Bug ID 1129466
Summary fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed
Classification openSUSE
Product openSUSE Tumbleweed
Version Current
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Other
Assignee bnc-team-screening@forge.provo.novell.com
Reporter pujos.michael@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker ---

fwupd 1.2.3-2.1 cannot update the BIOS on my laptop because of this error:

$ fwupdmgr get-devices
...
20MBCTO1WW System Firmware
  DeviceId:             65b6a9dc7b7df18bdff003584b51bf21373e3aa6
  Guid:                 1e1fe415-74e8-49e1-9508-106b3d13d50d
  Guid:                 230c8b18-8d9b-53ec-838b-6cfc0383493a
  Guid:                 171800c9-1a51-5fd9-a32b-7b3999cb1c4e
  Plugin:               uefi
  Flags:                internal|require-ac|supported|registered|needs-reboot
  Version:              0.1.18
  VersionLowest:        0.1.0
  Icon:                 computer
  Created:              2019-03-15
  UpdateError:          /usr/lib/fwupd/efi/fwupdx64.efi.signed cannot be found


Apparently, if Secure Boot is enabled (my case and I believe TW default on UEFI
installs), it looks for /usr/lib/fwupd/efi/fwupdx64.efi.signed.

This file is missing but it turns out that /usr/lib/fwupd/efi/fwupdx64.efi is
present AND signed:

$ pesign -S -i /usr/lib/fwupd/efi/fwupdx64.efi
---------------------------------------------
certificate address is 0x7f0e55679f78
Content was not encrypted.
Content is detached; signature cannot be verified.
The signer's common name is openSUSE Secure Boot Signkey
The signer's email address is build@opensuse.org
Signing time: Tue Mar 05, 2019
There were certs or crls included.
---------------------------------------------

So the fix is simply to make a symlink and restart fwupd so it sees the change:

$ ln -s /usr/lib/fwupd/efi/fwupdx64.efi /usr/lib/fwupd/efi/fwupdx64.efi.signed
$ systemctl restart fwupd

Then the error goes away in 'fwupdmgr get-devices' and you can supposedly
update with 'fwupdmgr update' (didn't try it as updating the BIOS is rather
scary and I do not absolutely need this update currently).

So I think the package should be updated to make the symlink (or rename the
file if keeping fwupdx64.efi is unnecessary).
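
Added diagnostic sketch (not part of the original report and not fwupd or openSUSE code): it reads the Secure Boot state from efivarfs and flags any fwupd*.efi that has no .efi.signed sibling, the condition behind the UpdateError above. The function names and return codes are hypothetical; the lookup of the .efi.signed name under Secure Boot is assumed from the report.

```shell
#!/bin/sh
# Added diagnostic sketch; function names and return codes are illustrative.

# SecureBoot variable in the EFI global variable namespace (UEFI specification).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [FILE]: print "enabled", "disabled" or "unknown".
# An efivarfs file is 4 attribute bytes followed by the data; for SecureBoot
# the data is a single byte, 1 when Secure Boot is on.
secure_boot_state() {
    var=${1:-$SB_VAR}
    [ -r "$var" ] || { echo unknown; return 0; }
    byte=$(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n')
    case $byte in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# check_fwupd_efi DIR STATE: print a finding for each fwupd*.efi in DIR.
# Returns 1 if Secure Boot is enabled and a .efi.signed sibling is missing,
# 2 if DIR holds no fwupd EFI binary at all, 0 otherwise.
check_fwupd_efi() {
    dir=$1 state=$2 rc=0 found=0
    for efi in "$dir"/fwupd*.efi; do
        [ -e "$efi" ] || continue
        found=1
        if [ -e "$efi.signed" ]; then
            echo "ok: $efi.signed present"
        elif [ "$state" = enabled ]; then
            echo "missing: $efi.signed (Secure Boot enabled)"
            rc=1
        else
            echo "note: $efi.signed absent (Secure Boot $state)"
        fi
    done
    [ "$found" -eq 1 ] || { echo "no fwupd*.efi in $dir"; rc=2; }
    return $rc
}

# Check the live system only when invoked with the argument "run".
if [ "${1:-}" = run ]; then
    check_fwupd_efi /usr/lib/fwupd/efi "$(secure_boot_state)"
fi
```

A present .efi.signed file only satisfies the name lookup; the signature itself is still checked separately, as with the pesign call above.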
