Bug#1112464: fwupdmgr: "Secure boot is enabled, but shim isn't installed to EFI/systemd/shimx64.efi" when updating firmware

To: 1112464@bugs.debian.org
Subject: Bug#1112464: fwupdmgr: "Secure boot is enabled, but shim isn't installed to EFI/systemd/shimx64.efi" when updating firmware
From: Michael Tokarev <mjt@tls.msk.ru>
Date: Wed, 29 Oct 2025 13:38:02 +0300
Message-id: <[🔎] 1a36b90a-10dc-4551-91a9-b2817596b2f0@tls.msk.ru>
Reply-to: Michael Tokarev <mjt@tls.msk.ru>, 1112464@bugs.debian.org
In-reply-to: <175648671082.4642.11840801533319592946.reportbug@trixie>
References: <175648671082.4642.11840801533319592946.reportbug@trixie> <175648671082.4642.11840801533319592946.reportbug@trixie> <175648671082.4642.11840801533319592946.reportbug@trixie>

On Fri, 29 Aug 2025 18:58:30 +0200 Andreas <debian.org@schildbach.de> wrote:

Package: fwupd
Version: 2.0.8-3
Severity: important
X-Debbugs-Cc: debian.org@schildbach.de

Dear Maintainer,

I am trying to update the firmware on my Lenovo X280. It errors as follows:

```
$ fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade System Firmware from 0.1.57 to 0.1.58?                               ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Lenovo System Firmware Version 1.58                                          ║
║                                                                              ║
║ Important updates                                                            ║
║                                                                              ║
║ • Enhancement to address security vulnerabilities                            ║
║                                                                              ║
║ 20KES03000 must remain plugged into a power source for the duration of the   ║
║ update to avoid damage.                                                      ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Scheduling…              [                                       ]
failed to write-firmware: Secure boot is enabled, but shim isn't installed to EFI/systemd/shimx64.efi
```

Yes, shim isn't installed, on purpose as I'm using my own Secure Boot keys/certs. But I don't see how shim should be involved in an EFI capsule-based BIOS update.

On my system, shim-signed *is* installed.  However, fwupdmgr fails exactly
the same way, with the same error message.  This is because it expects
to work in EFI/systemd/, while debian installs things to EFI/debian/,
in particular, it is EFI/debian/shimx64.efi, not EFI/systemd/shimx64.efi.

Copying EFI/debian/shimx64.efi to EFI/systemd/shimx64.efi manually makes
it work.  But I don't think this is the right solution.

Thanks,

/mjt

Reply to:

Prev by Date: Bug#1089119: I can confirm this bug
Next by Date: fwupd_2.0.16-4_source.changes ACCEPTED into unstable
Previous by thread: Bug#1089119: I can confirm this bug
Next by thread: fwupd_2.0.16-4_source.changes ACCEPTED into unstable
Index(es):
- Date
- Thread