secboot: bump to rev cdcb64992e54 for FDE fixes

[ernestl]

The secboot bump brings in the following FDE fixes for Resolute Installer:

canonical/secboot#515
canonical/secboot#514
canonical/secboot#521

Furthermore also canonical/secboot#529 to fix checkHostSecurity signature as used for arm64 builds.

The following fixes are still outstanding
canonical/secboot#513
canonical/secboot#516

[github-actions]

Fri Mar 20 20:08:14 UTC 2026
The following results are from: https://github.com/canonical/snapd/actions/runs/23349012444

Failures:

Executing:

• openstack:debian-12-64:tests/main/snapd-state
• openstack-ext:ubuntu-26.04-64:tests/nested/manual/minimal-smoke:secboot_disabled
• openstack-ext:ubuntu-26.04-64:tests/nested/manual/minimal-smoke:secboot_enabled
• openstack:ubuntu-20.04-64:tests/main/bad-meta-file-types
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_safer
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_deny_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:timespan_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_single_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_conflict
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:timespan_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_actioned_by_other_pid_always_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_read_multiple_actioned_by_other_pid_allow_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_not_actioned_by_other_pid_single_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:write_single_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:read_single_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:read_single_allow
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:create_multiple_deny
• openstack:ubuntu-24.04-64:tests/main/apparmor-prompting-integration-tests:download_file_defaults

Skipped tests from snapd-testing-skip

• openstack:ubuntu-24.04-64:tests/main/i18n

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.57%. Comparing base (929566d) to head (3736554).
⚠️ Report is 14 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master   #16795   +/-   ##
=======================================
  Coverage   77.56%   77.57%           
=======================================
  Files        1363     1363           
  Lines      188394   188452   +58     
  Branches     2446     2446           
=======================================
+ Hits       146131   146189   +58     
+ Misses      33444    33437    -7     
- Partials     8819     8826    +7     

Flag	Coverage Δ
unittests	77.57% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[bboozzoo]

Can you amend the commit message to include this:

Bump secboot to rev cdcb64992e54 to include the following fixes:

canonical/secboot#515 make sure to interpret bit 30 of HSTS6 correctly
canonical/secboot#514 policy check for degraded firmware shouldn't fail on unexpected event types
canonical/secboot#521 do not fail on unknown vendor defined event types in the TCG log

as some indication of what is included in the bump

[ernestl]

Can you amend the commit message to include this:

Bump secboot to rev cdcb64992e54 to include the following fixes:

canonical/secboot#515 make sure to interpret bit 30 of HSTS6 correctly
canonical/secboot#514 policy check for degraded firmware shouldn't fail on unexpected event types
canonical/secboot#521 do not fail on unknown vendor defined event types in the TCG log

as some indication of what is included in the bump

Good idea, will do this in during squash merge and also add that there are other changes.