[Bug 2071940] [NEW] Cannot update Lenovo firmware with TPM enabled encryption
Bartosz Woronicz
2071940 at bugs.launchpad.net
Thu Jul 4 14:46:19 UTC 2024
Public bug reported:
So basically updating firmware with TPM enabled installation for full
disk encryption is impossible as it relies on shim to be installed in
EFI.
Is it a known limitation? When will it be fixed?
Is there any workaround? Maybe running firmware update from EFI shell?
mastier@earl:~$ sudo fwupdmgr get-upgrades
Devices with no available firmware updates:
• ELAN0677:00 04F3:3196
• Integrated Camera
• Prometheus IOTA Config
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• Embedded Controller
• KXG8AZNV1T02 LA KIOXIA
• Prometheus
• UEFI dbx
LENOVO 21K3S0DS00
│
└─System Firmware:
  │   Device ID:          6c946da70cfcaaf4a1d4660f82906333c1c96b8d
  │   Summary:            UEFI System Resource Table device (updated via NVRAM)
  │   Current version:    0.1.35
  │   Vendor:             Lenovo (DMI:LENOVO)
  │   Update State:       Transient failure
  │   Update Error:       Secure boot is enabled, but shim isn't installed to EFI/ubuntu/shimx64.efi ###### <------------
  │   Last modified:      2024-07-04 14:38
  │   GUID:               18cced7e-d108-41c4-9189-b0355c41450d
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • System requires external power source
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Cryptographic hash verification is available
  │                       • Device is usable for the duration of the update
  │   Device Requests:    • Message
  │
$ sudo apt install shim
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
boot-managed-by-snapd : Conflicts: shim but 15.8-0ubuntu1 is to be installed
Cannot install shim on system as boot is managed by snapd. ############### <<<----------------------
E: Error, pkgProblemResolver::Resolve generated breaks, this may be caused by held packages.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: boot-managed-by-snapd 4build1
ProcVersionSignature: Ubuntu 6.8.0-36.36-generic 6.8.4
Uname: Linux 6.8.0-36-generic x86_64
ApportVersion: 2.28.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Thu Jul 4 16:42:25 2024
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
SourcePackage: boot-managed-by-snapd
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: boot-managed-by-snapd (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug noble wayland-session
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to boot-managed-by-snapd in
Ubuntu.
https://bugs.launchpad.net/bugs/2071940
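The failure reported above combines three conditions: Secure Boot enabled, no shim at EFI/ubuntu/shimx64.efi, and the boot-managed-by-snapd package conflicting with shim. As an added example (not part of the original report, and not code from fwupd or snapd), this shell sketch checks for that combination; the function names, verdict strings, script name and the ESP mount point supplied by the caller are assumptions.

```shell
#!/bin/sh
# Added triage sketch (not from the bug report). Function names, verdict
# strings and the directory arguments are assumptions made for this example.

# EFI global-variable GUID; SecureBoot holds one data byte (1 = enabled).
SB_VAR="SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# secure_boot_state EFIVARS_DIR -> prints on / off / unknown.
# efivarfs files start with 4 attribute bytes, so the value is byte 5.
secure_boot_state() {
    f="$1/$SB_VAR"
    if [ ! -r "$f" ]; then echo unknown; return 0; fi
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')
    if [ "$v" = "1" ]; then echo on; else echo off; fi
}

# shim_present ESP_DIR -> true if the file named in fwupd's error exists.
shim_present() {
    [ -f "$1/EFI/ubuntu/shimx64.efi" ]
}

# snapd_managed_boot -> true if the package that conflicts with shim is installed.
snapd_managed_boot() {
    dpkg-query -W -f='${Status}' boot-managed-by-snapd 2>/dev/null |
        grep -q 'install ok installed'
}

# diagnose EFIVARS_DIR ESP_DIR MANAGED(yes|no) -> prints one verdict.
diagnose() {
    sb=$(secure_boot_state "$1")
    if [ "$sb" != "on" ]; then echo "secure-boot-$sb"; return 0; fi
    if shim_present "$2"; then echo "shim-present"; return 0; fi
    if [ "$3" = "yes" ]; then
        echo "blocked-by-snapd"   # the combination shown in the report
    else
        echo "shim-missing"
    fi
}

# Live use (hypothetical script name; ESP mount point is the caller's choice):
#   sudo sh triage.sh --run /boot/efi
if [ "${1:-}" = "--run" ]; then
    managed=no
    if snapd_managed_boot; then managed=yes; fi
    diagnose /sys/firmware/efi/efivars "${2:?ESP mount point required}" "$managed"
fi
```

A `blocked-by-snapd` verdict corresponds to the state in the report: the shim check fails and the package manager refuses to install shim.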