Fwupdmgr: Update fails with "Secure boot is enabled, but shim isn't installed to EFI/opensuse/shimx64.efi"

Hi,

my system is this:

Operating System: openSUSE Tumbleweed 20231106
KDE Plasma Version: 5.27.9
KDE Frameworks Version: 5.111.0
Qt Version: 5.15.11
Kernel Version: 6.5.9-1-default (64-bit)
Graphics Platform: Wayland
Processors: 16 Γ— AMD Ryzen 7 PRO 6850U with Radeon Graphics
Memory: 30.1 GiB of RAM
Graphics Processor: AMD Radeon Graphics
Manufacturer: LENOVO
Product Name: 21CHCTO1WW
System Version: ThinkPad T16 Gen 1

It has been installed with Secure Boot (and TPM) enabled and everything works really fine.

But when I try to update the firmware with fwupdmgr, I get error messages:

linux:/home/christian # fwupdmgr update
WARNUNG: Die UEFI-ESP-Partition ist mΓΆglicherweise nicht korrekt eingerichtet
Siehe https://github.com/fwupd/fwupd/wiki/PluginFlag:esp-not-valid fΓΌr weitere Informationen.
GerΓ€te mit keinen verfΓΌgbaren Firmware-Aktualisierungen: 
 β€’ Integrated RGB Camera
 β€’ SSD 980 PRO 2TB
 β€’ UEFI Device Firmware
 β€’ UEFI Device Firmware
 β€’ UEFI Device Firmware
 β€’ UEFI Device Firmware
 β€’ UEFI Device Firmware
 β€’ UEFI Device Firmware
 β€’ UEFI Device Firmware
GerΓ€te mit der neuesten verfΓΌgbaren Firmware-Version:
 β€’ Embedded Controller
╔══════════════════════════════════════════════════════════════════════════════╗
β•‘ System Firmware von 0.1.41 auf 0.1.46 aktualisieren?                         β•‘
╠══════════════════════════════════════════════════════════════════════════════╣
β•‘ This release contains the following changes:                                 β•‘
β•‘                                                                              β•‘
β•‘ β€’ [Important] Remove MSC mode.                                               β•‘
β•‘ β€’ (New) Add support for Maori keyboard.                                      β•‘
β•‘ β€’ (New) Enable smart card preboot function.                                  β•‘
β•‘ β€’ (Fix) Fixed issue where Lenovo logo interface lost during restart after    β•‘
β•‘ set Supervisor Password/Power-On Password/NVMe1Password.                     β•‘
β•‘ β€’ (Fix) Fixed issue where keyboard backlight does not remain after           β•‘
β•‘ returning from modern standby.                                               β•‘
β•‘ β€’ (Fix) Fixed issue where system hang up at Pre-Boot Authentication          β•‘
β•‘ interface after perform a normal scan operation with unregistered            β•‘
β•‘ fingerprint for 3 attempts.                                                  β•‘
β•‘ β€’ (Fix) Fixed issue where system will shutdown when dock power button is     β•‘
β•‘ pressed for 4s in the process of BIOS upgrade.                               β•‘
β•‘ β€’ (Fix) Fixed issue where β€œinvalid critical threshold” issue under           β•‘
β•‘ linux.                                                                       β•‘
β•‘ β€’ (Fix) Fixed issue where system can't change power-saver mode under         β•‘
β•‘ linux after wake up from DC+Lid open.                                        β•‘
β•‘                                                                              β•‘
β•‘ 21CHCTO1WW muss wΓ€hrend der gesamten Dauer der Aktualisierung an eine        β•‘
β•‘ Stromquelle angeschlossen bleiben, um SchΓ€den zu vermeiden.                  β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•
Operation durchfΓΌhren? [Y|n]: y
Entpacken …              [                                       ]]
Secure boot is enabled, but shim isn't installed to EFI/opensuse/shimx64.efi

These are the critical points:

Die UEFI-ESP-Partition ist mΓΆglicherweise nicht korrekt eingerichtet
Siehe PluginFlag:esp not valid Β· fwupd/fwupd Wiki Β· GitHub fΓΌr weitere Informationen.

