This is related to various discussions:
- Putting secureboot into setup mode breaks several efi-tools
- Can't enable secure boot setup mode - #5 by Alec_Miller
TLDR: clearing the Secure Boot DBX entries makes the Secure Boot status unrecognised, requiring a “Restore Secure Boot to factory settings” to fix.
As I am currently setting up a laptop again from scratch, I ran into this issue but with a complication; a “UEFI revocation database” update from 2025, available through fwupd, breaks the Secure Boot status as well. I have tested the following paths:
Path 1:
1. Secure Boot Factory Reset → SB status recognised
2. Install UEFI revocation database (SB dbx) update through fwupd → SB status recognised
3. Manually delete Secure Boot PK, KEK and db entries to enter setup mode → SB status unrecognised
Path 2:
1. Secure Boot Factory Reset → SB status recognised
2. Manually delete Secure Boot PK, KEK and db entries to enter setup mode → SB status recognised
   2a. (Unable to install SB dbx update at this point as SB is in setup mode)
3. Enroll keys in SB → SB status recognised
4. Install UEFI revocation database (SB dbx) update through fwupd → SB status unrecognised
So no matter which order you try to go from a factory reset, updating the DBX and enrolling your own keys breaks. All other firmware updates have been installed at the time of writing. If there is any workaround I would love to know.