[Bug 1129466] New: fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Bug ID: 1129466 Summary: fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening@forge.provo.novell.com Reporter: pujos.michael@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- fwdupd 1.2.3-2.1 cannot update the BIOS on my laptop because of this error: $fwupdmgr get-devices ... 20MBCTO1WW System Firmware DeviceId: 65b6a9dc7b7df18bdff003584b51bf21373e3aa6 Guid: 1e1fe415-74e8-49e1-9508-106b3d13d50d Guid: 230c8b18-8d9b-53ec-838b-6cfc0383493a Guid: 171800c9-1a51-5fd9-a32b-7b3999cb1c4e Plugin: uefi Flags: internal|require-ac|supported|registered|needs-reboot Version: 0.1.18 VersionLowest: 0.1.0 Icon: computer Created: 2019-03-15 UpdateError: /usr/lib/fwupd/efi/fwupdx64.efi.signed cannot be found Apparently, if Secure Boot is enabled (my case and I believe TW default on UEFI installs), it looks for /usr/lib/fwupd/efi/fwupdx64.efi.signed. This file is missing but it turns out that /usr/lib/fwupd/efi/fwupdx64.efi is present AND signed: $pesign -S -i /usr/lib/fwupd/efi/fwupdx64.efi --------------------------------------------- certificate address is 0x7f0e55679f78 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Tue Mar 05, 2019 There were certs or crls included. --------------------------------------------- So the fix is simply so make a symlink and restart fwupd so it sees the change: $ln -s /usr/lib/fwupd/fwupdx64.efi /usr/lib/fwupd/fwupdx64.efi.signed $systemctl restart fwupd Then the error goes away in 'fwupdmgr get-devices' and you can supposedly update with 'fwupdmgr update' (didn't try it at updating the BIOS is rather scary and I do not absolutely need this update currently). So I think the package should be updated to make the symlink (or rename the file if keeping fwupdx64.efi is unecessary). -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Michiel Janssens <michiel@nexigon.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |michiel@nexigon.net -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c1 Gary Ching-Pang Lin <glin@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |glin@suse.com --- Comment #1 from Gary Ching-Pang Lin <glin@suse.com> --- We don't need fwupdx64.efi.signed since we always sign the binary. I will remove the suffix check. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c2 Gary Ching-Pang Lin <glin@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|dimstar@opensuse.org |glin@suse.com --- Comment #2 from Gary Ching-Pang Lin <glin@suse.com> --- Although removing the suffix check is easy, I decide to create a sym link in the end so that we don't have to maintain an extra patch afterward. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c3 Gary Ching-Pang Lin <glin@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #3 from Gary Ching-Pang Lin <glin@suse.com> --- The fix was released. Feel free to reopen this bug if the issue happens again. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c4 Frank Kr�ger <fkrueger@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |fkrueger@mailbox.org Resolution|FIXED |--- --- Comment #4 from Frank Kr�ger <fkrueger@mailbox.org> --- Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found". First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Frank Kr�ger <fkrueger@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jlee@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c5 --- Comment #5 from Joey Lee <jlee@suse.com> --- Hi Frank, (In reply to Frank Kr�ger from comment #4)
Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
Could you please provide the detail of your machine model and reproducing steps? I want to reference your environment to build up my development/test environment. Thanks a lot! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Joey Lee <jlee@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Assignee|glin@suse.com |jlee@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Joey Lee <jlee@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fkrueger@mailbox. | |org) -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c6 Frank Kr�ger <fkrueger@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fkrueger@mailbox. | |org) | --- Comment #6 from Frank Kr�ger <fkrueger@mailbox.org> --- (In reply to Joey Lee from comment #5)
Hi Frank,
(In reply to Frank Kr�ger from comment #4)
Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
Could you please provide the detail of your machine model and reproducing steps? I want to reference your environment to build up my development/test environment. ThinkPad T14 Gen 1 with AMD Ryzen 7 PRO 4750U. As I have already written, I have tried to install a local firmware-update file by using "sudo fwupmgr install <filename>", which stops with the above-mentioned error message. I then realized that the package fwupd-efi was not installed, i.e. /usr/libexec/fwupd/efi did not exist, even though I am running this machine with secure boot enabled for more than one year.
-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Luke Driscoll <novell@driscollnewsletter.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |novell@driscollnewsletter.c | |om -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c12 Enno Gotthold <egotthold@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |egotthold@suse.com Flags| |needinfo?(jlee@suse.com) --- Comment #12 from Enno Gotthold <egotthold@suse.com> --- I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Ondrej Holecek <oholecek@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |oholecek@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c13 --- Comment #13 from Frank Kr�ger <fkrueger@mailbox.org> --- Version 1.7.2 is available from OBS Base:System, but it seems that the aforementioned issue relatetd to fwupdx64.efi.signed hasn't been fixed yet. @joeyli: is there any progess in sight? -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c14 --- Comment #14 from Frank Kr�ger <fkrueger@mailbox.org> --- (In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c15 Joey Lee <jlee@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fkrueger@mailbox. | |org) --- Comment #15 from Joey Lee <jlee@suse.com> --- Hi Frank, (In reply to Frank Kr�ger from comment #14)
(In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
Sorry for my delay because I was stick on other issues. Are you interested on fwupd/fwupd-efi? If so, then I can add you as maintainer on OBS. Thanks! -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c16 Frank Kr�ger <fkrueger@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fkrueger@mailbox. | |org) | --- Comment #16 from Frank Kr�ger <fkrueger@mailbox.org> --- (In reply to Joey Lee from comment #15)
Hi Frank,
(In reply to Frank Kr�ger from comment #14)
(In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
Sorry for my delay because I was stick on other issues.
Are you interested on fwupd/fwupd-efi? If so, then I can add you as maintainer on OBS.
Thanks!
Unfortunately, I don't have the time. Maybe others here are interested. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c17 Frank Kr�ger <fkrueger@mailbox.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |FIXED --- Comment #17 from Frank Kr�ger <fkrueger@mailbox.org> --- Fixed with TW220220110 and fwupd-efi-1.1-2.1.x86_64. Closing. -- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 Ludwig Nussel <lnussel@suse.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@suse.com -- You are receiving this mail because: You are on the CC list for the bug.
participants (2)
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com