Putting secureboot into setup mode breaks several efi-tools

Meta: Apparently I cannot use the “bios” and “intel-us1” tags in the “Linux” subcategory? Why is that? I believe these would be the most appropriate tags for this post.

Hello everyone,

I was trying to enroll my own secureboot keys via sbctl (Arch Linux) on my new FW13 - Ultra Series One (i7 155H). Firmware is on the latest version (03.04):

[root@MYLAPTOP ~]# dmidecode -s bios-version
03.04

I’m encountering the following issue:

When I put secureboot into setup mode via:

Firmware settings → “Administer Secureboot” → “Erase all Secureboot Settings” → Enable → F10

Several efi-based tools stop working on subsequent boots.

  1. I cannot enroll my secureboot keys:
[root@MYLAPTOP ~]# sbctl enroll-keys
open /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c: no such file or directory
  2. sbctl seems to generally believe that I am not on an EFI system:
[root@MYLAPTOP ~]# sbctl status
system is not booted with UEFI
  3. efibootmgr doesn’t work anymore:
[root@MYLAPTOP ~]# efibootmgr
No BootOrder is set; firmware will attempt recovery
  4. And systemd also can’t reboot into firmware:
[root@MYLAPTOP ~]# systemctl reboot --firmware-setup
Cannot indicate to EFI to boot into setup mode: Firmware does not support boot into firmware.

Interestingly, there are still several efivars present.

[root@MYLAPTOP ~]# efivar -l
8be4df61-93ca-11d2-aa0d-00e098032b8c-dbxDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-dbDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-KEKDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-PKDefault
eac04db0-c87d-40c7-8582-78581ae1444b-XmlCli
3441803e-5a88-4941-82f0-858a1085276c-WIFI_MANAGER_IFR_NVDATA
b318a3fb-c98c-43f4-8655-c76133acde44-VtioCfg
aa1305b9-01f3-4afb-920e-c9b979a852fd-SecureBootData
f72deef6-13ef-4958-b027-0e45ce7fa45e-PasswordConfig
07a66697-d400-4903-b3da-67a61d2b7058-Tcg2ConfigInfo
02eea107-98db-400e-9830-460a1542d799-IP6_CONFIG_IFR_NVDATA
4d20583a-7765-4e7a-8a67-dcde74ee3ec5-HTTP_BOOT_CONFIG_IFR_NVDATA
98ae8272-ce5a-46be-9f5d-d9f9cbbb99f2-H2OFormDialogConfig
1f2d63e1-febd-4dc7-9cc5-ba2b1cef9c5b-FeData
ec87d643-eba4-4bb5-a1e5-3f3e36b20da9-PciBusSetup

Although a lot less than before putting secureboot into setup mode. (Would that list be helpful?)

These problems persist until I go back to the firmware settings and reset secureboot to the default keys. Rebooting or powering off and on by itself did not resolve my issues.

I will happily raise these problems to the maintainers of the respective tools, but since putting secureboot into setup mode reproducibly breaks several of them simultaneously, I have a strong hunch there is something wrong with the firmware here.

I guess I can try to enroll my keys from a flash drive via the firmware interface, but that is rather cumbersome, so I’ll wait for some replies before trying that.

Best and Happy Holidays!

1 Like
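Added example, not part of the original post and not code from sbctl, efibootmgr or systemd: a small check that tells a normal setup-mode state (SetupMode present and set to 1, PK absent) apart from the state shown above, where the UEFI global variables are not exposed at all. The variable set in `EXPECTED`, the helper names and both sample directories are assumptions constructed for illustration.

```python
import os
import tempfile

# EFI_GLOBAL_VARIABLE GUID, the same one that appears in the post's output.
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
# SetupMode and BootOrder are named in the post's errors; SecureBoot and
# OsIndicationsSupported are assumptions about what the other tools read.
EXPECTED = ("SetupMode", "SecureBoot", "BootOrder", "OsIndicationsSupported")

def read_data(efivars, name):
    """Return a variable's payload, or None if its efivarfs file is absent."""
    path = os.path.join(efivars, f"{name}-{EFI_GLOBAL}")
    try:
        with open(path, "rb") as fh:
            return fh.read()[4:]  # efivarfs prefixes 4 attribute bytes
    except FileNotFoundError:
        return None

def diagnose(efivars="/sys/firmware/efi/efivars"):
    """Classify the Secure Boot state that the OS can see."""
    if not os.path.isdir(efivars):
        return {"state": "no-efivarfs", "missing": list(EXPECTED)}
    missing = [n for n in EXPECTED if read_data(efivars, n) is None]
    setup = read_data(efivars, "SetupMode")
    if not setup:
        state = "globals-missing"   # the situation described in the post
    elif setup[0] == 1:
        state = "setup-mode"        # PK cleared, keys can be enrolled
    else:
        state = "user-mode"         # a PK is enrolled
    return {"state": state, "missing": missing,
            "pk_enrolled": read_data(efivars, "PK") is not None}

def make_sample(variables):
    """Build a constructed efivarfs-like directory so this runs offline."""
    root = tempfile.mkdtemp()
    for name, payload in variables.items():
        with open(os.path.join(root, f"{name}-{EFI_GLOBAL}"), "wb") as fh:
            fh.write(b"\x06\x00\x00\x00" + payload)  # BS|RT attributes
    return root

# Constructed samples: global-GUID names from the post's listing vs. setup mode.
BROKEN = make_sample({n: b"\x00" for n in
                      ("PKDefault", "KEKDefault", "dbDefault", "dbxDefault")})
HEALTHY = make_sample({"SetupMode": b"\x01", "SecureBoot": b"\x00",
                       "BootOrder": b"\x01\x00",
                       "OsIndicationsSupported": b"\x01" + b"\x00" * 7})

if __name__ == "__main__":
    for label, path in (("post", BROKEN), ("setup mode", HEALTHY)):
        print(label, diagnose(path))
```

Calling `diagnose()` with no argument reads the live `/sys/firmware/efi/efivars` on the machine being checked.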

About (only) the meta-point: that sounds like a forum bug, of a type the forum has suffered from before; I think you should post about that problem here.

1 Like

I went to the sbctl issue tracker before I found this message.
See Missing `/sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c` EFI variable file · Issue #407 · Foxboron/sbctl · GitHub

You can work around the issue by manually deleting the PK, KEK and DB keys in the firmware as described here: Can't enable secure boot setup mode - #5 by Alec_Miller