Will my MSI Bravo 15 AMD laptop get the new Microsoft UEFI secure boot signing key?

invalid_user_name · September 4, 2025, 12:51am

I’m running Linux (Opensuse Tumbleweed). Laptop details → Purchased June 2021. AMD MSI Bravo 15 AMD Ryzen 7 4800H 15.6" 16GB A4DDR-212IN laptop. Model MS-16WK. S/N: K2104N0045901. BBAR748H16GXXDX10EMH.

Will this laptop get the new Microsoft UEFI secure boot signing key(s)? I’m mostly a tech noob.

Unfortunately I don’t have the original article that alerted me to this issue.

A person on the reddit/MSI forum said I will likely not get the new keys. Will my laptop fail to boot?

malcolmlewis · September 4, 2025, 2:48am

@invalid_user_name As root user run fwupdmgr get-updates the system should notify you that firmware updates are available? You can also run fwupdmgr security to get some insight.

arvidjaar · September 4, 2025, 3:55am

https://mjg59.dreamwidth.org/72892.html

invalid_user_name · September 4, 2025, 8:29am

@malcolmlewis Here’s the results.

advait@localhost:~> fwupdmgr get-updates
Devices with no available firmware updates: 
 • 2203:00 04F3:30AA
 • KEK CA
 • OM8PCP3512F-AI1
 • Option ROM UEFI CA
 • Seagate FireCuda 520 SSD ZP2000GM30002
 • System Firmware
 • Windows Production PCA
Devices with the latest available firmware version:
 • UEFI CA
 • UEFI dbx
No updates available
advait@localhost:~>

Does this mean my UEFI secure boot signing keys are up to date?

invalid_user_name · September 4, 2025, 8:33am

advait@localhost:~> fwupdmgr security
Host Security ID: HSI:0! (v2.0.14)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✘ SMM locked down:               Unlocked
✘ TPM v2.0:                      Not found

HSI-2
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✘ SPI write protection:          Disabled

HSI-3
✘ SPI replay protection:         Not supported
✘ CET Platform:                  Not supported
✘ Pre-boot DMA protection:       Disabled
✘ Suspend-to-idle:               Disabled
✘ Suspend-to-ram:                Enabled

HSI-4
✔ SMAP:                          Enabled
✘ Processor rollback protection: Disabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux swap:                    Disabled
✔ UEFI db:                       Valid
✘ Linux kernel lockdown:         Disabled
✘ Linux kernel:                  Tainted
✘ UEFI secure boot:              Disabled

This system has a low HSI security level.
 » https://fwupd.github.io/hsi.html#low-security-level

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

Host Security Events
  2025-06-03 04:21:13:  ✔ The UEFI certificate store is now up to date

Upload these anonymous results to the Linux Vendor Firmware Service to help other users? [y|N]:

Is this good news or bad news?

invalid_user_name · September 4, 2025, 8:40am

I’m now reading this article. It’s kinda dense.

After reading the article it seems like there’s nothing for me to worry about. That sound right?

invalid_user_name · September 4, 2025, 8:51am

This jumped out at me. Then I did some googling and looks like I don’t need to worry about it.

malcolmlewis · September 4, 2025, 10:10am

@invalid_user_name so the db is up to date, you don’t have secure boot on any way?

Your running Nvidia driver? Did you have a look at the kernel taint?

invalid_user_name · September 5, 2025, 10:15am

Here’s the details. Looks like no nvidia on my AMD laptop.

advait@localhost:~> lspci | grep VGA
08:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Renoir [Radeon Vega Series / Radeon Vega Mobile Series] (rev c6)
advait@localhost:~> 
advait@localhost:~> cat /proc/driver/nvidia/version
cat: /proc/driver/nvidia/version: No such file or directory
advait@localhost:~>

invalid_user_name · September 5, 2025, 10:19am

I’m a tech noob and I have no idea why the UEFI secure boot is disabled. I hired a Linux wizard to install my Tumbleweed. Maybe he disabled it for some reason?

I did some googling and it looks like having secure boot disabled on a Linux laptop is (mostly) not a big deal. That sound right?

invalid_user_name · September 5, 2025, 10:46am

I ran dmesg and got a very long output. Here’s the section with the word “tainted”.

[ 1279.242433] [   T2715] CPU: 9 UID: 0 PID: 2715 Comm: kworker/u64:3 **Tainted:** G           O        6.16.3-1-default #1 PREEMPT(voluntary) openSUSE Tumbleweed  3fff61d018dd46d9200d6e84030a89f171995bab
[ 1279.242438] [   T2715] **Tainted:** [O]=OOT_MODULE
[ 1279.242439] [   T2715] Hardware name: Micro-Star International Co., Ltd. Bravo 15 A4DDR/MS-16WK, BIOS E16WKAMS.110 10/29/2020
[ 1279.242441] [   T2715] Workqueue: amdgpu-reset-dev drm_sched_job_timedout [gpu_sched]
[ 1279.242450] [   T2715] RIP: 0010:amdgpu_irq_put+0x6f/0x90 [amdgpu]

Here’s the link to the full output of dmesg: openSUSE Paste

Anything I need to do about my “tainted” kernel? What commands should I run and what actions should I take?

hui · September 5, 2025, 11:02am

It is the out-of-tree kernel module of Virtualbox which taints the kernel. Nothing to worry about.

invalid_user_name · September 5, 2025, 2:06pm

Cool. Thanks.

system · October 5, 2025, 2:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.