]byte) error {
 		c.Check(db, Equals, kind)
-		c.Check(payload, DeepEquals, []byte("payload"))
+		if multiplePayloads {
+			c.Check(payloads, DeepEquals, [][]byte{[]byte("payload2"), []byte("payload3")})
+		} else {
+			c.Check(payloads, DeepEquals, [][]byte{[]byte("payload")})
+		}
 		updatePrepareCalls++
 		return nil
 	}))
 
 	updateKindStr := kind.String()
-	body, err := json.Marshal(map[string]any{
+	bodyRaw := map[string]any{
 		"action":       "efi-secureboot-update-db-prepare",
 		"key-database": updateKindStr,
-		"payload":      base64.StdEncoding.EncodeToString([]byte("payload")),
-	})
+	}
+	if multiplePayloads {
+		bodyRaw["payloads"] = []string{
+			base64.StdEncoding.EncodeToString([]byte("payload2")),
+			base64.StdEncoding.EncodeToString([]byte("payload3")),
+		}
+	} else {
+		bodyRaw["payload"] = base64.StdEncoding.EncodeToString([]byte("payload"))
+	}
+
+	body, err := json.Marshal(bodyRaw)
 	c.Assert(err, IsNil)
 	req, err := http.NewRequest("POST", "/v2/system-secureboot", bytes.NewReader(body))
 	c.Assert(err, IsNil)
@@ -245,16 +259,28 @@ func (s *systemSecurebootSuite) testEFISecurebootUpdateDBPrepareHappyForKind(
 }
 
 func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyPK(c *C) {
-	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootPK)
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootPK, false)
+}
+func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyPKMultiple(c *C) {
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootPK, true)
 }
 func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyKEK(c *C) {
-	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootKEK)
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootKEK, false)
+}
+func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyKEKMultiple(c *C) {
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootKEK, true)
 }
 func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyDB(c *C) {
-	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootDB)
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootDB, false)
+}
+func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyDBMultiple(c *C) {
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootDB, true)
 }
 func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyDBX(c *C) {
-	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootDBX)
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootDBX, false)
+}
+func (s *systemSecurebootSuite) TestEFISecurebootUpdateDBPrepareHappyDBXMultiple(c *C) {
+	s.testEFISecurebootUpdateDBPrepareHappyForKind(c, fdestate.EFISecurebootDBX, true)
 }
 
 func (s *systemSecurebootSuite) TestSecurebootRequestValidate(c *C) {
@@ -287,6 +313,14 @@ func (s *systemSecurebootSuite) TestSecurebootRequestValidate(c *C) {
 	}
 	c.Check(r.Validate(), ErrorMatches, `update payload not provided`)
 
+	r = daemon.SecurebootRequest{
+		Action:      "efi-secureboot-update-db-prepare",
+		Payload:     "MAo=",
+		Payloads:    []string{"MQo=", "Mgo="},
+		KeyDatabase: "DBX",
+	}
+	c.Check(r.Validate(), ErrorMatches, `both single payload and multiple payloads provided`)
+
 	// valid
 	for _, r := range []daemon.SecurebootRequest{{
 		Action:      "efi-secureboot-update-db-prepare",

diff --git a/daemon/export_api_system_secureboot_test.go b/daemon/export_api_system_secureboot_test.go
@@ -28,7 +28,7 @@ import (
 type SecurebootRequest = securebootRequest
 
 func MockFdestateEFISecurebootDBUpdatePrepare(
-	f func(st *state.State, db fdestate.EFISecurebootKeyDatabase, payload []byte) error,
+	f func(st *state.State, db fdestate.EFISecurebootKeyDatabase, payloads [][]byte) error,
 ) (restore func()) {
 	restore = testutil.Backup(&fdestateEFISecurebootDBUpdatePrepare)
 	fdestateEFISecurebootDBUpdatePrepare = f

diff --git a/go.mod b/go.mod
@@ -22,7 +22,7 @@ require (
 	github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb // old trusty builds only
 	github.com/seccomp/libseccomp-golang v0.9.2-0.20220502024300-f57e1d55ea18
 	github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785
-	github.com/snapcore/secboot v0.0.0-20260116095945-507475da2340
+	github.com/snapcore/secboot v0.0.0-20260129175210-e638825ef829
 	golang.org/x/crypto v0.23.0
 	golang.org/x/net v0.21.0 // indirect
 	golang.org/x/sys v0.21.0

diff --git a/go.sum b/go.sum
@@ -61,8 +61,8 @@ github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraK
 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ=
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066 h1:InG0EmriMOiI4YgtQNOo+6fNxzLCYioo3Q3BCVLdMCE=
 github.com/snapcore/maze.io-x-crypto v0.0.0-20190131090603-9b94c9afe066/go.mod h1:VuAdaITF1MrGzxPU+8GxagM1HW2vg7QhEFEeGHbmEMU=
-github.com/snapcore/secboot v0.0.0-20260116095945-507475da2340 h1:Djqa+9z3rnJE+cBdiWKCIa/pfc/VaroesvfP+EH9Ncs=
-github.com/snapcore/secboot v0.0.0-20260116095945-507475da2340/go.mod h1:BeEYaTJC4cqXVgpjjxajO31p2kVDvXwXJJx3YD7nCaE=
+github.com/snapcore/secboot v0.0.0-20260129175210-e638825ef829 h1:9qeADnUPs/YhO0tty+j2zxi9dUI2Bn96y9Nc9XOKTOk=
+github.com/snapcore/secboot v0.0.0-20260129175210-e638825ef829/go.mod h1:BeEYaTJC4cqXVgpjjxajO31p2kVDvXwXJJx3YD7nCaE=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 go.etcd.io/bbolt v1.3.9 h1:8x7aARPEXiXbHmtUwAIv7eV2fQFHrLLavdiJ3uzJXoI=
 go.etcd.io/bbolt v1.3.9/go.mod h1:zaO32+Ti0PK1ivdPtgMESzuzL2VPoIG1PCQNvOdo/dE=

diff --git a/interfaces/builtin/camera.go b/interfaces/builtin/camera.go
@@ -35,7 +35,7 @@ const cameraBaseDeclarationSlots = `
 
 const cameraConnectedPlugAppArmor = `
 # Until we have proper device assignment, allow access to all cameras
-###PROMPT### /dev/video[0-9]* rw,
+###PROMPT### /dev/video[0-9]* rwk,
 
 # VideoCore cameras (shared device with VideoCore/EGL)
 ###PROMPT### /dev/vchiq rw,
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin=p
		cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_setgid,cap_setuid,cap_sys_chroot,cap_sys_ptrace,cap_sys_admin,cap_sys_resource=p