
Lenovo System Firmware update 1.55 -> 1.56 deletes all SecureBoot keys and certs, disables SecureBoot / turns on Setup Mode and deletes all UEFI Boot entries

Open das-menschy opened this issue 2 years ago • 19 comments

Describe the bug

Updating my Lenovo system firmware from version 1.55 to version 1.56 (Lenovo-ThinkPad-X1Carbon5th-SystemFirmware-1.55.cab => Lenovo-ThinkPad-X1Carbon5th-SystemFirmware-1.56.cab)

  • deleted all of the SecureBoot keys in UEFI NVRAM: all database (DB) keys were removed, all Key Exchange Keys (KEK) were removed, the Platform Key (PK) was removed, all Machine Owner Keys (MOK) were removed.
  • put my ThinkPad back into "SecureBoot Setup Mode", so de facto disabled SecureBoot.
  • deleted all UEFI Boot entries so that I couldn't boot into Linux directly anymore: Windows started by default, and I had to take the detour via /EFI/BOOT/BOOTX64.EFI.
[root@linux-on-20hr002mmx ~]# efi-readvar 
Variable PK has no entries
Variable KEK has no entries
Variable db has no entries
Variable dbx has no entries
Variable MokList has no entries

[root@linux-on-20hr002mmx ~]# mokutil --list-enrolled
[root@linux-on-20hr002mmx ~]# 
[root@linux-on-20hr002mmx ~]# efibootmgr 
BootCurrent: 0019
Timeout: 0 seconds
BootOrder: 0000,0017,0018,0019,001A,001B,001C,001D,001E
Boot0000* Windows Boot Manager	HD(1,GPT,88a96d13-381e-4dc1-8eea-9ac7f7fb5bc3,0x800,0x800000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000061000100000010000000040000007fff0400
Boot0010  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0015  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0016  MEBx Hot Key	FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
Boot0017* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot0018* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot0019* NVMe0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001A* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f600)
Boot001B* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot001C* PCI LAN	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot001D  Other CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35406)
Boot001E  Other HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f606)
Boot001F* IDER BOOT CDROM	PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,1,0)
Boot0020* IDER BOOT Floppy	PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,0,0)
Boot0021* ATA HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0022* ATAPI CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)

Steps to Reproduce

  1. Open GNOME firmware.
  2. Go to "Lenovo System Firmware"
  3. Check if version 1.55 from the available releases is installed.
  4. Upgrade to version 1.56.

Expected behavior

  • the SecureBoot certificates should not be deleted.
  • UEFI SecureBoot SetupMode should not be activated
  • SecureBoot should not be disabled
  • the UEFI Boot entries should not be deleted.

fwupd version information

[root@linux-on-20hr002mmx ~]# fwupdmgr --version 
runtime   org.freedesktop.fwupd         1.8.6
runtime   org.freedesktop.fwupd-efi     1.3
compile   org.freedesktop.gusb          0.4.0
runtime   com.dell.libsmbios            2.4
runtime   org.kernel                    6.0.1-arch2-1
runtime   com.hughsie.libjcat           0.1.11
compile   com.hughsie.libjcat           0.1.11
compile   org.freedesktop.fwupd         1.8.6
runtime   org.freedesktop.gusb          0.4.1

Please note how you installed it (apt, dnf, pacman, source, etc): pacman

**fwupd device information**

Please provide the output of the fwupd devices recognized in your system.

[root@linux-on-20hr002mmx ~]# fwupdmgr get-devices --show-all-devices
LENOVO 20HR002MMX
│
├─Core™ i7-7500U CPU @ 2.70GHz:
│     Device ID:          4bde70ba4e39b28f9eab1628f9dd6e6244c03027
│     Current version:    0x000000f0
│     Vendor:             Intel
│     GUIDs:              b9a2dd81-159e-5537-a7db-e7101d164d3f ← cpu
│                         30249f37-d140-5d3e-9319-186b1bd5cac3 ← CPUID\PRO_0&FAM_06
│                         561403e8-143a-5071-ab09-bf5e4c146983 ← CPUID\PRO_0&FAM_06&MOD_8E
│                         9ca69899-3716-5857-9fd3-882a5c73236f ← CPUID\PRO_0&FAM_06&MOD_8E&STP_9
│     Device Flags:       • Internal device
│   
├─Embedded Controller:
│     Device ID:          2292ae5236790b47884e37cf162dcf23bfcd1c60
│     Summary:            UEFI ESRT device
│     Current version:    0.1.22
│     Minimum Version:    0.0.1
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     Update Message:     Do not turn off your computer or remove the AC adapter while the update is in progress.
│     GUID:               74997a6b-1adf-4b12-b994-401f06ea8c72
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─HD Graphics 620 (ThinkPad X1 Carbon 5th Gen):
│     Device ID:          5792b48846ce271fab11c4a545f7a3df0d36e00a
│     Current version:    02
│     Vendor:             Intel Corporation (PCI:0x8086)
│     GUIDs:              38f6c009-a25c-5b50-b3b5-fef4f9c6b846 ← PCI\VEN_8086&DEV_5916
│                         2886e312-afd8-5510-8993-12d568a85e00 ← PCI\VEN_8086&DEV_5916&REV_02
│                         06d045aa-d32e-5383-b2ad-7f8d8600c990 ← PCI\VEN_8086&DEV_5916&SUBSYS_17AA224F
│                         d2bdf246-2892-5553-823f-473036b6b9fd ← PCI\VEN_8086&DEV_5916&SUBSYS_17AA224F&REV_02
│                         52754615-939c-53cf-86f9-3b9ef9be0c25 ← PCI\VEN_8086&DEV_5916&REV_00
│                         f2571686-7c25-5d0d-b0c5-5c794493e085 ← PCI\VEN_8086&DEV_5916&SUBSYS_17AA224F&REV_00
│     Device Flags:       • Internal device
│                         • Cryptographic hash verification is available
│   
├─Intel Management Engine:
│     Device ID:          349bb341230b1a86e5effe7dfe4337e1590227bd
│     Summary:            UEFI ESRT device
│     Current version:    3093041278
│     Minimum Version:    1
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     Update Message:     Do not turn off your computer or remove the AC adapter while the update is in progress.
│     GUID:               c35736d2-9e47-4578-93e9-68d5b04ea77e
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─MZVLW512HMJP-000L7:
│     Device ID:          310f45f1f223064b5c16bf6dff31146755a64480
│     Summary:            NVM Express solid state drive
│     Current version:    7L7QCXY7
│     Vendor:             Samsung (NVME:0x144D)
│     Serial Number:      S359NX0HC10163
│     GUIDs:              5b3df2da-f745-5fd0-81de-5dafd7f0bf8c ← NVME\VEN_144D&DEV_A804
│                         f87b9ac8-1cb3-5c0a-ae57-7144f211fe5e ← NVME\VEN_144D&DEV_A804&REV_00
│                         aed4d3c0-fd97-5e46-a32f-ff35e0692f6d ← NVME\VEN_144D&DEV_A804&SUBSYS_144DA801
│                         030c853f-259a-57a0-b3fb-1c66100db94b ← NVME\VEN_144D&DEV_A804&SUBSYS_144DA801&REV_00
│                         a4e35c44-5f9d-5a9c-af86-885610fe75df ← SAMSUNG MZVLW512HMJP-000L7
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│                         • Signed Payload
│   
├─Sunrise Point-LP LPC Controller (ThinkPad X1 Carbon 5th Gen):
│ │   Device ID:          71b31258b13a4b2793e529856a190f8fb02ad151
│ │   Current version:    21
│ │   Vendor:             Intel Corporation (PCI:0x8086)
│ │   GUIDs:              6e096af2-009f-5b41-91c6-1227f9f3c35e ← PCI\VEN_8086&DEV_9D58
│ │                       75d8e82c-311a-5eeb-bf2d-3cb5257011dd ← PCI\VEN_8086&DEV_9D58&REV_21
│ │                       526f80a9-477b-55ae-8ad9-7e42a746ab59 ← PCI\VEN_8086&DEV_9D58&SUBSYS_17AA224F
│ │                       609698d0-ba2d-5e3d-9356-d02a2981daf2 ← PCI\VEN_8086&DEV_9D58&SUBSYS_17AA224F&REV_21
│ │                       cfd2b4c2-2913-584f-95d4-58fca2e8596d ← INTEL_SPI_CHIPSET\ID_PCH100
│ │   Device Flags:       • Internal device
│ │                       • Cryptographic hash verification is available
│ │ 
│ ├─BIOS:
│ │     Device ID:        ff7dbf2f6e354a5727c6ce1c466230f38bd26ff0
│ │     Vendor:           Intel Corporation (PCI:0x8086)
│ │     GUID:             2c7b8bd2-3e77-5730-aaf6-596136f5254d ← IFD\NAME_BIOS
│ │     Device Flags:     • Internal device
│ │                       • Cryptographic hash verification is available
│ │   
│ ├─Gigabit Ethernet:
│ │     Device ID:        11188287b93230d58f85f059dfab93e1d59724bb
│ │     Vendor:           Intel Corporation (PCI:0x8086)
│ │     GUID:             30ee4fad-d1cd-522f-9a32-e53f4a4269cc ← IFD\NAME_GBE
│ │     Device Flags:     • Internal device
│ │                       • Cryptographic hash verification is available
│ │   
│ └─Intel Management Engine:
│       Device ID:        7ef8a531d2413174034556f12dff8aa3bb4a8c30
│       Vendor:           Intel Corporation (PCI:0x8086)
│       GUID:             614566e7-4d60-55f5-9cb9-48c5e488a705 ← IFD\NAME_ME
│       Device Flags:     • Internal device
│                         • Device is locked
│                         • Cryptographic hash verification is available
│     
├─System Firmware:
│     Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
│     Summary:            UEFI ESRT device
│     Current version:    0.1.56
│     Minimum Version:    0.1.23
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     Update Message:     Do not turn off your computer or remove the AC adapter while the update is in progress.
│     GUIDs:              798ffd60-f10e-4ac4-8939-c8beabfe55b4
│                         230c8b18-8d9b-53ec-838b-6cfc0383493a ← main-system-firmware
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Cryptographic hash verification is available
│                         • Device is usable for the duration of the update
│   
└─TPM:
      Device ID:          c6a80ac3a22083423992a3cb15018989f37834d6
      Current version:    7.61.10.57600
      Vendor:             Infineon (TPM:IFX)
      GUIDs:              ff71992e-52f7-5eea-94ef-883e56e034c6 ← system-tpm
                          5eebb112-75ad-5536-b173-a11eb3399402 ← TPM\VEN_IFX&DEV_0000
                          ddf995da-1b32-5a8a-bc1b-8d5af4b38b51 ← TPM\VEN_IFX&MOD_SLB9670
                          6d81ab63-db2e-50ac-934f-6be9accf5e02 ← TPM\VEN_IFX&DEV_0000&VER_2.0
                          301555de-680d-5ddc-b995-7553fc9138f1 ← TPM\VEN_IFX&MOD_SLB9670&VER_2.0
      Device Flags:       • Internal device
    
________________________________________________

Devices that have been updated successfully:

 • System Firmware (0.1.55 → 0.1.56)

Uploading firmware reports helps hardware vendors to quickly identify failing and successful updates on real devices.
Upload report now? (Requires internet connection) [Y|n]:
Y
Target:                  https://fwupd.org/lvfs/firmware/report
Payload:                 {
                           "ReportVersion" : 2,
                           "MachineId" : "9b64eeb085f44ec939ff025877a9151c3d94196b0eb5c85084c07101dee112cb",
                           "Metadata" : {
                             "DistroId" : "arch"
                           },
                           "Reports" : [
                             {
                               "Checksum" : "0c5c446741856cdd41f217001fec4dc878e7a1ae",
                               "ChecksumDevice" : [
                                 "5eadf26a5c1213ec40011b2561923a2051dd5a55"
                               ],
                               "ReleaseId" : null,
                               "Protocol" : "org.uefi.capsule",
                               "UpdateState" : 2,
                               "Guid" : [
                                 "798ffd60-f10e-4ac4-8939-c8beabfe55b4"
                               ],
                               "Plugin" : "uefi_capsule",
                               "VersionOld" : "0.1.55",
                               "VersionNew" : "0.1.56",
                               "Flags" : 574619947,
                               "Created" : 1665747291,
                               "Modified" : 1665747369,
                               "Metadata" : {
                                 "LastAttemptVersion" : "0x0",
                                 "TpmFamily" : "2.0",
                                 "LastAttemptStatus" : "0x0",
                                 "RuntimeVersion(org.kernel)" : "5.19.13-arch1-1",
                                 "Pcr0_SHA1" : "5eadf26a5c1213ec40011b2561923a2051dd5a55",
                                 "RuntimeVersion(org.freedesktop.fwupd)" : "1.8.6",
                                 "HostSku" : "LENOVO_MT_20HR_BU_Think_FM_ThinkPad X1 Carbon 5th",
                                 "BootMgrDesc" : "legacy",
                                 "UEFIUXCapsule" : "Enabled",
                                 "CpuArchitecture" : "x86_64",
                                 "SecureBoot" : "Enabled",
                                 "HostFamily" : "ThinkPad X1 Carbon 5th",
                                 "HostVendor" : "LENOVO",
                                 "RuntimeVersion(org.freedesktop.gusb)" : "0.4.1",
                                 "CompileVersion(org.freedesktop.gusb)" : "0.4.0",
                                 "RuntimeVersion(com.dell.libsmbios)" : "2.4",
                                 "RuntimeVersion(com.hughsie.libjcat)" : "0.1.11",
                                 "MissingCapsuleHeader" : "False",
                                 "FwupdSupported" : "True",
                                 "KernelVersion" : "5.19.13-arch1-1",
                                 "TpmEventLog" : "0x00000008 700e49db3595b4f8fcd14b04c88bcbf9d259f73d [TgAxAE0ARQBUADcAMABXACAAAAA=]\n0x80000008 962e5b24741f39b33fa321e1ba3d214ba3d0adc2 [AAD+/wAAAAAAAAIAAAAAAA==]\n0x80000008 74fc8ce0889f6f00987f230d68e53fb73f8aece7 [AADq/wAAAAAAABQAAAAAAA==]\n0x80000008 32ae85afdf78e59c3623e82f101215b4da7e856d [AADT/wAAAAAAAAsAAAAAAA==]\n0x80000008 7a223867e1e323c40a8b152b48c4802cc60d8781 [AADe/wAAAAAAAAEAAAAAAA==]\n0x80000008 f057083224fe5b1c37d534de24966261be4f5e47 [AACX/wAAAAAAADwAAAAAAA==]\n0x00000001 01379597febfd617f8f1e27bdede6d3fc75fe97c [QUNQSSBEQVRB]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [QUNQSSBEQVRB]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473 [AAAAAA==]\nPCR0: 5eadf26a5c1213ec40011b2561923a2051dd5a55\nPCR0: 60d3f3fbf74d994f2e65fc4c65951b3561c4c8d06cc07d54b5c27052d4c7b60e",
                                 "EspPath" : "/boot/efi",
                                 "HostProduct" : "20HR002MMX",
                                 "BootTime" : "1665668983",
                                 "KernelName" : "Linux",
                                 "RuntimeVersion(org.freedesktop.fwupd-efi)" : "1.3",
                                 "CapsuleApplyMethod" : "nvram",
                                 "LinuxLockdown" : "none",
                                 "CompileVersion(com.hughsie.libjcat)" : "0.1.11",
                                 "Pcr0_SHA256" : "60d3f3fbf74d994f2e65fc4c65951b3561c4c8d06cc07d54b5c27052d4c7b60e",
                                 "EfivarNvramUsed" : "35343",
                                 "KernelCmdline" : "vt.global_cursor_default=0",
                                 "DistroId" : "arch",
                                 "CompileVersion(org.freedesktop.fwupd)" : "1.8.6"
                               }
                             }
                           ]
                         }
Proceed with upload? [Y|n]: Y
Idle…                    [***************************************]
Successfully uploaded 1 report

Do you want to upload reports automatically for future updates? [y|N]:
N

System UEFI configuration

Please provide the output of the following commands:

[root@linux-on-20hr002mmx ~]# efibootmgr -v
BootCurrent: 0019
Timeout: 0 seconds
BootOrder: 0000,0017,0018,0019,001A,001B,001C,001D,001E
Boot0000* Windows Boot Manager	HD(1,GPT,88a96d13-381e-4dc1-8eea-9ac7f7fb5bc3,0x800,0x800000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000061000100000010000000040000007fff0400
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 00 80 00 00 00 00 00 13 6d a9 88 1e 38 c1 4d 8e ea 9a c7 f7 fb 5b c3 02 02 / 04 04 46 00 5c 00 45 00 46 00 49 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 42 00 6f 00 6f 00 74 00 5c 00 62 00 6f 00 6f 00 74 00 6d 00 67 00 66 00 77 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
    data: 57 49 4e 44 4f 57 53 00 01 00 00 00 88 00 00 00 78 00 00 00 42 00 43 00 44 00 4f 00 42 00 4a 00 45 00 43 00 54 00 3d 00 7b 00 39 00 64 00 65 00 61 00 38 00 36 00 32 00 63 00 2d 00 35 00 63 00 64 00 64 00 2d 00 34 00 65 00 37 00 30 00 2d 00 61 00 63 00 63 00 31 00 2d 00 66 00 33 00 32 00 62 00 33 00 34 00 34 00 64 00 34 00 37 00 39 00 35 00 7d 00 00 00 61 00 01 00 00 00 10 00 00 00 04 00 00 00 7f ff 04 00
Boot0010  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
      dp: 04 06 14 00 66 8b 1c 72 6c 42 86 4e 8e 99 34 57 c4 6a b0 b9 / 7f ff 04 00
Boot0011  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
      dp: 04 06 14 00 2d 76 6a 12 58 57 ca 4f 85 31 20 1a 7f 57 f8 50 / 7f ff 04 00
Boot0012  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
      dp: 04 06 14 00 a6 d9 d8 a7 b0 6a eb 4a ad 9d 16 3e 59 a7 a3 80 / 7f ff 04 00
Boot0013  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
      dp: 04 06 14 00 5b 61 7e 3f 45 0d 80 4f 88 dc 26 b2 34 95 85 60 / 7f ff 04 00
Boot0014  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
      dp: 04 06 14 00 f4 e6 6e f4 85 47 a3 43 92 3d 7f 78 6c 3c 84 79 / 7f ff 04 00
Boot0015  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
      dp: 04 06 14 00 60 3f 5d 66 3e ad ad 4c 8e 26 db 46 ee e9 f1 b5 / 7f ff 04 00
Boot0016  MEBx Hot Key	FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
      dp: 04 06 14 00 6a d5 6f ac 41 3d fd 4e a1 b9 87 02 93 81 1a 28 / 7f ff 04 00
Boot0017* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
      dp: 03 0a 24 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 86 70 12 96 aa 5a 78 48 b6 6c d4 9d d3 ba 6a 55 / 7f ff 04 00
Boot0018* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
      dp: 03 0a 24 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 6f f0 15 a2 88 30 b5 43 a8 b8 64 10 09 46 1e 49 / 7f ff 04 00
Boot0019* NVMe0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
      dp: 03 0a 25 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 00 1c 19 99 32 d9 4c 4e ae 9a a0 b6 e9 8e b8 a4 00 / 7f ff 04 00
Boot001A* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f600)
      dp: 03 0a 25 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 91 af 62 59 56 44 9f 41 a7 b9 1f 4f 89 2a b0 f6 00 / 7f ff 04 00
Boot001B* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
      dp: 03 0a 24 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 33 e8 21 aa af 33 bc 47 89 bd 41 9f 88 c5 08 03 / 7f ff 04 00
Boot001C* PCI LAN	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
      dp: 03 0a 24 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 78 a8 4a af 2b 2a fc 4e a7 9c f5 cc 8f 3d 38 03 / 7f ff 04 00
Boot001D  Other CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35406)
      dp: 03 0a 25 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b ae a2 09 0a df de 21 4e 8b 3a 5e 47 18 56 a3 54 06 / 7f ff 04 00
Boot001E  Other HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f606)
      dp: 03 0a 25 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 91 af 62 59 56 44 9f 41 a7 b9 1f 4f 89 2a b0 f6 06 / 7f ff 04 00
Boot001F* IDER BOOT CDROM	PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,1,0)
      dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 02 16 / 03 01 08 00 00 01 00 00 / 7f ff 04 00
Boot0020* IDER BOOT Floppy	PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,0,0)
      dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 02 16 / 03 01 08 00 00 00 00 00 / 7f ff 04 00
Boot0021* ATA HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
      dp: 03 0a 24 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b 91 af 62 59 56 44 9f 41 a7 b9 1f 4f 89 2a b0 f6 / 7f ff 04 00
Boot0022* ATAPI CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)
      dp: 03 0a 24 00 d2 38 78 bc 82 0f 60 4d 83 16 c0 68 ee 79 d2 5b ae a2 09 0a df de 21 4e 8b 3a 5e 47 18 56 a3 54 / 7f ff 04 00

[root@linux-on-20hr002mmx ~]# efivar -l | grep fw
[root@linux-on-20hr002mmx ~]#
[root@linux-on-20hr002mmx ~]# tree /boot
/boot
├── create-unified-uefi-kernel-image.sh
├── efi
│   ├── EFI
│   │   ├── Arch
│   │   │   ├── fw
│   │   │   │   └── fwupd-798ffd60-f10e-4ac4-8939-c8beabfe55b4.cap
│   │   │   ├── fwupdx64.efi
│   │   │   ├── linux-hardened-signed.efi
│   │   │   ├── linux-hardened-signed.efi.bak
│   │   │   ├── linux-signed.efi
│   │   │   ├── linux-signed.efi.bak
│   │   │   └── linux-signed.efi.sbat
│   │   ├── BOOT
│   │   │   ├── BOOTX64.EFI
│   │   │   ├── grubx64.efi
│   │   │   ├── grubx64-efi_is_not_grub_but_systemd-bootx64-efi.txt
│   │   │   ├── BOOTX64-efi_is_systemd-bootx64-efi.txt
│   │   │   ├── mmx64.efi
│   │   │   └── shimx64.efi
│   │   ├── keys
│   │   │   ├── DB.efitools.auth
│   │   │   ├── DBX.efitools.auth
│   │   │   ├── KEK.efitools.auth
│   │   │   ├── MicWinProPCA2011_2011-10-19.efitools.auth
│   │   │   └── PK.efitools.auth
│   │   ├── Linux
│   │   ├── Microsoft
│   │   │   ├── Boot
│   │   │   │   ├── BCD
│   │   │   │   ├── BCD.LOG
│   │   │   │   ├── BCD.LOG1
│   │   │   │   ├── BCD.LOG2
│   │   │   │   ├── bg-BG
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── bootmgfw.efi
│   │   │   │   ├── bootmgr.efi
│   │   │   │   ├── BOOTSTAT.DAT
│   │   │   │   ├── boot.stl
│   │   │   │   ├── cs-CZ
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── da-DK
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── de-DE
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── el-GR
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── en-GB
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── en-US
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── es-ES
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── es-MX
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── et-EE
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── fi-FI
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── Fonts
│   │   │   │   │   ├── chs_boot.ttf
│   │   │   │   │   ├── cht_boot.ttf
│   │   │   │   │   ├── jpn_boot.ttf
│   │   │   │   │   ├── kor_boot.ttf
│   │   │   │   │   ├── malgun_boot.ttf
│   │   │   │   │   ├── malgunn_boot.ttf
│   │   │   │   │   ├── meiryo_boot.ttf
│   │   │   │   │   ├── meiryon_boot.ttf
│   │   │   │   │   ├── msjh_boot.ttf
│   │   │   │   │   ├── msjhn_boot.ttf
│   │   │   │   │   ├── msyh_boot.ttf
│   │   │   │   │   ├── msyhn_boot.ttf
│   │   │   │   │   ├── segmono_boot.ttf
│   │   │   │   │   ├── segoen_slboot.ttf
│   │   │   │   │   ├── segoe_slboot.ttf
│   │   │   │   │   └── wgl4_boot.ttf
│   │   │   │   ├── fr-CA
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── fr-FR
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── FveTcg_0.log
│   │   │   │   ├── FveTcg_1.log
│   │   │   │   ├── FveTcg_2.log
│   │   │   │   ├── hr-HR
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── hu-HU
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── it-IT
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── ja-JP
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── kd_02_10df.dll
│   │   │   │   ├── kd_02_10ec.dll
│   │   │   │   ├── kd_02_1137.dll
│   │   │   │   ├── kd_02_14e4.dll
│   │   │   │   ├── kd_02_15b3.dll
│   │   │   │   ├── kd_02_1969.dll
│   │   │   │   ├── kd_02_19a2.dll
│   │   │   │   ├── kd_02_1af4.dll
│   │   │   │   ├── kd_02_8086.dll
│   │   │   │   ├── kd_07_1415.dll
│   │   │   │   ├── kd_0C_8086.dll
│   │   │   │   ├── kdnet_uart16550.dll
│   │   │   │   ├── kdstub.dll
│   │   │   │   ├── ko-KR
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── lt-LT
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── lv-LV
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── memtest.efi
│   │   │   │   ├── nb-NO
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── nl-NL
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── pl-PL
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── pt-BR
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── pt-PT
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── qps-ploc
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── Resources
│   │   │   │   │   ├── bootres.dll
│   │   │   │   │   └── en-US
│   │   │   │   │       └── bootres.dll.mui
│   │   │   │   ├── ro-RO
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── ru-RU
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── sk-SK
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── sl-SI
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── sr-Latn-RS
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── sv-SE
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── tr-TR
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   ├── uk-UA
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   └── bootmgr.efi.mui
│   │   │   │   ├── winsipolicy.p7b
│   │   │   │   ├── zh-CN
│   │   │   │   │   ├── bootmgfw.efi.mui
│   │   │   │   │   ├── bootmgr.efi.mui
│   │   │   │   │   └── memtest.efi.mui
│   │   │   │   └── zh-TW
│   │   │   │       ├── bootmgfw.efi.mui
│   │   │   │       ├── bootmgr.efi.mui
│   │   │   │       └── memtest.efi.mui
│   │   │   └── Recovery
│   │   │       ├── BCD
│   │   │       ├── BCD.LOG
│   │   │       ├── BCD.LOG1
│   │   │       └── BCD.LOG2
│   │   └── systemd
│   │       └── systemd-bootx64.efi
│   ├── loader
│   │   ├── entries
│   │   │   ├── Arch-linux.conf
│   │   │   ├── Arch-linux-hardened.conf
│   │   ├── entries.srel
│   │   ├── loader.conf
│   │   └── random-seed
│   └── System Volume Information
├── initramfs-linux-fallback.img
├── initramfs-linux-hardened-fallback.img
├── initramfs-linux-hardened.img
├── initramfs-linux.img
├── initrd-linux.img
├── intel-ucode.img
├── linux-2.efi
├── linux.efi
├── vmlinuz-linux
└── vmlinuz-linux-hardened

Additional questions

  • Operating system and version:
# Arch Linux: 
[root@linux-on-20hr002mmx ~]# uname -a
Linux linux-on-20hr002mmx 6.0.1-arch2-1 #1 SMP PREEMPT_DYNAMIC Thu, 13 Oct 2022 18:58:49 +0000 x86_64 GNU/Linux
  • Have you tried rebooting? Yes, didn't help.
  • Is this a regression? I don't know.
  • Are you using an NVMe disk? Yes.
  • Is secure boot enabled? Secure Boot was enabled, but is now practically disabled, because ALL SecureBoot keys and certs were deleted and therefore there is nothing the EFI binaries could be checked against for Secure Boot:
[root@linux-on-20hr002mmx efi]# bootctl status | head -n 30
System:
     Firmware: UEFI 2.50 (Lenovo 0.5472)
  Secure Boot: disabled (setup)
 TPM2 Support: yes
 Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 251.4-1-arch
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Boot loader sets ESP information
         Stub: systemd-stub 251.6-1-arch
          ESP: /dev/disk/by-partuuid/88a96d13-381e-4dc1-8eea-9ac7f7fb5bc3
         File: └─/EFI/BOOT/BOOTX64.EFI

  • Is this a Lenovo system with 'Boot Order Lock' turned on in the BIOS? No, Boot Order Lock is not turned on in the BIOS: See: IMG_20221015_190105 IMG_20221015_190117

das-menschy avatar Oct 15 '22 17:10 das-menschy

Is the hardware on this Lenovo Thinkpad broken?
Or is this a firmware bug?

das-menschy avatar Oct 15 '22 17:10 das-menschy

I also made two photos during the Lenovo System Firmware update, but I guess they won't help, because they report success and no error: IMG_20221014_133844 IMG_20221014_133848

das-menschy avatar Oct 15 '22 19:10 das-menschy

Is this not a bug, but an undocumented feature to disable Secure Boot? :laughing: :smile: I guess this issue is a security vulnerability... Maybe I should not have gone public. Anyway, here we are.

das-menschy avatar Oct 15 '22 20:10 das-menschy

Could be the same bug as #266 . Lenovo System Firmware updates seem to delete quite a lot of things...

das-menschy avatar Oct 15 '22 20:10 das-menschy

@mrhpearson if this is disabling SecureBoot by just updating we should probably spin up secalart too. Do you want me to pull the update whilst we debug?

hughsie avatar Oct 17 '22 09:10 hughsie

Sorry for the slow reply. I'll definitely follow up with the FW team on this, but unsure on pulling it - looks like a lot of successful downloads and updates from the stats. My concern is that we're not going to be able to reproduce this and if it's a one off we end up stuck. Can you give me a day to follow up with the FW team and see what they say?

It's hard enough getting them to do the FW updates for the older platforms where LVFS support wasn't in the plan of record without moving FW back and forth. If that's a bad reason and you think I'm under-estimating the severity I'm OK to be overridden :) Mark

mrhpearson avatar Oct 18 '22 19:10 mrhpearson

As a note - internal ticket # LO-2077

mrhpearson avatar Oct 18 '22 19:10 mrhpearson

During the firmware update, a "System reset" message was displayed. I guess the "System reset" is the problem. Solution:

  • either don't do a "System reset" during the firmware update (for this, the *.cab file would have to be changed, I guess)
  • or make a backup of all system settings (UEFI boot variables, UEFI secure boot certs, etc.) before the firmware update / System Reset, and reload the backup file back into NVRAM after the firmware update / System Reset.

The absolute minimum should be a warning from fwupdmgr: fwupdmgr should advise the users to make a backup of all UEFI boot entries and all Secure Boot entries before running the firmware update.

das-menschy avatar Oct 18 '22 19:10 das-menschy
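
The backup-before-update idea from the comment above, as an added example that is not part of this thread, of fwupd or of Lenovo's firmware: a POSIX shell snapshot of the Secure Boot databases (PK, KEK, db, dbx) and the Boot####/BootOrder variables from efivarfs, plus a post-update check that reports any variable that is missing or changed. The efivarfs directory and backup directory are parameters (assumed here; efivarfs normally lives at /sys/firmware/efi/efivars), so the functions can also be exercised against a constructed copy.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the Secure Boot databases and
# UEFI boot variables from efivarfs before a firmware update, then verify them
# afterwards to catch the wipe described above (PK/KEK/db gone, Boot#### gone).
# The efivarfs directory is passed in (normally /sys/firmware/efi/efivars) so
# the functions can also be run against a constructed copy for testing.

# snapshot_efivars <efivarfs dir> <backup dir>
# Copies each matching variable file and writes a MANIFEST of "sha256 name";
# prints the number of variables saved.
snapshot_efivars() {
    cur=$1; bak=$2; count=0
    mkdir -p "$bak" || return 1
    : > "$bak/MANIFEST"
    # Quoted patterns: globbing happens only when joined with "$cur" below.
    for pat in 'PK-*' 'KEK-*' 'db-*' 'dbx-*' 'BootOrder-*' \
               'Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]-*'; do
        for f in "$cur"/$pat; do
            [ -e "$f" ] || continue          # pattern matched nothing
            name=$(basename "$f")
            # efivarfs files start with a 4-byte attribute header; keep verbatim.
            cp "$f" "$bak/$name" || return 1
            printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$name" \
                >> "$bak/MANIFEST"
            count=$((count + 1))
        done
    done
    echo "$count"
}

# check_efivars <efivarfs dir> <backup dir>
# Returns 0 if every snapshotted variable still exists with identical content,
# 1 otherwise, printing one MISSING:/CHANGED: line per problem.
check_efivars() {
    cur=$1; bak=$2; bad=0
    while read -r sum name; do
        if [ ! -e "$cur/$name" ]; then
            echo "MISSING: $name"; bad=1
        elif [ "$(sha256sum "$cur/$name" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED: $name"; bad=1
        fi
    done < "$bak/MANIFEST"
    return "$bad"
}
```

Restoring is a separate step this example does not perform: boot entries are recreated with efibootmgr, and the key databases can only be written back while the platform is in Setup Mode (or through the firmware setup menu's key restore).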

Those entries really shouldn't be impacted by a FW update. The system is reset during the update so that's pretty normal and I don't think is necessarily the problem.

I saw your note in #266 and that is making me double guess if this should be pulled or not. We didn't get to the bottom of what was going on there.

Afraid I really need feedback from the FW team. What you're seeing is not common - I've not seen this reported on a FW update before.

mrhpearson avatar Oct 18 '22 19:10 mrhpearson

Let's see who is faster to implement: the firmware developers at Lenovo or the developers of fwupdmgr. I would guess the latter. ;-)

das-menschy avatar Oct 18 '22 20:10 das-menschy

I suppose I got hit by this issue, updating my ThinkPad P72 BIOS. After the BIOS update was completed (as shown in photos above), it rebooted into Windows (instead of GRUB). My openSUSE EFI boot entry starting GRUB had been removed and I had to boot on a live Linux USB distro to recreate it with efibootmgr.

bubbleguuum avatar Nov 11 '22 15:11 bubbleguuum

Thanks for the note. If possible - we really need to catch this and see if rolling back the BIOS to the previous version brings back the entries. I personally don't think it will - but the BIOS team wanted to confirm.

We're unable to reproduce which is making it really hard to figure out what the issue is. It's seemingly a rather rare occurrence :(

mark

mrhpearson avatar Nov 11 '22 21:11 mrhpearson

Thank you for the comment.

Note that the same thing happened a few months ago on this machine when I updated the BIOS the same way, but I did not report it. I wanted to update to a new BIOS today and check if that problem was still there, which it was. Since I can probably reproduce it (downgrading the BIOS, recreating my GRUB EFI entry if necessary, then upgrading again), I can if you wish do that test with any additional info you'd need (more logging, etc) to understand what happens. Let me know if I should enable anything for additional logging, or any other instructions. I'm on fwupd v1.8.6, packaged in openSUSE Tumbleweed.

bubbleguuum avatar Nov 11 '22 21:11 bubbleguuum

I also noticed that Secure Boot is disabled because it is in Setup Mode. All keys managed by mokutil have been removed.

~> mokutil --sb-state
SecureBoot disabled
Platform is in Setup Mode

So now I have to research how to fix this situation on openSUSE Tumbleweed...

As a side note, I just updated the Intel ME firmware with fwupdmgr and it did not cause the initial problem (loss of GRUB EFI entry).

bubbleguuum avatar Nov 12 '22 14:11 bubbleguuum

Thanks for the note - useful you can reproduce it and I'll forward those details to the FW team. I'm really intrigued by your system being in setup mode - can you go into the BIOS setup menu (F1 during early boot) and reset it so that it's no longer in setup mode? I wonder if somehow it's related? (grasping at straws a little bit)

mrhpearson avatar Nov 13 '22 00:11 mrhpearson

The same problem (all UEFI secure boot entries deleted, all UEFI boot entries deleted, Secure Boot disabled / Setup Mode activated) appeared again when updating the System Firmware from version 0.1.56 to 0.1.57:

[das_menschy@linux-on-20hr002mmx ~]$ sudo fwupdmgr get-history
LENOVO 20HR002MMX
│
... unimportant stuff ...
│     
└─System Firmware:
  │   Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
  │   Previous version:   0.1.56
  │   Update State:       Success
  │   Last modified:      2023-01-30 20:37
  │   GUID:               798ffd60-f10e-4ac4-8939-c8beabfe55b4
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • System requires external power source
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Cryptographic hash verification is available
  │                       • Device is usable for the duration of the update
  │ 
  └─ThinkPad X1 Carbon 5th:
        New version:      0.1.57
        Remote ID:        lvfs
        Release ID:       17085
        Summary:          Lenovo ThinkPad X1 Carbon 5th System Firmware
        License:          Proprietary
        Size:             9,4 MB
        Created:          2022-11-28
        Urgency:          High
        Tested by Lenovo:
          Tested:         2022-12-07
          Distribution:   debian 11
          Old version:    0.1.56
          Version[fwupd]: 1.5.7
        Vendor:           Lenovo
        Description:      
        Lenovo System Firmware Version 1.57
        
        Important updates
        
        • Update includes a security fix.
        
        New functions or enhancements
        
        • Updated the Diagnostics module to version 04.27.000.

I could see the "Reset system" message during the firmware update. I guess the deletion of all these variables happened during the "Reset system".

das-menschy avatar Feb 04 '23 09:02 das-menschy

@kmauleon and @ChiWei-Chen - tagging you as this is still under investigation by the FW team.

mrhpearson avatar Feb 06 '23 19:02 mrhpearson

As a quick update - we think we may have root cause on this issue. Still some work to do to confirm; and get a fix released but there is progress. Mark

mrhpearson avatar Mar 24 '23 19:03 mrhpearson

Hi, the FW team released N1MET73W (1.58) with the fix. Please give it a try, thanks. https://fwupd.org/lvfs/devices/com.lenovo.ThinkPadN1MET.firmware

ChiWei-Chen avatar May 31 '23 07:05 ChiWei-Chen