[Bug 1129466] New: fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466

Bug ID: 1129466
Summary: fwupd cannot update BIOS with UEFI Secure Boot enabled because of missing fwupdx64.efi.signed
Classification: openSUSE
Product: openSUSE Tumbleweed
Version: Current
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: pujos.michael@gmail.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

fwupd 1.2.3-2.1 cannot update the BIOS on my laptop because of this error:

    $ fwupdmgr get-devices
    ...
    20MBCTO1WW System Firmware
      DeviceId: 65b6a9dc7b7df18bdff003584b51bf21373e3aa6
      Guid: 1e1fe415-74e8-49e1-9508-106b3d13d50d
      Guid: 230c8b18-8d9b-53ec-838b-6cfc0383493a
      Guid: 171800c9-1a51-5fd9-a32b-7b3999cb1c4e
      Plugin: uefi
      Flags: internal|require-ac|supported|registered|needs-reboot
      Version: 0.1.18
      VersionLowest: 0.1.0
      Icon: computer
      Created: 2019-03-15
      UpdateError: /usr/lib/fwupd/efi/fwupdx64.efi.signed cannot be found

Apparently, if Secure Boot is enabled (my case and I believe TW default on UEFI installs), it looks for /usr/lib/fwupd/efi/fwupdx64.efi.signed. This file is missing but it turns out that /usr/lib/fwupd/efi/fwupdx64.efi is present AND signed:

    $ pesign -S -i /usr/lib/fwupd/efi/fwupdx64.efi
    ---------------------------------------------
    certificate address is 0x7f0e55679f78
    Content was not encrypted.
    Content is detached; signature cannot be verified.
    The signer's common name is openSUSE Secure Boot Signkey
    The signer's email address is build@opensuse.org
    Signing time: Tue Mar 05, 2019
    There were certs or crls included.
    ---------------------------------------------

So the fix is simply to make a symlink and restart fwupd so it sees the change:

    $ ln -s /usr/lib/fwupd/efi/fwupdx64.efi /usr/lib/fwupd/efi/fwupdx64.efi.signed
    $ systemctl restart fwupd

Then the error goes away in 'fwupdmgr get-devices' and you can supposedly update with 'fwupdmgr update' (didn't try it as updating the BIOS is rather scary and I do not absolutely need this update currently). So I think the package should be updated to make the symlink (or rename the file if keeping fwupdx64.efi is unnecessary).

-- You are receiving this mail because: You are on the CC list for the bug.
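Before fwupdx64.efi is linked as fwupdx64.efi.signed, it is worth confirming that the file really carries an embedded signature, which is what the pesign output in the report shows. The following is an added example, not part of the bug report or of fwupd: it checks a PE/EFI image for a Certificate Table entry. The function names and the sample bytes are constructed for illustration, and the check covers presence only, not the signer or the chain.

```python
import struct
import sys

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the PE Certificate Table

def pe_signature_table(data: bytes):
    """Return (file_offset, size) of the embedded signature blob, or None.

    Presence only: verifying the signer still needs pesign or sbverify.
    Raises ValueError when data is not a PE image.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt_off = pe_off + 4 + 20              # PE magic + COFF file header
        (magic,) = struct.unpack_from("<H", data, opt_off)
        if magic not in (0x10B, 0x20B):
            raise ValueError("unknown optional header magic")
        dirs_off = opt_off + (112 if magic == 0x20B else 96)  # PE32+ / PE32
        (count,) = struct.unpack_from("<I", data, dirs_off - 4)
        if count <= SECURITY_DIR:
            return None
        off, size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR)
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    if off == 0 or size == 0 or off + size > len(data):
        return None                            # unsigned, or table out of bounds
    return off, size

def sample_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header for the demo, not a real EFI binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = bytearray(16 * 8)
    blob = b"\0" * 16 if signed else b""       # placeholder bytes, not a signature
    if signed:
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR, 328, len(blob))
    return dos + b"PE\0\0" + coff + opt + bytes(dirs) + blob

if __name__ == "__main__":
    # Pass the path of the EFI binary, e.g. /usr/lib/fwupd/efi/fwupdx64.efi
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pe(True)
    print("signature table:", pe_signature_table(image))
```

A result of None means the binary has no embedded signature, so linking it as .signed would only silence fwupd's check while the image would still fail Secure Boot verification at boot.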
Michiel Janssens
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c1
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c2
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c3
Gary Ching-Pang Lin
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c4
Frank Krüger
Frank Krüger
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c5
--- Comment #5 from Joey Lee
Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
Could you please provide the detail of your machine model and reproducing steps? I want to reference your environment to build up my development/test environment. Thanks a lot!
Joey Lee
Joey Lee
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c6
Frank Krüger
Hi Frank,
(In reply to Frank Krüger from comment #4)
Given TW20211102 with secure boot enabled, 'sudo fwupdmgr install <filename>' results in an error message: "missing signed bootloader for secure boot: /usr/libexec/fwupd/efi/fwupdx64.efi.signed cannot be found".
First of all, I had to install fwupd-efi-1.1-1.1.x86_64 manually. Second, this package only provides fwupdx64.efi rather than fwupdx64.efi.signed in /usr/libexec/fwupd/efi/. As a workaround a symbolic link solves the issue.
Could you please provide the detail of your machine model and reproducing steps? I want to reference your environment to build up my development/test environment.

ThinkPad T14 Gen 1 with AMD Ryzen 7 PRO 4750U. As I have already written, I have tried to install a local firmware-update file by using "sudo fwupdmgr install <filename>", which stops with the above-mentioned error message. I then realized that the package fwupd-efi was not installed, i.e. /usr/libexec/fwupd/efi did not exist, even though I have been running this machine with secure boot enabled for more than one year.
Luke Driscoll
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c12
Enno Gotthold
Ondrej Holecek
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c13
--- Comment #13 from Frank Krüger
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c14
--- Comment #14 from Frank Krüger
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c15
Joey Lee
(In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
Sorry for my delay because I was stuck on other issues. Are you interested in fwupd/fwupd-efi? If so, then I can add you as maintainer on OBS. Thanks!
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c16
Frank Krüger
Hi Frank,
(In reply to Frank Krüger from comment #14)
(In reply to Enno Gotthold from comment #12)
I also came across this bug today. This is still not fixed. If you find it acceptable I can submit creating the symlink during the build.
I have just seen request https://build.opensuse.org/request/show/929754 to readd the symlink to fwupd-efi, which was submitted two months ago and accepted a couple of hours ago. Wow!
Sorry for my delay because I was stuck on other issues.
Are you interested in fwupd/fwupd-efi? If so, then I can add you as maintainer on OBS.
Thanks!
Unfortunately, I don't have the time. Maybe others here are interested.
http://bugzilla.opensuse.org/show_bug.cgi?id=1129466#c17
Frank Krüger
Ludwig Nussel