Meaning the UEFI-ESP partition is not installed correctly.

And

Secure boot is enabled, but shim isn’t installed to EFI/opensuse/shimx64.efi

When I have a look at EFI/opensuse, I see this:

linux:/home/christian # ls -l /boot/efi/EFI/opensuse
insgesamt 4152
-rwxr-xr-x 1 root root      58  7. Nov 19:21 boot.csv
drwxr-xr-x 2 root root    4096  7. Nov 19:34 fw
-rwxr-xr-x 1 root root   63256  9. Okt 10:59 fwupdx64.efi
-rwxr-xr-x 1 root root     155  7. Nov 19:21 grub.cfg
-rwxr-xr-x 1 root root 2054000  7. Nov 19:21 grub.efi
-rwxr-xr-x 1 root root  331776  7. Nov 19:21 grubx64.efi
-rwxr-xr-x 1 root root  846096  7. Nov 19:21 MokManager.efi
-rwxr-xr-x 1 root root  934024  7. Nov 19:21 shim.efi

So, ok, there is no β€œshimx86.efi”, but shim.efi exist - and after all, it is a AMD64 system.

Any idea what might be the problem here and how to fix it?
Thanks for your input!

Addition:
The link leads to this suggestion

Set the ESP flag using parted /dev/nvme0nXXX set 1 esp on where /dev/nvme0nXXX is the device node that corresponds to the ESP partition – then retry the update.

When I try that, I get

linux:/home/christian # parted /dev/nvme0n1p1 set 1 esp on
Fehler: Keine UnterstΓΌtzung fΓΌr Flags

Error: No support for flags :confused:

I’m not sure that I understand the problem.

OpenSUSE installs β€œshim” as β€œshim.efi”, not as β€œshimx86.efi”. If you have β€œshim.efi” you could try copying that to β€œshimx86.efi” to see whether that helps.

Please, do not translate computer messages. Instead, make output in English and post here in English. Or post in corresponding language subforum.

Anyway

fwupd developer says it is not a bug.

Lenovo T470s - β€œSecure boot is enabled, but shim isn’t installed to the EFI system partition” Β· Issue #2084 Β· fwupd/fwupd Β· GitHub

You may consider submitting openSUSE bug report, because it is more or less integration issue beyond the scope of fwupd. Copying shim.efi to shimx64.efi does provide a workaround.

It is shimx64.efi.

First of all, thank you two for your replies, really appreciate it!

I am sure, that I don’t understand the problem… When everything is working with secure boot and UEFI the way it is installed by openSUSE, then why does fwupdmgr insist, that the .efi file has this very specific name?

Sorry, if I had known how to do that, I would have done.
My systems language is German as you can see, but still partly the messages are in english anyway. I just wanted to post it quickly, sorry.
Next time I will look up how to make the shell output english text before posting.

Strange enough, that it is marked as a problem then by fwupdmgr and it does not continue the update…
I had read that thread too, but I would have expected that when it was reported back in 2020, that either the fwupdmgr developers would have made it look for shim.efi or the distributions would use the naming of shimx64.efi that fwupdmgr looks for, by now.
But the way it looks, it has not been solved and users like me still get that error message and wonder what might be the problem…

I will try that as a quick fix, thanks.

Thanks for the suggestion, I will do that. Already have an account for the bugtracker.

Your are absolutely right, my mistake. Guess I was a little tired already and wanted to finish the post…

Thanks again!

I reported this as 1217138 – fwupdmgr update fails: Secure boot is enabled, but shim isn't installed to EFI/opensuse/shimx64.efi .

1 Like

Thanks a lot, robert.
I added my output to the ticket and am on CC now.