Bug#1032373: fwupd: Can't update in Secure Boot mode on Thinkpad Carbon X1 Gen5

Russell Coker

Mar 5, 2023, 7:20:04 AM
Package: fwupd
Version: 1.8.12-2
Severity: normal

I have a Thinkpad Carbon X1 Gen5 running Debian/Testing with the fwupd from
Unstable with Secure Boot enabled. I believe that we should get everything
working with Secure Boot enabled and to the largest extent possible have
Debian working with all security features.

When I install updates with the "fwupdmgr" program it looks like it is all
working well, the updates are installed and it prompts to reboot the system.

When I boot up I get a screen with white text on blue background saying
"Verification failed: (0x1A) Security Violation" which according to various
pages Google turns up means it's a secure boot issue.

I have the fwupd-amd64-signed package installed, but the version doesn't seem
to match, is there a problem with this?

# dpkg -l fwupd\*|grep ^ii
ii fwupd 1.8.12-2 amd64 Firmware update daemon
ii fwupd-amd64-signed 1:1.4+1 amd64 Tools to manage UEFI firmware updates (signed)
ii fwupdate 12-7 amd64 Transitional package for fwupd

-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-5-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages fwupd depends on:
ii adduser 3.131
ii libarchive13 3.6.2-1
ii libc6 2.36-8
ii libcbor0.8 0.8.0-2+b1
ii libcurl3-gnutls 7.88.1-1
ii libefiboot1 37-6
ii libflashrom1 1.3.0-2
ii libfwupd2 1.8.12-2
ii libgcab-1.0-0 1.5-1
ii libglib2.0-0 2.74.5-1
ii libgnutls30 3.7.9-1
ii libgudev-1.0-0 237-2
ii libgusb2 0.3.10-1
ii libjcat1 0.1.9-1
ii libjson-glib-1.0-0 1.6.6-1
ii liblzma5 5.4.1-0.2
ii libmbim-glib4 1.28.2-1
ii libmbim-proxy 1.28.2-1
ii libmm-glib0 1.20.4-1
ii libpolkit-gobject-1-0 122-3
ii libprotobuf-c1 1.4.1-1+b1
ii libqmi-glib5 1.32.2-1
ii libqmi-proxy 1.32.2-1
ii libsmbios-c2 2.4.3-1
ii libsqlite3-0 3.40.1-1
ii libsystemd0 252.5-2
ii libtss2-esys-3.0.2-0 3.2.1-3
ii libxmlb2 0.3.10-2
ii shared-mime-info 2.2-1

Versions of packages fwupd recommends:
pn bolt <none>
ii dbus 1.14.6-1
ii fwupd-amd64-signed [fwupd-signed] 1:1.4+1
pn jq <none>
ii python3 3.11.2-1
pn secureboot-db <none>
ii udisks2 2.9.4-4

Versions of packages fwupd suggests:
pn gir1.2-fwupd-2.0 <none>

-- Configuration Files:
/etc/fwupd/bios-settings.d/README.md [Errno 13] Permission denied: '/etc/fwupd/bios-settings.d/README.md'
/etc/fwupd/daemon.conf [Errno 13] Permission denied: '/etc/fwupd/daemon.conf'
/etc/fwupd/msr.conf [Errno 13] Permission denied: '/etc/fwupd/msr.conf'
/etc/fwupd/redfish.conf [Errno 13] Permission denied: '/etc/fwupd/redfish.conf'
/etc/fwupd/remotes.d/dell-esrt.conf [Errno 13] Permission denied: '/etc/fwupd/remotes.d/dell-esrt.conf'
/etc/fwupd/remotes.d/lvfs-testing.conf [Errno 13] Permission denied: '/etc/fwupd/remotes.d/lvfs-testing.conf'
/etc/fwupd/remotes.d/lvfs.conf [Errno 13] Permission denied: '/etc/fwupd/remotes.d/lvfs.conf'
/etc/fwupd/remotes.d/vendor-directory.conf [Errno 13] Permission denied: '/etc/fwupd/remotes.d/vendor-directory.conf'
/etc/fwupd/remotes.d/vendor.conf [Errno 13] Permission denied: '/etc/fwupd/remotes.d/vendor.conf'
/etc/fwupd/thunderbolt.conf [Errno 13] Permission denied: '/etc/fwupd/thunderbolt.conf'
/etc/fwupd/uefi_capsule.conf [Errno 13] Permission denied: '/etc/fwupd/uefi_capsule.conf'

-- no debconf information

Steve McIntyre

Mar 9, 2023, 4:40:05 PM
Hey Russell,

On Sun, Mar 05, 2023 at 11:11:18PM +1100, Russell Coker wrote:
>Package: fwupd
>Version: 1.8.12-2
>Severity: normal
>
>I have a Thinkpad Carbon X1 Gen5 running Debian/Testing with the fwupd from
>Unstable with Secure Boot enabled. I believe that we should get everything
>working with Secure Boot enabled and to the largest extent possible have
>Debian working with all security features.
>
>When I install updates with the "fwupdmgr" program it looks like it is all
>working well, the updates are installed and it prompts to reboot the system.
>
>When I boot up I get a screen with white text on blue background saying
>"Verification failed: (0x1A) Security Violation" which according to various
>pages Google turns up means it's a secure boot issue.

Yes, that sounds like a correct diagnosis.

>I have the fwupd-amd64-signed package installed, but the version doesn't seem
>to match, is there a problem with this?
>
># dpkg -l fwupd\*|grep ^ii
>ii fwupd 1.8.12-2 amd64 Firmware update daemon
>ii fwupd-amd64-signed 1:1.4+1 amd64 Tools to manage UEFI firmware updates (signed)
>ii fwupdate 12-7 amd64 Transitional package for fwupd

Nope, this should be fine. The fwupd folks moved the fwupd UEFI
support out into a separate source package a while back, hence the
distinct versioning. (Compare https://tracker.debian.org/pkg/fwupd
with https://tracker.debian.org/pkg/fwupd-efi).

I'm not sure what exactly might be happening here to cause your
problem. Could you run the following for me and report the output
please?

# find /boot/efi/ -type f | xargs sha256sum

I'd like to double-check exactly what things you have in the ESP...

--
Steve McIntyre, Cambridge, UK. st...@einval.com
Welcome my son, welcome to the machine.
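
Added example (not part of the original thread, and not fwupd or Debian code): a shell sketch that extends the ESP hash listing requested above by comparing every .efi file on the ESP against a directory of reference copies, such as the binaries unpacked from the signed package. Both directories are caller-supplied assumptions and the function names are hypothetical; a hash match only shows a file is byte-identical to a reference copy, it does not validate a Secure Boot signature.

```bash
#!/bin/sh
# Added example: inventory an EFI System Partition by SHA-256 and list the
# EFI binaries that are not byte-identical to any reference copy.
# ESP_DIR and REF_DIR are assumptions supplied by the caller.

# esp_inventory DIR
# Print "<sha256>  <relative path>" for every regular file under DIR,
# sorted by path so two runs can be compared with diff.
esp_inventory() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# esp_unmatched ESP_DIR REF_DIR
# Print the relative path of each *.efi / *.EFI file under ESP_DIR whose
# hash does not match any file under REF_DIR.
esp_unmatched() {
    esp=$1
    ref=$2
    # Unique set of hashes of the reference copies.
    ref_hashes=$(esp_inventory "$ref" | awk '{print $1}' | sort -u)
    esp_inventory "$esp" | while read -r hash path; do
        case "$path" in
            *.efi|*.EFI) ;;      # only EFI binaries are compared
            *) continue ;;       # skip grub.cfg, capsules, fonts, ...
        esac
        if ! printf '%s\n' "$ref_hashes" | grep -qx "$hash"; then
            printf '%s\n' "$path"
        fi
    done
}

# Stand-alone use: sh esp-check.sh /boot/efi REF_DIR
if [ "$#" -eq 2 ]; then
    esp_unmatched "$1" "$2"
fi
```

A path printed by esp_unmatched is a candidate for the binary the boot chain refuses to verify: a stale or unsigned copy left on the ESP rather than the packaged signed one.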