Broke UEFI?

Hello everyone, in an attempt to get this stylus to work I updated my BIOS to the latest version present here at time of writing (24-10-2025). This led to the automatic unlocking of my encrypted drive breaking, as the TPM had the measurement of the previous firmware as included in the keys.

I have regained access to the drive except for the fact that I can no longer enable secure boot.

Long story short: Programs now believe I am not using UEFI.

Specs

I am using Arch Linux. I am booting from UEFI and I enrolled the entries using efibootmgr.

I updated today.

I am running firmware version 3.06

I am using kernel 6.17.4-arch2-1

I am using the Framework 12 with the i5 configuration.

Outputs

❯ efibootmgr -v
No BootOrder is set; firmware will attempt recovery
❯ sbctl status
system is not booted with UEFI
❯ bootctl
systemd-boot not installed in ESP.
No default/fallback boot loader installed in ESP.
System:
      Firmware: n/a (n/a)
 Firmware Arch: x64
   Secure Boot: disabled (unsupported)
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: not supported

Random Seed:
 System Token: not set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/5f4e00ea-9dde-45c6-a151-12d8c787d92a)

No boot loaders listed in EFI Variables.

Boot Loader Entry Locations:
          ESP: /boot (/dev/disk/by-partuuid/5f4e00ea-9dde-45c6-a151-12d8c787d92a, $BOOT)
       config: /boot//loader/loader.conf: No such file or directory
        token: arch

Default Boot Loader Entry:
         type: Boot Loader Specification Type #2 (UKI, .efi)
        title: Arch Linux (6.17.4-arch2-1)
           id: arch-linux.efi
       source: /boot//EFI/Linux/arch-linux.efi (on the EFI System Partition)
     sort-key: arch
      version: 6.17.4-arch2-1
        linux: /boot//EFI/Linux/arch-linux.efi
      options: rd.luks.name=edcead35-2b84-4f13-a32f-fceb37718efe=root root=/dev/mapper/root
❯ ls /sys/firmware/efi
config_table  efivars  esrt  fw_platform_size  fw_vendor  runtime  runtime-map  systab
❯ sudo dmesg | grep -i efi

[    0.000000] efi: EFI v2.8 by INSYDE Corp.
[    0.000000] efi: ACPI=0x44afe000 ACPI 2.0=0x44afe014 TPMFinalLog=0x44906000 SMBIOS=0x3ffda000 MEMATTR=0x39064098 ESRT=0x39edd518 RNG=0x44a0df18 INITRD=0x39310418 TPMEventLog=0x44a0b018
[    0.000000] efi: Remove mem79: MMIO range=[0xc0000000-0xcfffffff] (256MB) from e820 map
[    0.000000] efi: Remove mem81: MMIO range=[0xff000000-0xffffffff] (16MB) from e820 map
[    0.004903] ACPI: UEFI 0x000000004498E000 0001CF (v01 INSYDE ADL-P-M  00000001 ACPI 00040000)
[    0.004950] ACPI: Reserving UEFI table memory at [mem 0x4498e000-0x4498e1ce]
[    0.026201] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 1910969940391419 ns
[    0.749783] efivars: Registered efivars operations
[    9.964990] systemd[1]: Clear Stale Hibernate Storage Info was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67).

What was attempted

Rolling back the update

fwupdmgr did not let me as I cannot enable secure boot, I managed to download the zip file tho and rolled it back to 3.04, which was what I had previously. I also restored all of my BIOS settings to default.
It still does not work.

Running an officially supported distro

I booted into an Ubuntu live media and replicated the bootctl output.

Please advise

I have no idea what exactly solved this, but I restored secure boot to factory settings, enabled it, then disabled it, and it now works.

I will do a later post on the stylus, I just want to test my machine with a Microsoft stylus first.

Apparently this is a recurring issue.

Yeah, had the exact same issue. Also Arch, also manual update to 3.06 and broke UEFI settings.
Basically what I had to do is reset the Secure Boot state to manufacturer, and then manually delete the PK key, to enable setup mode. Using the firmware delete keys option deletes a little bit much I guess and breaks efibootmgr and sbctl.


This worked, thank you.
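
Added example, not part of any post in this thread: a read-only Python check of the state discussed above (Secure Boot, setup mode, PK enrolment, BootOrder), read directly from efivarfs instead of through efibootmgr, sbctl or bootctl. It assumes the standard efivarfs layout (a 4-byte attribute header before each variable's data) and the UEFI global-variable GUID; the function and dictionary key names are this example's own.

```python
#!/usr/bin/env python3
"""Report Secure Boot related state straight from efivarfs (added example)."""
import struct
import sys
from pathlib import Path

# GUID of the UEFI global variable namespace (EFI_GLOBAL_VARIABLE in the UEFI spec).
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def read_var(efivars: Path, name: str):
    """Return the variable's data without the 4-byte attribute header, or None."""
    try:
        raw = (efivars / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:  # variable missing or file unreadable
        return None
    return raw[4:] if len(raw) >= 4 else None


def efi_state(efivars_dir="/sys/firmware/efi/efivars"):
    """Summarise what the kernel exposes; key names are this example's own."""
    efivars = Path(efivars_dir)
    if not efivars.is_dir():
        return {"efivarfs": "missing"}  # not mounted, or not booted via UEFI
    if not any(efivars.iterdir()):
        return {"efivarfs": "empty"}    # mounted, but no variables visible

    def flag(name):
        # SecureBoot and SetupMode are single-byte values: 1 = on, 0 = off.
        data = read_var(efivars, name)
        return None if not data else data[0] == 1

    order = read_var(efivars, "BootOrder") or b""
    order = order[: len(order) // 2 * 2]  # BootOrder is an array of uint16
    return {
        "efivarfs": "ok",
        "secure_boot": flag("SecureBoot"),
        "setup_mode": flag("SetupMode"),
        "pk_enrolled": bool(read_var(efivars, "PK")),  # no PK means setup mode
        "boot_order": [f"Boot{n:04X}" for (n,) in struct.iter_unpack("<H", order)],
    }


if __name__ == "__main__":
    for key, value in efi_state(*sys.argv[1:2]).items():
        print(f"{key:12} {value}")
```

A value of `None` for `secure_boot` or `setup_mode` means that variable was absent or unreadable, and an empty `boot_order` list means no BootOrder variable was found.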