Upgrading the BIOS Using fwupd on Debian 11 With Secure Boot

Updated

Update: This problem is fixed by the newer version of shim in Debian 12 (bookworm), so the steps detailed below are no longer required there.


I’ve had this problem with my ThinkPad running Debian 11 (bullseye) for a while, and only recently took the time to figure it out. I’m writing it all out here, hopefully with enough keywords that others can stumble onto this from search engines and save themselves the time.

Problem

fwupd would download and stage the updates without any problems, but on reboot the machine would boot straight into GRUB and then Debian, with no sign of the updater. Even manually selecting the boot entry for “Linux Firmware Updater” from the firmware boot menu would still just boot normally. Disabling Secure Boot and then manually selecting the entry didn’t work either.

The root cause is that the version of shim (the first-stage bootloader that runs before GRUB and lets distributions manage Secure Boot) in Debian 11 has problems booting a second-stage .efi file that is passed to it through the boot entry, which is exactly how fwupd sets up its updater when Secure Boot is on: the “Linux Firmware Updater” entry loads shimx64.efi and hands it fwupdx64.efi as the image to run. This has been fixed in later versions of shim, and Ubuntu has applied the patch to their package, so I think Debian might be the only distribution affected by this. Even if you disable Secure Boot before trying to boot the updater, the boot entry is still set up to go through shim, so it still won’t work.

Solution

fwupd decides whether to route the updater through shim at the time you run fwupdmgr, by checking whether the running system was booted with Secure Boot enabled (the SecureBoot EFI variable). Toggling Secure Boot after the boot entry has been written changes nothing, because the entry already points at shim; but if you run fwupdmgr while Secure Boot is disabled, the entry is written to load fwupdx64.efi directly, without involving shim.

I tried to chain load the updater from GRUB through shim, but after a series of cryptic error messages I gave up. If this is possible it would be preferable as it doesn’t involve disabling Secure Boot.

Step by step

  1. Disable Secure Boot in your machine’s BIOS (UEFI firmware setup)
  2. Boot into Debian and run fwupdmgr update, but don’t accept the reboot prompt yet
  3. Verify the new boot entry with efibootmgr -v
    • There should be a boot entry for “Linux Firmware Updater”
    • BootNext should be set to the index of this boot entry (e.g. BootNext: 0003 if the entry is Boot0003)
    • The boot entry shouldn’t mention shimx64.efi, only fwupdx64.efi
  4. Reboot and wait for the firmware updates to complete
  5. (Optionally) re-enable Secure Boot once the machine boots normally again
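The check in step 3 is easy to get wrong by eye, so here is a small POSIX shell script that does it for you. This is an added example and not code from the original post or from fwupd; it parses the text of efibootmgr -v, confirms that BootNext points at the “Linux Firmware Updater” entry and that the entry loads fwupdx64.efi directly rather than shimx64.efi, and reports the current Secure Boot state by reading the SecureBoot EFI variable from efivarfs. The two sample outputs embedded in it are constructed to look like efibootmgr -v output (the exact load-option dump efibootmgr prints after a path is approximated), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from fwupd): sanity-check the
# boot entry fwupd wrote before accepting the reboot.

# check_fwupd_entry OUTPUT
#   OUTPUT is the text of `efibootmgr -v`.
#   Returns 0 if the entry looks right,
#           1 if there is no "Linux Firmware Updater" entry,
#           2 if BootNext does not point at that entry,
#           3 if the entry still goes through shimx64.efi (or never reaches fwupdx64.efi).
check_fwupd_entry() {
    out="$1"
    # Entry line looks like: Boot0003* Linux Firmware Updater<TAB>HD(...)/File(\EFI\debian\fwupdx64.efi)
    entry=$(printf '%s\n' "$out" | grep -i 'Linux.Firmware.Updater' | head -n 1)
    [ -n "$entry" ] || return 1
    idx=$(printf '%s\n' "$entry" | sed -n 's/^Boot\([0-9A-Fa-f]\{4\}\).*/\1/p')
    next=$(printf '%s\n' "$out" | sed -n 's/^BootNext: *\([0-9A-Fa-f]\{4\}\).*/\1/p')
    [ -n "$idx" ] && [ "$idx" = "$next" ] || return 2
    # A shim-routed entry mentions shimx64.efi in its path and fwupdx64.efi
    # only in the load options; we want fwupdx64.efi as the path itself.
    printf '%s\n' "$entry" | grep -qi 'shimx64\.efi' && return 3
    printf '%s\n' "$entry" | grep -qi 'fwupdx64\.efi' || return 3
    return 0
}

# describe_rc RC: turn a check_fwupd_entry return code into a message.
describe_rc() {
    case "$1" in
        0) echo "OK: BootNext points at the updater and it loads fwupdx64.efi directly" ;;
        1) echo "no Linux Firmware Updater entry found; did fwupdmgr schedule an update?" ;;
        2) echo "BootNext does not point at the updater entry" ;;
        3) echo "updater entry still goes through shimx64.efi; rerun fwupdmgr with Secure Boot disabled" ;;
        *) echo "unexpected return code $1" ;;
    esac
}

# secure_boot_state: prints enabled, disabled or unknown by reading the
# SecureBoot variable from efivarfs (4 bytes of attributes, then 1 data byte).
secure_boot_state() {
    var=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    [ -r "$var" ] || { echo unknown; return 0; }
    case "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: entry written with Secure Boot disabled (what we want).
GOOD_OUTPUT='BootNext: 0003
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001
Boot0000* debian	HD(1,GPT,0000-0000)/File(\EFI\debian\shimx64.efi)
Boot0001* Windows Boot Manager	HD(1,GPT,0000-0000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0003* Linux Firmware Updater	HD(1,GPT,0000-0000)/File(\EFI\debian\fwupdx64.efi)'

# Constructed sample: entry written with Secure Boot enabled (goes through shim).
SHIM_OUTPUT='BootNext: 0003
BootCurrent: 0000
BootOrder: 0000,0001
Boot0000* debian	HD(1,GPT,0000-0000)/File(\EFI\debian\shimx64.efi)
Boot0003* Linux Firmware Updater	HD(1,GPT,0000-0000)/File(\EFI\debian\shimx64.efi)f.w.u.p.d.x.6.4...e.f.i.'

# Constructed sample: fwupdmgr was not run, so no BootNext and no entry.
NONE_OUTPUT='BootCurrent: 0000
BootOrder: 0000
Boot0000* debian	HD(1,GPT,0000-0000)/File(\EFI\debian\shimx64.efi)'

# With --live, check the real system; otherwise demonstrate on the samples.
if [ "${1:-}" = "--live" ]; then
    echo "Secure Boot: $(secure_boot_state)"
    rc=0; check_fwupd_entry "$(efibootmgr -v)" || rc=$?
    describe_rc "$rc"
    exit "$rc"
else
    for sample in GOOD_OUTPUT SHIM_OUTPUT NONE_OUTPUT; do
        eval "text=\$$sample"
        rc=0; check_fwupd_entry "$text" || rc=$?
        echo "$sample: $(describe_rc "$rc")"
    done
fi
```

Run it with --live (as root, since efibootmgr needs access to the EFI variables) after step 2 and before rebooting; a return code of 3 means the entry was written while Secure Boot was still on, so go back to step 1. The script does not try to edit the entry itself: the supported way to get a correct one is to let fwupdmgr write it with Secure Boot disabled.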