Bug#1112464: fwupdmgr: "Secure boot is enabled, but shim isn't installed to EFI/systemd/shimx64.efi" when updating firmware
Package: fwupd
Version: 2.0.8-3
Severity: important
X-Debbugs-Cc: debian.org@schildbach.de
Dear Maintainer,
I am trying to update the firmware on my Lenovo X280. It errors as follows:
```
$ fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade System Firmware from 0.1.57 to 0.1.58? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Lenovo System Firmware Version 1.58 ║
║ ║
║ Important updates ║
║ ║
║ • Enhancement to address security vulnerabilities ║
║ ║
║ 20KES03000 must remain plugged into a power source for the duration of the ║
║ update to avoid damage. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Scheduling… [ ]
failed to write-firmware: Secure boot is enabled, but shim isn't installed to EFI/systemd/shimx64.efi
```
Yes, shim isn't installed, on purpose, as I'm using my own Secure Boot keys/certs. But I don't see how shim should be involved in an EFI capsule-based BIOS update.
Note that fwupdmgr managed to at least write the capsule to the ESP:
```
$ sudo tree /boot/efi/EFI/systemd/fw
/boot/efi/EFI/systemd/fw
├── fwupd-3b8c8162-188c-46a4-aec9-be43f1d65697.cap
└── fwupd-508f7539-1ad6-48b9-8680-38377535009d.cap
1 directory, 2 files
```
I'd expect some success message and a prompt to reboot my machine, so that the UEFI BIOS can update the BIOS.
Cheers,
Andreas
-- System Information:
Debian Release: 13.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.41+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages fwupd depends on:
ii libarchive13t64 3.7.4-4
ii libblkid1 2.41-5
ii libc6 2.41-12
ii libcbor0.10 0.10.2-2
ii libcurl3t64-gnutls 8.14.1-2
ii libdrm-amdgpu1 2.4.124-2
ii libdrm2 2.4.124-2
ii libflashrom1 1.4.0-3
ii libfwupd3 2.0.8-3
ii libglib2.0-0t64 2.84.3-1
ii libgnutls30t64 3.8.9-3
ii libjcat1 0.2.3-1
ii libjson-glib-1.0-0 1.10.6+ds-2
ii liblzma5 5.8.1-1
ii libmbim-glib4 1.32.0-1
ii libmbim-proxy 1.32.0-1
ii libmm-glib0 1.24.0-1
ii libpolkit-gobject-1-0 126-2
ii libprotobuf-c1 1.5.1-1
ii libqmi-glib5 1.36.0-1
ii libqmi-proxy 1.36.0-1
ii libsqlite3-0 3.46.1-7
ii libsystemd0 257.7-1
ii libtss2-esys-3.0.2-0t64 4.1.3-1.2
ii libusb-1.0-0 2:1.0.28-1
ii libxmlb2 0.3.22-1
ii shared-mime-info 2.4-5+b2
ii systemd [systemd-sysusers] 257.7-1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
Versions of packages fwupd recommends:
ii bolt 0.9.8-1
ii dbus [default-dbus-system-bus] 1.16.2-2
ii fwupd-amd64-signed [fwupd-signed] 1:1.7+1
ii jq 1.7.1-6+deb13u1
ii python3 3.13.5-1
ii udisks2 2.10.1-12.1+deb13u1
Versions of packages fwupd suggests:
pn gir1.2-fwupd-2.0 <none>
-- Configuration Files:
/etc/fwupd/fwupd.conf [Errno 13] Permission denied: '/etc/fwupd/fwupd.conf'
-- no debconf information