Fwupdmgr: KEK CA (2011 → 2023) - update fails

ru1marante · April 30, 2026, 4:08pm

Hi all,
so I have this problem that after some digging, I’m not able to solve so far.

#fwupdmgr update 
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade KEK CA from 2011 to 2023?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the UEFI Signature Database (the "KEK") to the latest release   ║
║ from Microsoft, signed by LENOVO.                                            ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: 
Writing…                 [***************                        ]
failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Permission denied

also

Devices that were not updated correctly:
 • KEK CA (2011 → 2023)
Devices that have been updated successfully:
 • System Firmware (0.0.73 → 0.0.76)
 • UEFI CA (2011 → 2023)
 • UEFI dbx (20241101 → 20250902)

more info:

I have no dual boot, this is a Linux only machine (as it should be);
I have secure boot enabled;
I have changed the secure boot from “deployed” to “user mode”;
I have more than enough free space:

Filesystem     Type      Size  Used Avail Use% Mounted on
efivarfs       efivarfs  512K   96K  412K  19% /sys/firmware/efi/efivars

I have tried with enforce 0 (SELinux);
and I’m starting to be out of ideas… but still thinking that it might be a minor problem.

Any help on this is appreciated!
Thanks!

Richard_MQ · May 12, 2026, 3:55pm

Just to note I see the same problem. Current Leap-16.0 on Lenovo ThinkCentre M720t (i5-9400). KEK CA update offered by Discover, but fails with

failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Permission denied

CLI attempt using

fwupdmgr --verbose update

fails with an identical message (probably same back-end in use?)

Also may be relevant that Info Centre → Firmware security reports

…
✘ TPM v2.0: Not found
…
Host Security Events
2026-05-04 16:10:34: The UEFI certificate store is now up to date

Like ru1marante I do not know how to resolve this, any help very welcome please.
BR
Richard

Sauerland · May 12, 2026, 6:22pm

Do you use sudo or su to get root?

Here it was working with su:

linux64:/home/stephan # fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ UEFI CA von 2011 auf 2023 aktualisieren?                                     ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the 3rd Party UEFI Signature Database (the "db") to the latest  ║
║ release from Microsoft.It also adds the latest OptionROM UEFI Signature      ║
║ Database update.                                                             ║
║                                                                              ║
║ UEFI CA und alle angeschlossenen Geräte sind während der Aktualisierung      ║
║ möglicherweise nicht nutzbar.                                                ║
╚══════════════════════════════════════════════════════════════════════════════╝
Operation durchführen? [Y|n]: 
Warten …                 [***************************************]]
Erfolgreich installierte Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ UEFI dbx von 20160809 auf 20250902 aktualisieren?                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ Some insecure versions of the IGEL bootloader were added, due to a security  ║
║ vulnerability that allowed an attacker to bypass UEFI Secure Boot.           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Operation durchführen? [Y|n]: 
UEFI dbx wird aktualisiert …                                     ] Weniger als eine Minute verbleiben…
Warten …                 [***************************************]]
Erfolgreich installierte Firmware
Devices with no available firmware updates:
 • Intenso SSD SATAIII
 • SPCC Solid State Disk
 • KEK CA
 • SBAT
 • SNV2S1000G
 • Windows UEFI CA
Ein Neustart ist erforderlich, um eine Aktualisierung abzuschließen. Jetzt neu starten? [y|N]:

malcolmlewis · May 12, 2026, 6:27pm

@Richard_MQ zypper in tpm2.0-tools should get it to show…

Richard_MQ · May 13, 2026, 7:46am

Previously using sudo, I just tried with su and it behaves exactly the same

Richard_MQ · May 13, 2026, 7:49am

Thanks for the hint, info centre still shows Not Found though. I’ll re-boot later and see if that changes anything.

ru1marante · May 22, 2026, 3:58pm

the successful updates that you show are not the problem… those also install fine in my machine… it’s this one that fails: Upgrade KEK CA from 2011 to 2023?

hui · May 22, 2026, 4:07pm

github.com/fwupd/fwupd

Offered update that fails: Upgrade KEK CA from 2011 to 2023 (DO NOT TRUST - AMI Test PK)

