Firmware Updates with Secure Boot disabled?

The topic at hand is EFI Firmware updates with respect to Secure Boot. I have read FAQs and install guides, none of which appear to address the issue.

OS: Linux. Ubuntu 25.10 (Officially Supported) and Linux Mint 22.3 (Community)
Product: Framework 16 AMD Ryzen AI HX 370

Although nothing on the firmware page mentions Secure Boot at all, both the officially supported Ubuntu install guide and the community supported Linux Mint guide reference the official Secure Boot explained page: “Remember. We advice [sic] leaving this enabled - disabling may lead to issues with our various upgrade processes. This also means it will interfere with EFI firmware updates if secure boot is disabled. So before you disable it, make sure you acknowledge this. No EFI updaters if secure boot is disabled.”

So, although “Secure Boot is a choice”, it is explicitly stated that making the choice to disable it also disables firmware updates.

My issue is that I want both, otherwise if I choose to leave Secure Boot enabled, that interferes with VMware Workstation installing its kernel modules. Yes, I can manually fix that issue after each kernel update, but would prefer to avoid that not infrequent annoyance. But, if I disable Secure Boot, the docs claim the EFI Firmware won’t get updated.

Neither of those options is a joy. Having to patch VMware’s kernel modules (vmmon and vmnet) after breaking kernel API changes is hassle enough already, and now we’re adding having to deal with module signing after every minor kernel patch. No, don’t reply that I could “simply” switch to QEMU/KVM. One, if you think so, you’ve likely never tried (plus, VMware is already working on putting that technology under their Linux stack – I’ll wait). Two, VMware is just an example that matters to me. The issue is the choice of disabling Secure Boot and thus disabling firmware updates vs needing to deal with kernel module signing on whatever basis.

Can one just reboot, enable Secure Boot, boot to the EFI Shell on USB, update the firmware, disable secure boot, and go back to Linux? Is there a smoother path? What practical options exist?

I’ve already e-mailed Framework Support, but they want to get this into the Community Forum as well.
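A worked example, added here and not part of the post above or of Framework's own docs, for the two mechanics the post is juggling: reading the Secure Boot state straight from the UEFI variable (the same thing `mokutil --sb-state` reports), and re-signing VMware's vmmon/vmnet modules with an enrolled Machine Owner Key so they keep loading with Secure Boot on after a kernel update. A third sub-command wraps the fwupd calls that the firmware update itself goes through. The paths are assumptions: the MOK pair is where Ubuntu's `update-secureboot-policy --new-key` puts it, the VMware modules are assumed to be uncompressed `.ko` files in the running kernel's `misc/` directory, and `sign-file` is taken from the kernel headers package; all of them can be overridden with environment variables.

```shell
#!/bin/sh
# Added example, not code from the thread or from Framework.
# Assumed locations (override with environment variables).
MOK_KEY=${MOK_KEY:-/var/lib/shim-signed/mok/MOK.priv}
MOK_CERT=${MOK_CERT:-/var/lib/shim-signed/mok/MOK.der}
MODULE_DIR=${MODULE_DIR:-/lib/modules/$(uname -r)/misc}
SIGN_FILE=${SIGN_FILE:-/usr/src/linux-headers-$(uname -r)/scripts/sign-file}
# Well-known GUID of the EFI global variable namespace; SecureBoot lives there.
SB_EFIVAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print enabled/disabled/unknown for a SecureBoot efivarfs file. efivarfs
# exposes a 4-byte attribute header followed by the variable data; the
# SecureBoot variable is a single byte, 1 = enforcing.
sb_state() {
    f=${1:-$SB_EFIVAR}
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(od -An -tu1 -j4 -N1 "$f" | tr -d ' ')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Print signed/unsigned for a module file: modinfo only reports sig_key
# when a signature block is appended to the .ko.
module_sig() {
    if [ -n "$(modinfo -F sig_key "$1" 2>/dev/null)" ]; then
        echo signed
    else
        echo unsigned
    fi
}

# Append a signature from the MOK. Fails loudly if the key pair or the
# kernel's sign-file helper is missing instead of leaving the module
# unsigned; safe to re-run after every kernel update.
sign_module() {
    mod=$1
    [ -x "$SIGN_FILE" ] || { echo "sign-file not found at $SIGN_FILE" >&2; return 1; }
    { [ -r "$MOK_KEY" ] && [ -r "$MOK_CERT" ]; } || { echo "MOK key pair not found" >&2; return 1; }
    "$SIGN_FILE" sha256 "$MOK_KEY" "$MOK_CERT" "$mod" || return 1
    echo "$mod: $(module_sig "$mod")"
}

sign_vmware_modules() {
    rc=0
    for m in vmmon vmnet; do
        if [ -f "$MODULE_DIR/$m.ko" ]; then
            sign_module "$MODULE_DIR/$m.ko" || rc=1
        else
            echo "$MODULE_DIR/$m.ko not present; build the modules first" >&2
            rc=1
        fi
    done
    return $rc
}

report_status() {
    echo "Secure Boot: $(sb_state)"
    for m in vmmon vmnet; do
        if [ -f "$MODULE_DIR/$m.ko" ]; then
            echo "$m.ko: $(module_sig "$MODULE_DIR/$m.ko")"
        fi
    done
    return 0
}

case "${1:-status}" in
    status)   report_status ;;
    sign)     sign_vmware_modules ;;
    # Firmware updates go through fwupd and do not consult the Secure Boot
    # state; this is the path support's reply refers to.
    firmware) fwupdmgr refresh --force && fwupdmgr get-updates && fwupdmgr update ;;
    *)        echo "usage: $0 [status|sign|firmware]" >&2; exit 2 ;;
esac
```

The MOK has to be enrolled once (`mokutil --import MOK.der`, then confirm in the MokManager prompt on the next reboot) before shim will trust anything signed with it; after that, `sign` is the only step left after each kernel update. If your distribution compresses modules, sign the `.ko` before compression, since `sign-file` cannot operate on a `.ko.zst`.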

I don’t know where you are getting those quotes from.
I have Ubuntu 24.04 on a FW16 7840HS and secure boot is disabled. It has no adverse effects on firmware updates.
I can upgrade and downgrade without any problems with secure boot disabled.

@James3 is right. You do not need Secure Boot enabled to install firmware updates. The documentation on that GitHub page is wrong.

Anecdotally: I have never encountered a platform that allows you to disable Secure Boot which could not be updated with Secure Boot disabled.

I have the Framework 16 with the 7840 CPU. I have had this laptop since June of 2024. I quad boot Windows, Arch, Fedora and Ubuntu. I have never had secure boot enabled. I have successfully updated the firmware every time a new version became available, almost always while in beta.

> I don’t know where you are getting those quotes from

I linked the source, but it is here: linux-docs/misc/secure-boot.md at main · FrameworkComputer/linux-docs · GitHub

See #5 on that page. The quote is lifted directly from there.

This is the best news, that the official Framework page on Secure Boot is wrong!

Given the consensus, I have opened an issue to have it corrected.

I don’t really see it saying it disables EFI firmware updates if Secure Boot is disabled. But it does mention it may interfere with updates and also affect EFI firmware updates if it’s disabled. So what they probably mean is that if an EFI firmware update does run, it might have code that checks whether Secure Boot is enabled and fails if it isn’t.

Well, I’m not sure how else to take “make sure you acknowledge this. No EFI updaters if secure boot is disabled.”

I never suggested that it would impact Linux updates.

Here

Remember. We advice leaving this enabled - disabling may lead to issues with our various upgrade processes. This also means it will interfere with EFI firmware updates if secure boot is disabled. So before you disable it, make sure you acknowledge this. No EFI updaters if secure boot is disabled.

It clearly says disabling may lead to issues with updating processes. This also means it will interfere with EFI firmware updates if Secure Boot is disabled.

It does not mean EFI updates would not update, but it can probably fail if Secure Boot is disabled, depending on whether the EFI update image or file it downloads checks that Secure Boot is enabled. If it detects it as disabled, it will post “EFI update failed” or something, I guess.

Well, Jake, I just got another e-mail from Framework Support, and they doubled down on this, saying:

“Regarding this, ***if your workflow depends on Linux-only maintenance, you’ll need Secure Boot enabled for firmware updates as per the GitHub statement. If you disable it for kernel/module flexibility, you’ll have to temporarily re-enable Secure Boot when updates are needed.

If you normally run with Secure Boot disabled but want to apply a firmware update, you can re-enable Secure Boot, perform the update through fwupd, then disable it again afterward. This is often the most practical option.***”

I don’t know what to tell you. I did notice that there is a firmware update for my FW16, I installed it yesterday (and again, just now). I don’t know what happened yesterday, but after installing it again, it seems to have worked, as this discussion expects.

--- Noel

@Noel_J_Bergman

I think it best to ignore FW support in this particular case.
The fact is you do not need Secure Boot enabled for BIOS upgrades. Try it for yourself; it updates fine without it.

It appears the FW support people sometimes just cut/paste your question into chatgpt/copilot and blindly return that response to you, without fact checking it. In this case the chatgpt response from FW support is wrong.

I tend to agree with @James3

I’ve been running linux distros on various systems for a number of years and Secure Boot in BIOS is always disabled. Never had an issue with any BIOS, firmware, system or device updates.

I currently run a FW16 Laptop… same story.

My understanding, and from what I have read, is that Secure Boot is more of a Microsoft / Windows thing.

Having shared what I have shared… I guess I could still be wrong. But… this has been my experience with Linux and Secure Boot.

This has been corrected. Thanks for calling this out.


Firmware updates are not related to Secure Boot. You can update your BIOS with Secure Boot either enabled or disabled.