Meta: Apparently I can not use the “bios” and “intel-us1” tags in the “Linux” subcategory? Why is that? I believe these would be the most appropriate tags for this post.
Hello everyone,
I was trying to enroll my own secureboot keys via sbctl (Arch linux) on my new FW13 - Ultra Series One (i7 155H). Firmware is on the latest version (03.04):
[root@MYLAPTOP ~]# dmidecode -s bios-version
03.04
I’m encountering the following issue:
When I put secureboot into setup mode via:
Firmware settings → “Administer Secureboot” → “Erase all Secureboot Settings” → Enable → F10
Several efi-based tools stop working on subsequent boots.
- I can not enroll my secureboot keys:
[root@MYLAPTOP ~]# sbctl enroll-keys
open /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c: no such file or directory
- sbctl seems to generally believe that I am not on efi system:
[root@MYLAPTOP ~]# sbctl status
system is not booted with UEFI
- efibootmgr doesn’t work anymore:
[root@MYLAPTOP ~]# efibootmgr
No BootOrder is set; firmware will attempt recovery
- And systemd also can’t reboot into firmware:
[root@MYLAPTOP ~]# systemctl reboot --firmware-setup
Cannot indicate to EFI to boot into setup mode: Firmware does not support boot into firmware.
Interestingly, there are still several efivars present.
[root@MYLAPTOP ~]# efivar -l
8be4df61-93ca-11d2-aa0d-00e098032b8c-dbxDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-dbDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-KEKDefault
8be4df61-93ca-11d2-aa0d-00e098032b8c-PKDefault
eac04db0-c87d-40c7-8582-78581ae1444b-XmlCli
3441803e-5a88-4941-82f0-858a1085276c-WIFI_MANAGER_IFR_NVDATA
b318a3fb-c98c-43f4-8655-c76133acde44-VtioCfg
aa1305b9-01f3-4afb-920e-c9b979a852fd-SecureBootData
f72deef6-13ef-4958-b027-0e45ce7fa45e-PasswordConfig
07a66697-d400-4903-b3da-67a61d2b7058-Tcg2ConfigInfo
02eea107-98db-400e-9830-460a1542d799-IP6_CONFIG_IFR_NVDATA
4d20583a-7765-4e7a-8a67-dcde74ee3ec5-HTTP_BOOT_CONFIG_IFR_NVDATA
98ae8272-ce5a-46be-9f5d-d9f9cbbb99f2-H2OFormDialogConfig
1f2d63e1-febd-4dc7-9cc5-ba2b1cef9c5b-FeData
ec87d643-eba4-4bb5-a1e5-3f3e36b20da9-PciBusSetup
Allthough a lot less than before putting secureboot into setup mode. (Would that list be helpfull?)
These problems persist until I go back to the firmware settings and reset secureboot to the default keys. Rebooting or powering off and on by itself did not resolve my issues.
I will happily raise these problems to the maintainers of the respective tools, but since putting secureboot into setup mode reproducibly breaks several of them simultaneously, I have a strong hunch there is something wrong with the firmware here.
I guess I can try to enroll my keys from a flash drive via the firmware interface, but that is rather cumbersome, so I’ll wait for some replies before trying that.
Best and Happy Holidays!