offen 07:55PM - 01 Sep 25 UTC

geschlossen 02:41PM - 11 Nov 25 UTC

travier

bug

**Describe the bug** First, thanks a lot for all the work on fwupd! fwupd offe…rs me an update but fails to install it: ``` $ sudo fwupdmgr update ╔══════════════════════════════════════════════════════════════════════════════╗ ║ Upgrade KEK CA from 2011 to 2023? ║ ╠══════════════════════════════════════════════════════════════════════════════╣ ║ This updates the UEFI Signature Database (the "KEK") to the latest release ║ ║ from Microsoft, signed by DO NOT TRUST - AMI Test PK. ║ ║ ║ ╚══════════════════════════════════════════════════════════════════════════════╝ Perform operation? [Y|n]: y Writing… [****************************** ] failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Invalid argument ``` Given the name, it might be an invalid one. ``` $ sudo fwupdmgr security Host Security ID: HSI:0 (v2.0.14) HSI-1 ✔ BIOS firmware updates: Enabled ✔ Platform debugging: Disabled ✔ SPI write: Disabled ✔ Supported CPU: Valid ✔ UEFI bootservice variables: Locked ✔ UEFI secure boot: Enabled ✘ SPI lock: Disabled ✘ SPI BIOS region: Unlocked ✘ TPM v2.0: Not found ✘ UEFI platform key: Invalid HSI-2 ✔ Platform debugging: Locked ✘ Intel BootGuard: Not supported ✘ IOMMU: Not found HSI-3 ✘ CET Platform: Not supported ✘ Pre-boot DMA protection: Disabled ✘ Suspend-to-idle: Disabled ✘ Suspend-to-ram: Enabled HSI-4 ✔ SMAP: Enabled ✘ Encrypted RAM: Not supported Runtime Suffix -! ✔ fwupd plugins: Untainted ✔ Linux kernel lockdown: Enabled ✔ Linux swap: Encrypted ✔ Linux kernel: Untainted ✔ UEFI db: Valid This system has a low HSI security level. » https://fwupd.github.io/hsi.html#low-security-level Host Security Events 2025-08-23 09:47:57: ✘ SPI BIOS region changed: Locked → Unlocked 2025-08-22 09:14:02: ✔ SPI BIOS region changed: Unlocked → Locked 2025-08-08 16:04:04: ✘ SPI BIOS region changed: Locked → Unlocked 2025-08-06 16:50:11: ✔ SPI BIOS region changed: Unlocked → Locked 2025-08-02 12:56:27: ✘ SPI BIOS region changed: Locked → Unlocked 2025-07-28 08:01:52: ✔ The UEFI certificate store is now up to date 2025-07-21 15:42:02: ✔ SPI BIOS region changed: Unlocked → Locked 2025-07-17 07:19:06: ✘ SPI BIOS region changed: Locked → Unlocked 2025-07-01 20:57:15: ✔ SPI BIOS region changed: Unlocked → Locked ``` ``` $ sudo mokutil --sb SecureBoot enabled $ mokutil --pk 9a3056b526 DO NOT TRUST - AMI Test PK ``` **Steps to Reproduce** ``` $ sudo fwupdmgr update ``` **Expected behavior** No update offered (if it is invalid) or update succeeds if it is valid. **fwupd version information** ```shell $ sudo fwupdtool get-report-metadata BatteryLevel: 101 BatteryThreshold: 10 BootTime: 1756732359 CompileVersion(com.hughsie.libjcat): 0.2.3 CompileVersion(com.hughsie.libxmlb): 0.3.23 CompileVersion(info.libusb): 1.0.29 CompileVersion(org.freedesktop.Passim): 0.1.10 CompileVersion(org.freedesktop.fwupd): 2.0.14 CpuArchitecture: x86_64 CpuModel: Intel Core™ i7-6800K CPU @ 3.40GHz DisplayState: connected DistroId: fedora DistroName: Fedora Linux DistroPrettyName: Fedora Linux 42.20250901.0 (Kinoite) DistroVariant: kinoite DistroVersion: 42 EfivarsNvramFree: 135232 EfivarsNvramUsed: 63433 FwupdSupported: True HostBaseboardManufacturer: MSI HostBaseboardProduct: X99A SLI PLUS(MS-7885) HostBiosMajorRelease: 05 HostBiosMinorRelease: 0b HostBiosVendor: American Megatrends Inc. HostBiosVersion: 1.D0 HostEnclosureKind: 3 HostFamily: Default string HostFirmwareMajorRelease: ff HostFirmwareMinorRelease: ff HostProduct: MS-7885 HostSku: Default string HostVendor: MSI KernelCmdline: usbcore.autosuspend=-1 KernelName: Linux KernelVersion: 6.16.3-200.fc42.x86_64 LidState: unknown PassimDownloadSaving: 13192993 PlatformArchitecture: x86_64 PowerState: ac RuntimeVersion(com.hughsie.libjcat): 0.2.3 RuntimeVersion(com.hughsie.libxmlb): 0.3.23 RuntimeVersion(org.freedesktop.fwupd): 2.0.14 RuntimeVersion(org.freedesktop.fwupd-efi): 1.6 RuntimeVersion(org.kernel): 6.16.3-200.fc42.x86_64 SELinux: enforcing DeviceId: a78789e613e56c1c95012d65ab44c7df9c788331 pre: CapsuleApplyMethod: nvram EspKind: c12a7328-f81f-11d2-ba4b-00a0c93ec93b EspPath: /boot/efi MissingCapsuleHeader: False post: LastAttemptStatus: 0x0 LastAttemptVersion: 0x1 linux_lockdown: LinuxLockdown: integrity uefi_pk: UefiPkKeyId: d79ce11b037c282cf608b056ba4d9e5038917740 uefi_capsule: BootloaderSupportsFwupd: False SecureBoot: Enabled UEFIUXCapsule: Disabled $ sudo fwupdtool hwids Computer Information -------------------- BiosVendor: American Megatrends Inc. BiosVersion: 1.D0 BiosMajorRelease: 5 BiosMinorRelease: 11 FirmwareMajorRelease: ff FirmwareMinorRelease: ff Manufacturer: MSI Family: Default string ProductName: MS-7885 ProductSku: Default string EnclosureKind: 3 BaseboardManufacturer: MSI BaseboardProduct: X99A SLI