Firmware update: Shim does not seem to start fwupdx64.efi with Secure Boot enabled

boot firmware bootloader fedora

I tried to do a firmware update on a ThinkPad L14 using fwupdmgr on Fedora 34. Everything seemed fine until the program told me to reboot, which I did, but Fedora was booted instead of the firmware updater. I tried changing the boot order manually, removing an unused Windows boot entry with efibootmgr and various combinations of BIOS settings about when and how to allow firmware updates, but nothing worked. Finally, I found out that when disabling Secure Boot, the updater starts and the update completes successfully. Afterwards, I could reenable Secure Boot and my OS booted normally. Also, fwupdmgr says that the update was successfully installed.

Well, it seems like my problem is solved, but I would like to know why the solution worked. I thought the shim bootloader would not only boot the OS but also the updater and because shim is signed by Microsoft, there should be no problem with having Secure Boot enabled.

In case more information is needed to find the solution, please tell me in a comment and I will add it. I do not know a lot about firmware updates and thus can hardly tell what would be required.


if you decline the fwupdmgr request for an immediate reboot, and run efibootmgr first, you'll notice that fwupdmgr created a new boot entry to run on next boot. On my fedora34, this looks like:

❯ efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0001,0000,0019,001A,001B,001C,001D,001E,001F,0020,0021,0022,0023,0024,0002
Boot0000* ...
Boot0001* Fedora        HD(1,GPT,2a6909b8-0af2-4faf-96c6-6ff0ad9881a6,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)
Boot0002* Linux-Firmware-Updater        HD(1,GPT,2a6909b8-0af2-4faf-96c6-6ff0ad9881a6,0x800,0x12c000)/File(\EFI\fedora\shimx64.efi)\.f.w.u.p.d.x.6.4...e.f.i...
...

However there currently seems to be a bug in shim, which prevents it from running the fwupdx64.efi binary, instead it just drops though to grub:

  • https://bugs.launchpad.net/ubuntu/+source/shim/+bug/1929471
  • https://github.com/rhboot/shim/pull/379 this apparent fix for is already merged, b

Related

Double "whom" sounds clunky, but is correct? [duplicate]
Hard disk not properly working
Can I "re-enable" something?
Can I replace "that is/are (supposed) to" with just "to"?
rdesktop aborts due to untrusted certificate
How many rows did I select in Excel?
Question as a Retort? [closed]
Excel - Chart occurrences
Is my laptop equipped with a BIOS or UEFI?
A case that exhibits all the possible conditions a subject can suffer from?
Auto Relogon after remote access by admin
Breaking last word in the lines [duplicate]