Fwupdmgr: KEK CA (2011 → 2023) - update fails

Hi all,
So I have this problem that, after some digging, I'm not able to solve so far.

# fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade KEK CA from 2011 to 2023?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the UEFI Signature Database (the "KEK") to the latest release   ║
║ from Microsoft, signed by LENOVO.                                            ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: 
Writing…                 [***************                        ]
failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Permission denied

also

Devices that were not updated correctly:
 • KEK CA (2011 → 2023)
Devices that have been updated successfully:
 • System Firmware (0.0.73 → 0.0.76)
 • UEFI CA (2011 → 2023)
 • UEFI dbx (20241101 → 20250902)

more info:

  • I have no dual boot, this is a Linux only machine (as it should be);
  • I have secure boot enabled;
  • I have changed the secure boot from “deployed” to “user mode”;
  • I have more than enough free space:
Filesystem     Type      Size  Used Avail Use% Mounted on
efivarfs       efivarfs  512K   96K  412K  19% /sys/firmware/efi/efivars
  • I have tried with enforce 0 (SELinux);
And I’m starting to be out of ideas… but still thinking that it might be a minor problem.

Any help on this is appreciated!
Thanks!
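
Added example (not part of the original post, and not fwupd's own code): a read-only check of the state the post describes, decoding the Secure Boot mode variables and the attribute mask of the KEK variable from efivarfs. The function names are this example's own; the variable names, GUID and attribute bits are those of the UEFI specification.

```python
import struct
from pathlib import Path

EFIVARS = "/sys/firmware/efi/efivars"
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE GUID
ATTR_FLAGS = {
    0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS", 0x04: "RUNTIME_ACCESS",
    0x08: "HARDWARE_ERROR_RECORD", 0x10: "AUTHENTICATED_WRITE_ACCESS",
    0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS", 0x40: "APPEND_WRITE",
}

def decode_efivar(raw):
    """An efivarfs file is a 4-byte little-endian attribute mask, then the payload."""
    if len(raw) < 4:
        raise ValueError("efivarfs entry shorter than its attribute header")
    (attrs,) = struct.unpack_from("<I", raw)
    return [n for bit, n in ATTR_FLAGS.items() if attrs & bit], raw[4:]

def read_flag(root, name):
    """Return a one-byte state variable as an int, or None if absent or unreadable."""
    try:
        _, data = decode_efivar((Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes())
    except (OSError, ValueError):
        return None
    return data[0] if data else None

def secure_boot_state(root=EFIVARS):
    """Map the four state variables to the mode names used by the UEFI spec."""
    names = ("SecureBoot", "SetupMode", "AuditMode", "DeployedMode")
    v = {n: read_flag(root, n) for n in names}
    if v["DeployedMode"] == 1:
        mode = "deployed"
    elif v["AuditMode"] == 1:
        mode = "audit"
    elif v["SetupMode"] == 1:
        mode = "setup"
    elif v["SetupMode"] == 0:
        mode = "user"
    else:
        mode = "unknown"  # variables missing, e.g. not booted via UEFI
    return {"secure_boot": v["SecureBoot"] == 1, "mode": mode}

def kek_attributes(root=EFIVARS):
    """Return (attribute names, payload size) for KEK, or None if unreadable."""
    try:
        names, data = decode_efivar((Path(root) / f"KEK-{EFI_GLOBAL}").read_bytes())
    except (OSError, ValueError):
        return None
    return names, len(data)

if __name__ == "__main__":
    print(secure_boot_state())
    print(kek_attributes())
```

When KEK carries TIME_BASED_AUTHENTICATED_WRITE_ACCESS, the firmware validates the signature on each write itself, independently of the caller's Unix privileges.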

Just to note I see the same problem. Current Leap-16.0 on Lenovo ThinkCentre M720t (i5-9400). KEK CA update offered by Discover, but fails with

failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Permission denied

CLI attempt using

fwupdmgr --verbose update

fails with an identical message (probably same back-end in use?)

Also may be relevant that Info Centre → Firmware security reports


✘ TPM v2.0: Not found

Host Security Events
2026-05-04 16:10:34: ✔ The UEFI certificate store is now up to date

Like ru1marante I do not know how to resolve this, any help very welcome please.
BR
Richard

Do you use sudo or su to get root?

Here it was working with su:

linux64:/home/stephan # fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ UEFI CA von 2011 auf 2023 aktualisieren?                                     ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the 3rd Party UEFI Signature Database (the "db") to the latest  ║
║ release from Microsoft.It also adds the latest OptionROM UEFI Signature      ║
║ Database update.                                                             ║
║                                                                              ║
║ UEFI CA und alle angeschlossenen Geräte sind während der Aktualisierung      ║
║ möglicherweise nicht nutzbar.                                                ║
╚══════════════════════════════════════════════════════════════════════════════╝
Operation durchführen? [Y|n]: 
Warten …                 [***************************************]]
Erfolgreich installierte Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ UEFI dbx von 20160809 auf 20250902 aktualisieren?                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ Some insecure versions of the IGEL bootloader were added, due to a security  ║
║ vulnerability that allowed an attacker to bypass UEFI Secure Boot.           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Operation durchführen? [Y|n]: 
UEFI dbx wird aktualisiert …                                     ] Weniger als eine Minute verbleiben…
Warten …                 [***************************************]]
Erfolgreich installierte Firmware
Devices with no available firmware updates:
 • Intenso SSD SATAIII
 • SPCC Solid State Disk
 • KEK CA
 • SBAT
 • SNV2S1000G
 • Windows UEFI CA
Ein Neustart ist erforderlich, um eine Aktualisierung abzuschließen. Jetzt neu starten? [y|N]: 

@Richard_MQ zypper in tpm2.0-tools should get it to show…

Previously using sudo, I just tried with su and it behaves exactly the same 😬

Thanks for the hint, info centre still shows Not Found though. I’ll re-boot later and see if that changes anything.