PLUS(MS-7885) Hardware IDs ------------ {df3c33cb-bdf4-54b9-aa82-f2353f736135} <- Manufacturer + Family + ProductName + ProductSku + BiosVendor + BiosVersion + BiosMajorRelease + BiosMinorRelease {1c7d4eec-d9e7-515d-b69c-b5214acc4dc3} <- Manufacturer + Family + ProductName + BiosVendor + BiosVersion + BiosMajorRelease + BiosMinorRelease {f9929ac6-59a3-570e-8081-740725affac1} <- Manufacturer + ProductName + BiosVendor + BiosVersion + BiosMajorRelease + BiosMinorRelease {e682ead2-d1c5-5726-8d7f-7d49c308ca7c} <- Manufacturer + Family + ProductName + ProductSku + BaseboardManufacturer + BaseboardProduct {ffc2289d-f69a-59bf-b6d5-4d4f31b2345d} <- Manufacturer + Family + ProductName + ProductSku {e0eb7b46-cf44-5e79-8fb1-5dc48956de3d} <- Manufacturer + Family + ProductName {56db4e95-9b05-541b-bd6b-884fa4ff296e} <- Manufacturer + ProductSku + BaseboardManufacturer + BaseboardProduct {5bb63485-7c67-5156-afb4-5dbdef1581d8} <- Manufacturer + ProductSku {bb04ffe3-4dda-5ac8-9072-09789136d6f9} <- Manufacturer + ProductName + BaseboardManufacturer + BaseboardProduct {3cf9413d-067c-5a0d-bae5-421d6ce9c7ee} <- Manufacturer + ProductName {56db4e95-9b05-541b-bd6b-884fa4ff296e} <- Manufacturer + Family + BaseboardManufacturer + BaseboardProduct {5bb63485-7c67-5156-afb4-5dbdef1581d8} <- Manufacturer + Family {513dfd34-2e9c-588b-a212-57710c540f52} <- Manufacturer + EnclosureKind {d5602e74-3916-5ed2-951d-26b47dc31d9e} <- Manufacturer + BaseboardManufacturer + BaseboardProduct {1944ee2f-f58d-5666-949f-3504bc6eb727} <- Manufacturer Extra Hardware IDs ------------------ {801d1d29-1a84-50ae-9402-b63b898df0fd} <- Manufacturer + Family + ProductName + ProductSku + BiosVendor {bb2cc835-2dff-5bb9-ae54-803dc8e90684} <- Manufacturer + Family + ProductName + BiosVendor {af2774d3-ea15-537d-a802-c2e6e257853a} <- Manufacturer + BiosVendor ``` Please note how you installed it (`apt`, `dnf`, `pacman`, source, etc): Part of Kinoite base image (Fedora 42) <summary>**fwupd device information**</summary> Please provide the output of the fwupd devices recognized in your system. ```shell $ sudo fwupdmgr get-devices --show-all-devices MSI MS-7885 │ ├─AMD Radeon RX 6700 XT: │ │ Device ID: 08740947f5235290dc47990eb8e3468dad7fe6b8 │ │ Summary: GV-R67XTEAGLE-12GD/F10/0CFE │ │ Current version: R67XTE │ │ Vendor: Advanced Micro Devices, Inc. [AMD/ATI] (PCI:0x1002) │ │ GUID: 95944dec-2ea0-5cf4-aaa3-35f3fb692641 ← AMD\113-D51221 │ │ Device Flags: • Internal device │ │ • Cryptographic hash verification is available │ │ • Can tag for emulation │ │ │ └─Unknown Device: │ Device ID: 57e35fbedc32c4e5e69c55e3d7810f7ae6f1427a │ Vendor: PNP:VSC │ Serial Number: VR2170100001 │ GUID: a12c3dc4-915c-51ea-a6f5-f3147f92c199 ← DRM\VEN_VSC&DEV_6B34 │ Device Flags: • Can tag for emulation │ ├─Core™ i7-6800K CPU @ 3.40GHz: │ Device ID: 4bde70ba4e39b28f9eab1628f9dd6e6244c03027 │ Current version: 0x0b000040 │ Vendor: Intel │ GUIDs: a935c535-b4a9-580f-bcf3-776b64dfd328 ← CPUID\PRO_0&FAM_06&MOD_4F │ 18800804-cac8-57ad-b534-fc5e4485ff94 ← CPUID\PRO_0&FAM_06&MOD_4F&STP_1 │ Device Flags: • Internal device │ ├─SBAT: │ Device ID: 6469856584e2f5873b2f148302e46c9313c7d054 │ Summary: Generation number based revocation mechanism │ Current version: 1.5.4 │ Vendor: OS:fedora │ GUID: 92f517f7-73b9-5373-a9b2-9da4b726178e ← UEFI\OS_fedora&VAR_SbatLevelRT │ Device Flags: • Updatable │ • Needs a reboot after installation │ • Signed Payload │ ├─SSD 850 EVO 500GB: │ Device ID: 026832ef919d46bbccf9efa3b78c7fbf9e744cb7 │ Summary: ATA drive │ Current version: EMT02B6Q │ Vendor: Samsung (ATA:0x144D, OUI:002538) │ Serial Number: S2RBNCAH112046P │ GUIDs: 4f91c57f-0080-5f61-95b8-c54899cc39cb ← IDE\Samsung_SSD_850_EVO_500GB_______________EMT02B6Q │ 086811eb-c412-5a0b-a319-7c37d3dd3e46 ← IDE\0Samsung_SSD_850_EVO_500GB_______________ │ 967c50bf-25a0-5394-b21d-5939967dade6 ← Samsung SSD 850 EVO 500GB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Can tag for emulation │ ├─SSD 860 QVO 1TB: │ Device ID: 202e6a83b828cc43eac0a765c18153c8011cb9db │ Summary: ATA drive │ Current version: RVQ02B6Q │ Vendor: Samsung (ATA:0x144D, OUI:002538) │ Serial Number: S4CZNF0MB16137A │ GUIDs: 50c33fd4-242e-5b80-84bb-ade4426a4b8a ← IDE\Samsung_SSD_860_QVO_1TB_________________RVQ02B6Q │ 78b69e45-01fb-566d-aaae-e7aa6ff0431c ← IDE\0Samsung_SSD_860_QVO_1TB_________________ │ 8f2db83f-1fb1-59bb-966a-88718689210c ← Samsung SSD 860 QVO 1TB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Can tag for emulation │ ├─SSD 870 EVO 4TB: │ Device ID: c321a110ae1c61a2083a8138ad9a892af7707f8f │ Summary: ATA drive │ Current version: SVT02B6Q │ Vendor: Samsung (ATA:0x144D, OUI:002538) │ Serial Number: S6BCNX0T201404N │ GUIDs: 6968727c-7898-5537-8529-913a57cc16d7 ← IDE\Samsung_SSD_870_EVO_4TB_________________SVT02B6Q │ 2df587c3-7c28-519f-8c10-af98edc3fbc6 ← IDE\0Samsung_SSD_870_EVO_4TB_________________ │ c4ba2aec-b057-5a6b-91e1-56079dd1bad9 ← Samsung SSD 870 EVO 4TB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Can tag for emulation │ ├─Samsung SSD 960 EVO 500GB: │ Device ID: 03281da317dccd2b18de2bd1cc70a782df40ed7e │ Summary: NVM Express solid state drive │ Current version: 1B7QCXE7 │ Vendor: Samsung Electronics Co Ltd (PCI:0x144D) │ Serial Number: S3EUNX0J100356J │ GUIDs: 5b3df2da-f745-5fd0-81de-5dafd7f0bf8c ← NVME\VEN_144D&DEV_A804 │ aed4d3c0-fd97-5e46-a32f-ff35e0692f6d ← NVME\VEN_144D&DEV_A804&SUBSYS_144DA801 │ 841f7890-a450-5aa7-8e16-9a4ad2bffedb ← Samsung SSD 960 EVO 500GB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Signed Payload │ • Can tag for emulation │ └─System Firmware: │ Device ID: a78789e613e56c1c95012d65ab44c7df9c788331 │ Summary: UEFI System Resource Table device (updated via NVRAM) │ Current version: 1 │ Minimum Version: 1 │ Vendor: MSI (DMI:American Megatrends Inc.) │ Update State: Success │ GUID: 7039436b-6acf-433b-86a1-368ec2ef7e1f │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ Device Requests: • Message │ ├─DO NOT TRUST - AMI Test PK: │ Device ID: 6924110cde4fa051bfdc600a60620dc7aa9d3c6a │ Summary: UEFI Platform Key │ Current version: 2013 │ Vendor: Unknown │ GUID: d3d15463-a33a-5f24-8537-156d42991c8d ← UEFI\CRT_D79CE11B037C282CF608B056BA4D9E5038917740 │ Device Flags: • Internal device │ ├─UEFI Key Exchange Key: │ │ Device ID: 2a4c23bfb79b5dabe474cb7b1b3e604645d6f9c6 │ │ Device Flags: • Internal device │ │ │ └─KEK CA: │ Device ID: b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7 │ Current version: 2011 │ Vendor: Microsoft (UEFI:Microsoft) │ GUIDs: 814e950f-1449-566a-a190-42c9d3a3a2df ← UEFI\VENDOR_Microsoft&NAME_Microsoft-KEK-CA │ dfa66406-6568-5bdf-bb8e-b53ddb4be4cf ← UEFI\CRT_9F402B1CC0243CBEDC58A525789816CCCA7687A9 │ Device Flags: • Internal device │ • Updatable │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Signed Payload │ • Can tag for emulation │ ├─UEFI Signature Database: │ │ Device ID: 0352a8acc949c7df21fec16e566ba9a74e797a97 │ │ Device Flags: • Internal device │ │ │ ├─Option ROM UEFI CA: │ │ Device ID: 92120fc1a625f725901333cbfec152b8d6e42d43 │ │ Current version: 2023 │ │ Vendor: Microsoft (UEFI:Microsoft) │ │ GUIDs: ca4668d9-734f-5b2b-aae8-8120b196f659 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-Option-ROM-UEFI-CA │ │ 965d1919-0e18-5b63-9ebd-e5d122cd11df ← UEFI\CRT_F45B559FC1C60F31B3071021298D5ED7D77280B0 │ │ Device Flags: • Internal device │ │ • Updatable │ │ • Needs a reboot after installation │ │ • Signed Payload │ │ • Can tag for emulation │ │ │ ├─UEFI CA: │ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0 │ │ Current version: 2023 │ │ Vendor: Microsoft (UEFI:Microsoft) │ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA │ │ 308281c7-d0c5-52e0-8c1a-810540de03df ← UEFI\CRT_7CD7437C555F89E7C2B50E21937E420C4E583E80 │ │ Device Flags: • Internal device │ │ • Updatable │ │ • Supported on remote server │ │ • Needs a reboot after installation │ │ • Signed Payload │ │ • Can tag for emulation │ │ │ └─Windows Production PCA: │ Device ID: ad7e00ec37f005ae10492bdb7f73aef0d2e20488 │ Current version: 2011 │ Vendor: Microsoft (UEFI:Microsoft) │ GUIDs: 675d2184-6c9a-59f1-a6f1-3c229b5dbb79 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-Windows-Production-PCA │ 0611d85d-99a4-5c50-8c17-fc5196226f85 ← UEFI\CRT_1A8B6903D64CC9AD09D12FCB355663A458A09EF0 │ Device Flags: • Internal device │ • Updatable │ • Needs a reboot after installation │ • Signed Payload │ • Can tag for emulation │ └─UEFI dbx: Device ID: 362301da643102b9f38477387e2193e57abaa590 Summary: UEFI revocation database Current version: 20250507 Minimum Version: 20250507 Vendor: UEFI:Microsoft Install Duration: 1 second GUID: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 Device Flags: • Internal device • Updatable • Supported on remote server • Needs a reboot after installation • Device is usable for the duration of the update • Only version upgrades are allowed • Signed Payload • Can tag for emulation ──────────────────────────────────────────────── Devices that were not updated correctly: • KEK CA (2011 → 2023) ``` </details> **Additional questions** - Operating system and version: Fedora Kinoite 42 (42.20250901.0) - Have you tried rebooting? Yes - Is this a regression? Not as far as I know I have found: - https://www.csoonline.com/article/3478127/secure-boot-no-more-leaked-key-faulty-practices-put-900-pc-server-models-in-jeopardy.html - https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/ - https://github.com/fwupd/fwupd/issues/2695 - https://github.com/fwupd/fwupd/issues/8909 - https://github.com/fwupd/fwupd/issues/5643 I'll try https://github.com/fwupd/fwupd/wiki/LVFS-Triaged-Issue:-dbx-efivarfs-IO-error next. Thanks

