[Bug 1129466] New: fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Bug ID: 1129466 Summary: fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed Classification: openSUSE Product: openSUSE Tumbleweed Version: Current Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Other Assignee: bnc-team-screening@forge.provo.novell.com Reporter: pujos.michael@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: ---
fwdupd 1.2.3-2.1 cannot update the BIOS on my laptop because of this error:
$fwupdmgr get-devices ... 20MBCTO1WW System Firmware DeviceId: 65b6a9dc7b7df18bdff003584b51bf21373e3aa6 Guid: 1e1fe415-74e8-49e1-9508-106b3d13d50d Guid: 230c8b18-8d9b-53ec-838b-6cfc0383493a Guid: 171800c9-1a51-5fd9-a32b-7b3999cb1c4e Plugin: uefi Flags: internal|require-ac|supported|registered|needs-reboot Version: 0.1.18 VersionLowest: 0.1.0 Icon: computer Created: 2019-03-15 UpdateError: /usr/lib/fwupd/efi/fwupdx64.efi.signed cannot be found
Apparently, if Secure Boot is enabled (my case and I believe TW default on UEFI installs), it looks for /usr/lib/fwupd/efi/fwupdx64.efi.signed.
This file is missing but it turns out that /usr/lib/fwupd/efi/fwupdx64.efi is present AND signed:
$pesign -S -i /usr/lib/fwupd/efi/fwupdx64.efi --------------------------------------------- certificate address is 0x7f0e55679f78 Content was not encrypted. Content is detached; signature cannot be verified. The signer's common name is openSUSE Secure Boot Signkey The signer's email address is build@opensuse.org Signing time: Tue Mar 05, 2019 There were certs or crls included. ---------------------------------------------
So the fix is simply so make a symlink and restart fwupd so it sees the change:
$ln -s /usr/lib/fwupd/fwupdx64.efi /usr/lib/fwupd/fwupdx64.efi.signed $systemctl restart fwupd
Then the error goes away in 'fwupdmgr get-devices' and you can supposedly update with 'fwupdmgr update' (didn't try it at updating the BIOS is rather scary and I do not absolutely need this update currently).
So I think the package should be updated to make the symlink (or rename the file if keeping fwupdx64.efi is unecessary).
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Michiel Janssens michiel@nexigon.net changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |michiel@nexigon.net
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c1
Gary Ching-Pang Lin glin@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |glin@suse.com
--- Comment #1 from Gary Ching-Pang Lin glin@suse.com --- We don't need fwupdx64.efi.signed since we always sign the binary. I will remove the suffix check.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c2
Gary Ching-Pang Lin glin@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Assignee|dimstar@opensuse.org |glin@suse.com
--- Comment #2 from Gary Ching-Pang Lin glin@suse.com --- Although removing the suffix check is easy, I decide to create a sym link in the end so that we don't have to maintain an extra patch afterward.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c3
Gary Ching-Pang Lin glin@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED
--- Comment #3 from Gary Ching-Pang Lin glin@suse.com --- The fix was released. Feel free to reopen this bug if the issue happens again.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c4
Frank Kr�ger fkrueger@mailbox.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED CC| |fkrueger@mailbox.org Resolution|FIXED |---
--- Comment #4 from Frank Kr�ger fkrueger@mailbox.org --- Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Frank Kr�ger fkrueger@mailbox.org changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |jlee@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c5
--- Comment #5 from Joey Lee jlee@suse.com --- Hi Frank,
(In reply to Frank Kr�ger from comment #4)
Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
Could you please provide the detail of your machine model and reproducing steps? I want to reference your environment to build up my development/test environment.
Thanks a lot!
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Joey Lee jlee@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Assignee|glin@suse.com |jlee@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Joey Lee jlee@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fkrueger@mailbox. | |org)
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c6
Frank Kr�ger fkrueger@mailbox.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fkrueger@mailbox. | |org) |
--- Comment #6 from Frank Kr�ger fkrueger@mailbox.org --- (In reply to Joey Lee from comment #5)
Hi Frank,
(In reply to Frank Kr�ger from comment #4)
Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
Could you please provide the detail of your machine model and reproducing steps? I want to reference your environment to build up my development/test environment.
ThinkPad T14 Gen 1 with AMD Ryzen 7 PRO 4750U. As I have already written, I have tried to install a local firmware-update file by using "sudo fwupmgr install <filename>", which stops with the above-mentioned error message. I then realized that the package fwupd-efi was not installed, i.e. /usr/libexec/fwupd/efi did not exist, even though I am running this machine with secure boot enabled for more than one year.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Luke Driscoll novell@driscollnewsletter.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |novell@driscollnewsletter.c | |om
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c12
Enno Gotthold egotthold@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |egotthold@suse.com Flags| |needinfo?(jlee@suse.com)
--- Comment #12 from Enno Gotthold egotthold@suse.com --- I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Ondrej Holecek oholecek@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |oholecek@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c13
--- Comment #13 from Frank Kr�ger fkrueger@mailbox.org --- Version 1.7.2 is available from OBS Base:System, but it seems that the aforementioned issue relatetd to fwupdx64.efi.signed hasn't been fixed yet. @joeyli: is there any progess in sight?
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c14
--- Comment #14 from Frank Kr�ger fkrueger@mailbox.org --- (In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c15
Joey Lee jlee@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(fkrueger@mailbox. | |org)
--- Comment #15 from Joey Lee jlee@suse.com --- Hi Frank,
(In reply to Frank Kr�ger from comment #14)
(In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
Sorry for my delay because I was stick on other issues.
Are you interested on fwupd/fwupd-efi? If so, then I can add you as maintainer on OBS.
Thanks!
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c16
Frank Kr�ger fkrueger@mailbox.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(fkrueger@mailbox. | |org) |
--- Comment #16 from Frank Kr�ger fkrueger@mailbox.org --- (In reply to Joey Lee from comment #15)
Hi Frank,
(In reply to Frank Kr�ger from comment #14)
(In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
Sorry for my delay because I was stick on other issues.
Are you interested on fwupd/fwupd-efi? If so, then I can add you as maintainer on OBS.
Thanks!
Unfortunately, I don't have the time. Maybe others here are interested.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466 http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c17
Frank Kr�ger fkrueger@mailbox.org changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|REOPENED |RESOLVED Resolution|--- |FIXED
--- Comment #17 from Frank Kr�ger fkrueger@mailbox.org --- Fixed with TW220220110 and fwupd-efi-1.1-2.1.x86_64. Closing.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466
Ludwig Nussel lnussel@suse.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |lnussel@suse.com
-
bugzilla_noreply@novell.com -
bugzilla_noreply@suse.com