
Bug#990447: fwupdmgr: Unable to install new updates


Salvatore Bonaccorso

Jun 29, 2021, 8:10:04 AM

Package: fwupd
Version: 1.5.7-4
Severity: normal
X-Debbugs-Cc: car...@debian.org

Hi

I'm not entirely sure how to tackle this problem; for some time I've been
unable to install updates available through fwupdmgr. Secure
boot is enabled, and in BIOS the 'boot order lock' *is* disabled.

Though on every update the firmware gets downloaded, the capsules are
put in /boot/efi/EFI/debian/fw and a reboot is requested (and even when choosing
the Linux Firmware Update manually), the firmware(s) are not updated.

The get-history command reflects that:

----cut---------cut---------cut---------cut---------cut---------cut-----
20KGS05200

├─LENSE30512GMSP34MEAT3TA:
│ │ Device ID: 04e17fcf7d3de91da49a163ffe4907855c3648be
│ │ Previous version: 1.4.0412
│ │ Update State: Success
│ │ Last modified: 2020-10-01 23:11
│ │ GUID: 124c38ac-0100-5a50-aac8-89602d99769f
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • System requires external power source
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Reported to remote server
│ │ • Device is usable for the duration of the update
│ │
│ └─LENSE30512GMSP34MEAT3TA Device Update:
│ New version: 2.5.0412
│ Remote ID: lvfs
│ Summary: Unionmemory LENSE30512GMSP34MEAT3TA NVMe SSD Firmware for Lenovo PC
│ License: Proprietary
│ Size: 588.8 kB
│ Created: 2016-07-08
│ Urgency: High
│ Vendor: Unionmemory
│ Description:
│ Do NOT turn off your computer or remove the AC adapter while update is in progress.

│ The computer shall be restarted after updating firmware completely. The device may not properly function until you shut down or reboot PC

│ Supported devices and firmware version : Unionmemory LENSE30512GMSP34MEAT3TA-512G-2.5.0412

│ Supported Product Scope : Lenovo ThinkPad, ThinkCentre, ThinkStation, IdeaCentre

├─Embedded Controller:
│ │ Device ID: 9698faabddf0d7b18925cfbbda95f8b0d0dacc53
│ │ Previous version: 0.1.8
│ │ Update State: Success
│ │ Last modified: 2020-11-17 16:05
│ │ GUID: 3babca5f-b2bf-4f4b-a72e-2bdc84eb4019
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • System requires external power source
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Reported to remote server
│ │ • Device is usable for the duration of the update
│ │
│ └─ThinkPad X1 Carbon 6th Embedded Controller Update:
│ New version: 0.1.22
│ Remote ID: lvfs
│ Summary: Lenovo ThinkPad X1 Carbon 6th Embedded Controller Firmware
│ License: Proprietary
│ Size: 767.1 kB
│ Created: 2016-07-08
│ Urgency: High
│ Vendor: Lenovo Ltd.
│ Description:
│ Lenovo ThinkPad X1 Carbon 6th Embedded Controller Firmware

│ Fixed an issue where ThinkVision T24m-10 monitor might not connected properly.

├─UEFI Device Firmware:
│ │ Device ID: 9e329270a7a68d289c82fe77d32d02208ddf0890
│ │ Previous version: 0.73.4
│ │ Update State: Success
│ │ Last modified: 2021-04-27 20:27
│ │ GUID: cea87551-1701-43fb-afbc-6e8ce9728345
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • System requires external power source
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Reported to remote server
│ │ • Device is usable for the duration of the update
│ │
│ └─ThinkPad X1 Carbon 6th System Update:
│ New version: 0.73.20
│ Remote ID: lvfs
│ Summary: Lenovo ThinkPad X1 Carbon 6th STM TPM Firmware
│ License: Proprietary
│ Size: 439.6 kB
│ Created: 2020-03-03
│ Urgency: High
│ Vendor: Lenovo Ltd.
│ Description:
│ Lenovo ThinkPad X1 Carbon 6th STM TPM Firmware Version 73.20

│ • Do NOT turn off your computer or remove the AC adaptor while update is in progress

├─Intel Management Engine:
│ │ Device ID: e563ad307df81c99f0de8c26292afd71cf409673
│ │ Previous version: 184.83.3874
│ │ Update State: Failed
│ │ Update Error: failed to run update on reboot
│ │ Last modified: 2021-06-29 11:45
│ │ GUID: 42a0a96e-c9f3-438f-9687-7826be33e4ce
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • System requires external power source
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Device is usable for the duration of the update
│ │
│ └─ThinkPad X1 Carbon 6th Corporate ME Update:
│ New version: 184.86.3909
│ Remote ID: lvfs
│ Summary: Lenovo ThinkPad X1 Carbon 6th Corporate ME Firmware
│ License: Proprietary
│ Size: 7.5 MB
│ Created: 2016-07-08
│ Urgency: High
│ Details: https://pcsupport.lenovo.com/de/en/search?query=N23RM17W
│ Vendor: Lenovo Ltd.
│ Flags: is-upgrade
│ Description:
│ Lenovo ThinkPad X1 Carbon 6th ME Firmware Version 11.8.86.3909(LVFS: 184.86.3909)

│ The computer will be restarted automatically after updating completely. Do NOT turn off your computer or remove the AC adaptor while update is in progress.

│ This stable release fixes the following issues:

│ • Intel CSME IPU 2021.1:

│ Addressed several critical security vulnerabilities.

└─System Firmware:
│ Device ID: 1c53551e7da69d896138fac1ae131c83ad46d923
│ Previous version: 0.1.50
│ Update State: Failed
│ Update Error: failed to run update on reboot
│ Last modified: 2021-06-29 11:47
│ GUID: a4b51dca-8f97-4310-8821-3330f83c9135
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Cryptographic hash verification is available
│ • Device is usable for the duration of the update

└─ThinkPad X1 Carbon 6th System Update:
New version: 0.1.51
Remote ID: lvfs
Summary: Lenovo ThinkPad X1 Carbon 6th System Firmware
License: Proprietary
Size: 9.5 MB
Created: 2016-07-08
Urgency: High
Vendor: Lenovo Ltd.
Flags: is-upgrade
Description:
Lenovo ThinkPad X1 Carbon 6th System Firmware

• Fixed an security issue.
• Update Version 04.17.000 code of FIT's InROM diagnostics.
----cut---------cut---------cut---------cut---------cut---------cut-----

Any idea how to untangle this? Which information would be helpful if
you direct me to fwupd upstream (happy to put it there, but
I'm currently a bit lost on how to tackle these update loops, as the
most common suggestion is to disable boot order lock, which *is*
disabled).

Regards,
Salvatore

-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages fwupd depends on:
ii libc6 2.31-12
ii libcurl3-gnutls 7.74.0-1.3
ii libefiboot1 37-6
ii libelf1 0.183-3
ii libflashrom1 1.2-5
ii libfwupd2 1.5.7-4
ii libfwupdplugin1 1.5.7-4
ii libglib2.0-0 2.66.8-1
ii libgnutls30 3.7.1-5
ii libgudev-1.0-0 234-1
ii libgusb2 0.3.5-1
ii libjcat1 0.1.3-2
ii libjson-glib-1.0-0 1.6.2-1
ii libpolkit-gobject-1-0 0.105-31
ii libsmbios-c2 2.4.3-1
ii libsqlite3-0 3.34.1-3
ii libsystemd0 247.3-5
ii libtss2-esys-3.0.2-0 3.0.3-2
ii libxmlb1 0.1.15-2
ii shared-mime-info 2.0-1

Versions of packages fwupd recommends:
pn bolt <none>
ii dbus 1.12.20-2
ii fwupd-amd64-signed [fwupd-signed] 1.5.7+4
ii python3 3.9.2-3
pn secureboot-db <none>
ii udisks2 2.9.2-2

Versions of packages fwupd suggests:
pn gir1.2-fwupd-2.0 <none>

-- Configuration Files:
/etc/fwupd/remotes.d/lvfs-testing.conf changed:
[fwupd Remote]
Enabled=false
Title=Linux Vendor Firmware Service (testing)
MetadataURI=https://cdn.fwupd.org/downloads/firmware-testing.xml.gz
ReportURI=
Username=
Password=
OrderBefore=lvfs,fwupd
AutomaticReports=false
ApprovalRequired=false


-- no debconf information

Salvatore Bonaccorso

Jun 30, 2021, 8:40:04 AM

Hi,
Interesting datapoint: I experimented further, and disabled secure
boot. After that I was able to install those updates.

Does that possibly ring some bell?

Regards,
Salvatore

Ansgar

Jun 30, 2021, 5:40:03 PM

Salvatore Bonaccorso writes:
> On Tue, Jun 29, 2021 at 02:04:47PM +0200, Salvatore Bonaccorso wrote:
>> Package: fwupd
>> Version: 1.5.7-4
[...]
> Interesting datapoint: I experimented further, and disabled secure
> boot. After that I was able to install those updates.
>
> Does that possibly ring some bell?

I have no idea about fwupd, but if disabling secure boot works: I would
check if the fwupd binaries in /boot/efi/EFI/debian are outdated for
some reason. fwupd-amd64-signed switched to a new signing key with
1.5.7+3 and the old key should be revoked.

Ansgar

Julian Andres Klode

Jul 1, 2021, 7:10:03 AM

Control: reassign -1 shim
Control: affects -1 fwupd
shim 15.4 does not support loading fwupd. Patches in discussion to fix
this (or rather pending discussion...):

https://github.com/rhboot/shim/pull/379
https://github.com/rhboot/shim/pull/381

I am running the former and will submit it on the Ubuntu side for
signing soon, and then push it into development release ASAP next
week and then down the lines.

The reason it works if you disable secure boot is that fwupdmgr
installs a different boot entry that does not use shim, which
causes this confusion:

https://bugs.launchpad.net/ubuntu/+source/fwupd/+bug/1931213

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en

Phil Dibowitz

Feb 1, 2023, 6:50:04 PM

I'm also unable to update to the latest uefi-dbx:

```
$ fwupdmgr update
...
Blocked executable in the ESP, ensure grub and shim are up to date:
/boot/EFI/EFI/debian/shimx64.efi Authenticode checksum
[af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee767] is
present in dbx
```

I am on the latest shims though:

```
root@rider:/boot/EFI/EFI/debian# dpkg -l | awk '/ shim/ {print $1" "$2"\t\t"$3}'
ii node-set-immediate-shim 2.0.0-2
ii shim-helpers-amd64-signed 1+15.6+1
ii shim-signed:amd64 1.38+15.4-7
ii shim-signed-common 1.38+15.4-7
ii shim-unsigned 15.7-1
```

And I've run `grub-install` with my EFI dir mounted. What's interesting
is the version in EFI is different than the version staged by the package:

```
# sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
47979 918 /usr/lib/shim/shimx64.efi
36147 913 /boot/EFI/EFI/debian/shimx64.efi
```

I even explicitly ran it with `--uefi-secure-boot` to ensure it installs
the shim binary.

--
Phil Dibowitz ph...@ipom.com
Open Source software and tech docs Insanity Palace of Metallica
http://www.phildev.net/ http://www.ipom.com/

"Be who you are and say what you feel, because those who mind don't
matter and those who matter don't mind."
- Dr. Seuss

Phil Dibowitz

Feb 2, 2023, 11:30:04 AM

On 2/1/23 23:31, Pascal Hambourg wrote:
> On 02/02/2023 at 00:33, Phil Dibowitz wrote:
>>
>> And I've run `grub-install` with my EFI dir mounted. What's
>> interesting is the version in EFI is different than the version staged
>> by the package:
>>
>> ```
>> # sum /usr/lib/shim/shimx64.efi /boot/EFI/EFI/debian/shimx64.efi
>> 47979   918 /usr/lib/shim/shimx64.efi
>> 36147   913 /boot/EFI/EFI/debian/shimx64.efi
>> ```
>
> You must compare with /usr/lib/shim/shimx64.efi.signed from shim-signed.

Ah, thanks. At least I know I did the grub-install right:

```
$ sum /usr/lib/shim/shimx64.efi.signed /boot/EFI/EFI/debian/shimx64.efi
36147 913 /usr/lib/shim/shimx64.efi.signed
36147 913 /boot/EFI/EFI/debian/shimx64.efi
```

So I guess that means that the shimx64.efi that's distributed with
shim-signed is, in fact, vulnerable, as proposed in the original bug.

Any timeline on updating it?
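The checksum that fwupdmgr reports as "present in dbx" in the posts above is a PE Authenticode hash, not the plain digest of the file, so `sum` or `sha256sum` over the ESP copy will never reproduce it. The following is an added example, not code from this thread or from fwupd or shim: a small Authenticode SHA-256 hasher plus a constructed toy PE32+ image used only to exercise it; the ESP and package paths from the posts above (/boot/EFI/EFI/debian/shimx64.efi, /usr/lib/shim/shimx64.efi.signed) are the intended real inputs.

```python
"""Authenticode SHA-256 of a PE/EFI binary, the value UEFI dbx entries carry."""
import hashlib
import struct


def authenticode_sha256(data: bytes) -> str:
    """Hash the image as Authenticode does: everything except the CheckSum field,
    the Certificate Table directory entry and the certificate blob itself."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                    # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe + 4
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, coff + 2)
    opt = coff + 20
    dirs = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # PE32 vs PE32+
    checksum_off, certdir_off = opt + 64, opt + dirs + 4 * 8        # dir index 4 = certificates
    cert_off, cert_size = struct.unpack_from("<II", data, certdir_off)
    hdr_size = struct.unpack_from("<I", data, opt + 60)[0]           # SizeOfHeaders
    h = hashlib.sha256()
    h.update(data[:checksum_off])
    h.update(data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:hdr_size])
    hashed, secs = hdr_size, []
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if raw_size:
            secs.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(secs):                          # ascending file offset
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    if cert_size:                                                   # trailing data minus the signature
        h.update(data[hashed:cert_off] + data[cert_off + cert_size:])
    else:
        h.update(data[hashed:])
    return h.hexdigest()


def build_minimal_pe(section: bytes, checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed toy PE32+ image (one section, no real code), only to exercise the hasher."""
    hdr_size = 0x200
    opt = bytearray(240)                                            # PE32+ optional header, 16 dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 60, hdr_size, checksum)            # SizeOfHeaders, CheckSum
    if cert:                                                        # Certificate Table: offset, size
        struct.pack_into("<II", opt, 112 + 4 * 8, hdr_size + len(section), len(cert))
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section), 0x1000, len(section), hdr_size, 0, 0, 0, 0, 0x60000020)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    head = (bytes(dos) + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return head + section + cert
```

Feed `authenticode_sha256(open(path, "rb").read())` both the ESP copy and the package's `.signed` file: matching values confirm grub-install copied the right binary, and a value equal to the hash fwupdmgr printed confirms that binary is the one dbx blocks.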