hui · May 22, 2026, 4:11pm

Seems like a common issue with different hardware/Bios manufacturers. There are a lot reports with the same issue independent from distribution. But no clear solution.

github.com/fwupd/fwupd

Offered update that fails: Upgrade KEK CA from 2011 to 2023 (DO NOT TRUST - AMI Test PK)

offen 07:55PM - 01 Sep 25 UTC

geschlossen 02:41PM - 11 Nov 25 UTC

travier

bug

**Describe the bug** First, thanks a lot for all the work on fwupd! fwupd offe…rs me an update but fails to install it: ``` $ sudo fwupdmgr update ╔══════════════════════════════════════════════════════════════════════════════╗ ║ Upgrade KEK CA from 2011 to 2023? ║ ╠══════════════════════════════════════════════════════════════════════════════╣ ║ This updates the UEFI Signature Database (the "KEK") to the latest release ║ ║ from Microsoft, signed by DO NOT TRUST - AMI Test PK. ║ ║ ║ ╚══════════════════════════════════════════════════════════════════════════════╝ Perform operation? [Y|n]: y Writing… [****************************** ] failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Invalid argument ``` Given the name, it might be an invalid one. ``` $ sudo fwupdmgr security Host Security ID: HSI:0 (v2.0.14) HSI-1 ✔ BIOS firmware updates: Enabled ✔ Platform debugging: Disabled ✔ SPI write: Disabled ✔ Supported CPU: Valid ✔ UEFI bootservice variables: Locked ✔ UEFI secure boot: Enabled ✘ SPI lock: Disabled ✘ SPI BIOS region: Unlocked ✘ TPM v2.0: Not found ✘ UEFI platform key: Invalid HSI-2 ✔ Platform debugging: Locked ✘ Intel BootGuard: Not supported ✘ IOMMU: Not found HSI-3 ✘ CET Platform: Not supported ✘ Pre-boot DMA protection: Disabled ✘ Suspend-to-idle: Disabled ✘ Suspend-to-ram: Enabled HSI-4 ✔ SMAP: Enabled ✘ Encrypted RAM: Not supported Runtime Suffix -! ✔ fwupd plugins: Untainted ✔ Linux kernel lockdown: Enabled ✔ Linux swap: Encrypted ✔ Linux kernel: Untainted ✔ UEFI db: Valid This system has a low HSI security level. » https://fwupd.github.io/hsi.html#low-security-level Host Security Events 2025-08-23 09:47:57: ✘ SPI BIOS region changed: Locked → Unlocked 2025-08-22 09:14:02: ✔ SPI BIOS region changed: Unlocked → Locked 2025-08-08 16:04:04: ✘ SPI BIOS region changed: Locked → Unlocked 2025-08-06 16:50:11: ✔ SPI BIOS region changed: Unlocked → Locked 2025-08-02 12:56:27: ✘ SPI BIOS region changed: Locked → Unlocked 2025-07-28 08:01:52: ✔ The UEFI certificate store is now up to date 2025-07-21 15:42:02: ✔ SPI BIOS region changed: Unlocked → Locked 2025-07-17 07:19:06: ✘ SPI BIOS region changed: Locked → Unlocked 2025-07-01 20:57:15: ✔ SPI BIOS region changed: Unlocked → Locked ``` ``` $ sudo mokutil --sb SecureBoot enabled $ mokutil --pk 9a3056b526 DO NOT TRUST - AMI Test PK ``` **Steps to Reproduce** ``` $ sudo fwupdmgr update ``` **Expected behavior** No update offered (if it is invalid) or update succeeds if it is valid. **fwupd version information** ```shell $ sudo fwupdtool get-report-metadata BatteryLevel: 101 BatteryThreshold: 10 BootTime: 1756732359 CompileVersion(com.hughsie.libjcat): 0.2.3 CompileVersion(com.hughsie.libxmlb): 0.3.23 CompileVersion(info.libusb): 1.0.29 CompileVersion(org.freedesktop.Passim): 0.1.10 CompileVersion(org.freedesktop.fwupd): 2.0.14 CpuArchitecture: x86_64 CpuModel: Intel Core™ i7-6800K CPU @ 3.40GHz DisplayState: connected DistroId: fedora DistroName: Fedora Linux DistroPrettyName: Fedora Linux 42.20250901.0 (Kinoite) DistroVariant: kinoite DistroVersion: 42 EfivarsNvramFree: 135232 EfivarsNvramUsed: 63433 FwupdSupported: True HostBaseboardManufacturer: MSI HostBaseboardProduct: X99A SLI PLUS(MS-7885) HostBiosMajorRelease: 05 HostBiosMinorRelease: 0b HostBiosVendor: American Megatrends Inc. HostBiosVersion: 1.D0 HostEnclosureKind: 3 HostFamily: Default string