[Bug 2111199] Re: fwupd is incompatible with secure boot (regression)
Andreas Hasenack
2111199 at bugs.launchpad.net
Sat Jun 28 17:30:15 UTC 2025
One difference I noticed when running `efibootmgr` on another laptop,
also plucky, is that the firmware updater entry seems to have an extra
parameter there:

  Boot0002* Linux-Firmware-Updater
  HD(1,GPT,d8bfcac5-daa4-4e87-a79a-a1ba61b879da,0x800,0x219800)/File(\EFI\ubuntu\shimx64.efi)
  File(.\fwupdx64.efi)

Whereas on my machine where it's not working, that extra File() parameter is not there:

  Boot0001* Linux-Firmware-Updater
  HD(1,GPT,0fa5e368-f741-4510-a481-fac2e4ba4e05,0x800,0x219800)/File(\EFI\ubuntu\shimx64.efi)

efibootmgr and fwupd* packages are at the same version, so I'm not sure what's going on. The system with the extra File() parameter is older, and I don't think it received any recent firmware updates, so maybe that UEFI entry is old, created by a previous version of these packages? That laptop was reinstalled a few times in its life, and I *think* it was upgraded from noble or oracular recently, so maybe that entry came from when it was running those systems.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to fwupd-signed in Ubuntu.
https://bugs.launchpad.net/bugs/2111199
Title:
fwupd is incompatible with secure boot (regression)
Status in fwupd package in Ubuntu:
Confirmed
Status in fwupd-signed package in Ubuntu:
Confirmed
Bug description:
I upgraded very recently from 24.10 to 25.04 and I noticed that
firmware updates via fwupdmgr were failing:
  sudo fwupdmgr refresh --force && sudo fwupdmgr update
showed 2 updates but, after a few 'Y' and a reboot, they were not
applied and fwupdmgr get-history showed both as "failed to update on
reboot".
Also, in hindsight, I wasn't seeing a message stating "fwupd-efi
running" (I'm not 100% sure about the message, when the updates are
applied successfully it is shown just for a split-second) on the
bootstrap splashscreen when rebooting to apply the firmware updates.
Disabling secure boot in the BIOS settings, running fwupdmgr again and
rebooting once more let them apply, but this is a regression: on Ubuntu
24.10 fwupdmgr was able to apply updates with secure boot enabled on
this system.
ProblemType: Bug
DistroRelease: Ubuntu 25.04
Package: fwupd-signed 1.55+1.7-1
ProcVersionSignature: Ubuntu 6.14.0-15.15-generic 6.14.0
Uname: Linux 6.14.0-15-generic x86_64
ApportVersion: 2.32.0-0ubuntu5
Architecture: amd64
CasperMD5CheckMismatches: ./.disk/casper-uuid-oem ./boot/grub/efi.img ./boot/grub/grub.cfg ./casper/initrd
CasperMD5CheckResult: fail
CurrentDesktop: ubuntu:GNOME
Date: Sun May 18 14:15:36 2025
DistributionChannelDescriptor:
# This is the distribution channel descriptor for the OEM CDs
# For more information see http://wiki.ubuntu.com/DistributionChannelDescriptor
canonical-oem-sutton-jammy-amd64-20231024-582
InstallationDate: Installed on 2023-10-31 (565 days ago)
InstallationMedia: Ubuntu 22.04 LTS "Jammy Jellyfish" - pc-sutton-jammy-amd64-20231024-582
SourcePackage: fwupd-signed
UpgradeStatus: Upgraded to plucky on 2025-05-17 (1 days ago)
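
Added example (not part of the original message, and not code from fwupd or efibootmgr): a shell function that reads `efibootmgr` output and reports, for each Linux-Firmware-Updater entry, whether the shim path is followed by the fwupd loader File() argument that the comment at the top of this message found on one laptop and missing on the other. The sample listing is constructed from the two entries quoted in that comment plus an invented `ubuntu` entry, and the verdict labels are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report. Verdict labels are this example's own.
# Reads `efibootmgr` text on stdin and prints "<BootNNNN> <verdict>" for each
# Linux-Firmware-Updater entry:
#   shim+fwupd-arg  shim path followed by a File(...fwupd*.efi) argument
#   shim-only       shim path with no fwupd loader argument
#   no-shim         entry does not reference shim at all
classify_fwupd_entries() {
    awk '
    function emit(   low, verdict) {
        if (entry == "" || !index(entry, "Linux-Firmware-Updater")) return
        low = tolower(entry)
        if (low !~ /shim[a-z0-9]*\.efi/)       verdict = "no-shim"
        else if (low ~ /fwupd[a-z0-9]*\.efi/)  verdict = "shim+fwupd-arg"
        else                                   verdict = "shim-only"
        print substr(entry, 1, 8), verdict
    }
    # A new "BootNNNN" entry starts here; report the previous one first.
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ { emit(); entry = $0; next }
    # Header lines such as "BootOrder: ..." end any entry in progress.
    /^[A-Za-z]+: / { emit(); entry = ""; next }
    # Anything else is a wrapped continuation (as in the quoted e-mail).
    entry != "" { entry = entry " " $0 }
    END { emit() }
    '
}

# Constructed sample: the two updater entries quoted in the comment (one on a
# single line, one wrapped as in the e-mail) plus an invented "ubuntu" entry.
sample_listing() {
    cat <<'EOF'
BootCurrent: 0003
BootOrder: 0003,0001,0002
Boot0001* Linux-Firmware-Updater HD(1,GPT,0fa5e368-f741-4510-a481-fac2e4ba4e05,0x800,0x219800)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* Linux-Firmware-Updater
HD(1,GPT,d8bfcac5-daa4-4e87-a79a-a1ba61b879da,0x800,0x219800)/File(\EFI\ubuntu\shimx64.efi)
File(.\fwupdx64.efi)
Boot0003* ubuntu HD(1,GPT,d8bfcac5-daa4-4e87-a79a-a1ba61b879da,0x800,0x219800)/File(\EFI\ubuntu\shimx64.efi)
EOF
}

sample_listing | classify_fwupd_entries
```

On a live system, pipe the real output in with `efibootmgr | classify_fwupd_entries`; add `-v` if your efibootmgr does not print device paths by default.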