HostFirmwareMajorRelease: ff HostFirmwareMinorRelease: ff HostProduct: MS-7885 HostSku: Default string HostVendor: MSI KernelCmdline: usbcore.autosuspend=-1 KernelName: Linux KernelVersion: 6.16.3-200.fc42.x86_64 LidState: unknown PassimDownloadSaving: 13192993 PlatformArchitecture: x86_64 PowerState: ac RuntimeVersion(com.hughsie.libjcat): 0.2.3 RuntimeVersion(com.hughsie.libxmlb): 0.3.23 RuntimeVersion(org.freedesktop.fwupd): 2.0.14 RuntimeVersion(org.freedesktop.fwupd-efi): 1.6 RuntimeVersion(org.kernel): 6.16.3-200.fc42.x86_64 SELinux: enforcing DeviceId: a78789e613e56c1c95012d65ab44c7df9c788331 pre: CapsuleApplyMethod: nvram EspKind: c12a7328-f81f-11d2-ba4b-00a0c93ec93b EspPath: /boot/efi MissingCapsuleHeader: False post: LastAttemptStatus: 0x0 LastAttemptVersion: 0x1 linux_lockdown: LinuxLockdown: integrity uefi_pk: UefiPkKeyId: d79ce11b037c282cf608b056ba4d9e5038917740 uefi_capsule: BootloaderSupportsFwupd: False SecureBoot: Enabled UEFIUXCapsule: Disabled $ sudo fwupdtool hwids Computer Information -------------------- BiosVendor: American Megatrends Inc. BiosVersion: 1.D0 BiosMajorRelease: 5 BiosMinorRelease: 11 FirmwareMajorRelease: ff FirmwareMinorRelease: ff Manufacturer: MSI Family: Default string ProductName: MS-7885 ProductSku: Default string EnclosureKind: 3 BaseboardManufacturer: MSI BaseboardProduct: X99A SLI PLUS(MS-7885) Hardware IDs ------------ {df3c33cb-bdf4-54b9-aa82-f2353f736135} <- Manufacturer + Family + ProductName + ProductSku + BiosVendor + BiosVersion + BiosMajorRelease + BiosMinorRelease {1c7d4eec-d9e7-515d-b69c-b5214acc4dc3} <- Manufacturer + Family + ProductName + BiosVendor + BiosVersion + BiosMajorRelease + BiosMinorRelease {f9929ac6-59a3-570e-8081-740725affac1} <- Manufacturer + ProductName + BiosVendor + BiosVersion + BiosMajorRelease + BiosMinorRelease {e682ead2-d1c5-5726-8d7f-7d49c308ca7c} <- Manufacturer + Family + ProductName + ProductSku + BaseboardManufacturer + BaseboardProduct {ffc2289d-f69a-59bf-b6d5-4d4f31b2345d} <- Manufacturer + Family + ProductName + ProductSku {e0eb7b46-cf44-5e79-8fb1-5dc48956de3d} <- Manufacturer + Family + ProductName {56db4e95-9b05-541b-bd6b-884fa4ff296e} <- Manufacturer + ProductSku + BaseboardManufacturer + BaseboardProduct {5bb63485-7c67-5156-afb4-5dbdef1581d8} <- Manufacturer + ProductSku {bb04ffe3-4dda-5ac8-9072-09789136d6f9} <- Manufacturer + ProductName + BaseboardManufacturer + BaseboardProduct {3cf9413d-067c-5a0d-bae5-421d6ce9c7ee} <- Manufacturer + ProductName {56db4e95-9b05-541b-bd6b-884fa4ff296e} <- Manufacturer + Family + BaseboardManufacturer + BaseboardProduct {5bb63485-7c67-5156-afb4-5dbdef1581d8} <- Manufacturer + Family {513dfd34-2e9c-588b-a212-57710c540f52} <- Manufacturer + EnclosureKind {d5602e74-3916-5ed2-951d-26b47dc31d9e} <- Manufacturer + BaseboardManufacturer + BaseboardProduct {1944ee2f-f58d-5666-949f-3504bc6eb727} <- Manufacturer Extra Hardware IDs ------------------ {801d1d29-1a84-50ae-9402-b63b898df0fd} <- Manufacturer + Family + ProductName + ProductSku + BiosVendor {bb2cc835-2dff-5bb9-ae54-803dc8e90684} <- Manufacturer + Family + ProductName + BiosVendor {af2774d3-ea15-537d-a802-c2e6e257853a} <- Manufacturer + BiosVendor ``` Please note how you installed it (`apt`, `dnf`, `pacman`, source, etc): Part of Kinoite base image (Fedora 42) <summary>**fwupd device information**</summary> Please provide the output of the fwupd devices recognized in your system. ```shell $ sudo fwupdmgr get-devices --show-all-devices MSI MS-7885 │ ├─AMD Radeon RX 6700 XT: │ │ Device ID: 08740947f5235290dc47990eb8e3468dad7fe6b8 │ │ Summary: GV-R67XTEAGLE-12GD/F10/0CFE │ │ Current version: R67XTE │ │ Vendor: Advanced Micro Devices, Inc. [AMD/ATI] (PCI:0x1002) │ │ GUID: 95944dec-2ea0-5cf4-aaa3-35f3fb692641 ← AMD\113-D51221 │ │ Device Flags: • Internal device │ │ • Cryptographic hash verification is available │ │ • Can tag for emulation │ │ │ └─Unknown Device: │ Device ID: 57e35fbedc32c4e5e69c55e3d7810f7ae6f1427a │ Vendor: PNP:VSC │ Serial Number: VR2170100001 │ GUID: a12c3dc4-915c-51ea-a6f5-f3147f92c199 ← DRM\VEN_VSC&DEV_6B34 │ Device Flags: • Can tag for emulation │ ├─Core™ i7-6800K CPU @ 3.40GHz: │ Device ID: 4bde70ba4e39b28f9eab1628f9dd6e6244c03027 │ Current version: 0x0b000040 │ Vendor: Intel │ GUIDs: a935c535-b4a9-580f-bcf3-776b64dfd328 ← CPUID\PRO_0&FAM_06&MOD_4F │ 18800804-cac8-57ad-b534-fc5e4485ff94 ← CPUID\PRO_0&FAM_06&MOD_4F&STP_1 │ Device Flags: • Internal device │ ├─SBAT: │ Device ID: 6469856584e2f5873b2f148302e46c9313c7d054 │ Summary: Generation number based revocation mechanism │ Current version: 1.5.4 │ Vendor: OS:fedora │ GUID: 92f517f7-73b9-5373-a9b2-9da4b726178e ← UEFI\OS_fedora&VAR_SbatLevelRT │ Device Flags: • Updatable │ • Needs a reboot after installation │ • Signed Payload │ ├─SSD 850 EVO 500GB: │ Device ID: 026832ef919d46bbccf9efa3b78c7fbf9e744cb7 │ Summary: ATA drive │ Current version: EMT02B6Q │ Vendor: Samsung (ATA:0x144D, OUI:002538) │ Serial Number: S2RBNCAH112046P │ GUIDs: 4f91c57f-0080-5f61-95b8-c54899cc39cb ← IDE\Samsung_SSD_850_EVO_500GB_______________EMT02B6Q │ 086811eb-c412-5a0b-a319-7c37d3dd3e46 ← IDE\0Samsung_SSD_850_EVO_500GB_______________ │ 967c50bf-25a0-5394-b21d-5939967dade6 ← Samsung SSD 850 EVO 500GB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Can tag for emulation │ ├─SSD 860 QVO 1TB: │ Device ID: 202e6a83b828cc43eac0a765c18153c8011cb9db │ Summary: ATA drive │ Current version: RVQ02B6Q │ Vendor: Samsung (ATA:0x144D, OUI:002538) │ Serial Number: S4CZNF0MB16137A │ GUIDs: 50c33fd4-242e-5b80-84bb-ade4426a4b8a ← IDE\Samsung_SSD_860_QVO_1TB_________________RVQ02B6Q │ 78b69e45-01fb-566d-aaae-e7aa6ff0431c ← IDE\0Samsung_SSD_860_QVO_1TB_________________ │ 8f2db83f-1fb1-59bb-966a-88718689210c ← Samsung SSD 860 QVO 1TB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Can tag for emulation │ ├─SSD 870 EVO 4TB: │ Device ID: c321a110ae1c61a2083a8138ad9a892af7707f8f │ Summary: ATA drive │ Current version: SVT02B6Q │ Vendor: Samsung (ATA:0x144D, OUI:002538) │ Serial Number: S6BCNX0T201404N │ GUIDs: 6968727c-7898-5537-8529-913a57cc16d7 ← IDE\Samsung_SSD_870_EVO_4TB_________________SVT02B6Q │ 2df587c3-7c28-519f-8c10-af98edc3fbc6 ← IDE\0Samsung_SSD_870_EVO_4TB_________________ │ c4ba2aec-b057-5a6b-91e1-56079dd1bad9 ← Samsung SSD 870 EVO 4TB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Can tag for emulation │ ├─Samsung SSD 960 EVO 500GB: │ Device ID: 03281da317dccd2b18de2bd1cc70a782df40ed7e │ Summary: NVM Express solid state drive │ Current version: 1B7QCXE7 │ Vendor: Samsung Electronics Co Ltd (PCI:0x144D) │ Serial Number: S3EUNX0J100356J │ GUIDs: 5b3df2da-f745-5fd0-81de-5dafd7f0bf8c ← NVME\VEN_144D&DEV_A804 │ aed4d3c0-fd97-5e46-a32f-ff35e0692f6d ← NVME\VEN_144D&DEV_A804&SUBSYS_144DA801 │ 841f7890-a450-5aa7-8e16-9a4ad2bffedb ← Samsung SSD 960 EVO 500GB │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Signed Payload │ • Can tag for emulation │ └─System Firmware: │ Device ID: a78789e613e56c1c95012d65ab44c7df9c788331 │ Summary: UEFI System Resource Table device (updated via NVRAM) │ Current version: 1 │ Minimum Version: 1 │ Vendor: MSI (DMI:American Megatrends Inc.) │ Update State: Success │ GUID: 7039436b-6acf-433b-86a1-368ec2ef7e1f │ Device Flags: • Internal device │ • Updatable │ • System requires external power source │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ Device Requests: • Message │ ├─DO NOT TRUST - AMI Test PK: │ Device ID: 6924110cde4fa051bfdc600a60620dc7aa9d3c6a │ Summary: UEFI Platform Key │ Current version: 2013 │ Vendor: Unknown │ GUID: d3d15463-a33a-5f24-8537-156d42991c8d ← UEFI\CRT_D79CE11B037C282CF608B056BA4D9E5038917740 │ Device Flags: • Internal device │ ├─UEFI Key Exchange Key: │ │ Device ID: 2a4c23bfb79b5dabe474cb7b1b3e604645d6f9c6 │ │ Device Flags: • Internal device │ │ │ └─KEK CA: │ Device ID: b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7 │ Current version: 2011 │ Vendor: Microsoft (UEFI:Microsoft) │ GUIDs: 814e950f-1449-566a-a190-42c9d3a3a2df ← UEFI\VENDOR_Microsoft&NAME_Microsoft-KEK-CA │ dfa66406-6568-5bdf-bb8e-b53ddb4be4cf ← UEFI\CRT_9F402B1CC0243CBEDC58A525789816CCCA7687A9 │ Device Flags: • Internal device │ • Updatable │ • Needs a reboot after installation │ • Device is usable for the duration of the update │ • Signed Payload │ • Can tag for emulation │ ├─UEFI Signature Database: │ │ Device ID: 0352a8acc949c7df21fec16e566ba9a74e797a97 │ │ Device Flags: • Internal device │ │ │ ├─Option ROM UEFI CA: │ │ Device ID: 92120fc1a625f725901333cbfec152b8d6e42d43 │ │ Current version: 2023 │ │ Vendor: Microsoft (UEFI:Microsoft) │ │ GUIDs: ca4668d9-734f-5b2b-aae8-8120b196f659 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-Option-ROM-UEFI-CA │ │ 965d1919-0e18-5b63-9ebd-e5d122cd11df ← UEFI\CRT_F45B559FC1C60F31B3071021298D5ED7D77280B0 │ │ Device Flags: • Internal device │ │ • Updatable │ │ • Needs a reboot after installation │ │ • Signed Payload │ │ • Can tag for emulation │ │ │ ├─UEFI CA: │ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0 │ │ Current version: 2023 │ │ Vendor: Microsoft (UEFI:Microsoft) │ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA │ │ 308281c7-d0c5-52e0-8c1a-810540de03df ← UEFI\CRT_7CD7437C555F89E7C2B50E21937E420C4E583E80 │ │ Device Flags: • Internal device │ │ • Updatable │ │ • Supported on remote server │ │ • Needs a reboot after installation │ │ • Signed Payload │ │ • Can tag for emulation │ │ │ └─Windows Production PCA: │ Device ID: ad7e00ec37f005ae10492bdb7f73aef0d2e20488 │ Current version: 2011 │ Vendor: Microsoft (UEFI:Microsoft) │ GUIDs: 675d2184-6c9a-59f1-a6f1-3c229b5dbb79 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-Windows-Production-PCA │ 0611d85d-99a4-5c50-8c17-fc5196226f85 ← UEFI\CRT_1A8B6903D64CC9AD09D12FCB355663A458A09EF0 │ Device Flags: • Internal device │ • Updatable │ • Needs a reboot after installation │ • Signed Payload │ • Can tag for emulation │ └─UEFI dbx: Device ID: 362301da643102b9f38477387e2193e57abaa590 Summary: UEFI revocation database Current version: 20250507 Minimum Version: 20250507 Vendor: UEFI:Microsoft Install Duration: 1 second GUID: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64 Device Flags: • Internal device • Updatable • Supported on remote server • Needs a reboot after installation • Device is usable for the duration of the update • Only version upgrades are allowed • Signed Payload • Can tag for emulation ──────────────────────────────────────────────── Devices that were not updated correctly: • KEK CA (2011 → 2023) ``` </details> **Additional questions** - Operating system and version: Fedora Kinoite 42 (42.20250901.0) - Have you tried rebooting? Yes - Is this a regression? Not as far as I know I have found: - https://www.csoonline.com/article/3478127/secure-boot-no-more-leaked-key-faulty-practices-put-900-pc-server-models-in-jeopardy.html - https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/ - https://github.com/fwupd/fwupd/issues/2695 - https://github.com/fwupd/fwupd/issues/8909 - https://github.com/fwupd/fwupd/issues/5643 I'll try https://github.com/fwupd/fwupd/wiki/LVFS-Triaged-Issue:-dbx-efivarfs-IO-error next. Thanks

https://www.reddit.com/r/Fedora/comments/1s1sb7h/microsoft_kek_ca_needs_updating_but_its_unable_to/

system · June 21, 2026, 4:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.