On Fri, 29 Aug 2025 18:58:30 +0200 Andreas <[email protected]> wrote:
Package: fwupd
Version: 2.0.8-3
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
I am trying to update the firmware on my Lenovo X280. It errors as follows:
```
$ fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade System Firmware from 0.1.57 to 0.1.58? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Lenovo System Firmware Version 1.58 ║
║ ║
║ Important updates ║
║ ║
║ • Enhancement to address security vulnerabilities ║
║ ║
║ 20KES03000 must remain plugged into a power source for the duration of the ║
║ update to avoid damage. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Scheduling… [ ]
failed to write-firmware: Secure boot is enabled, but shim isn't installed to
EFI/systemd/shimx64.efi
```
Yes, shim isn't installed, on purpose as I'm using my own Secure Boot
keys/certs. But I don't see how shim should be involved in an EFI capsule-based
BIOS update.
On my system, shim-signed *is* installed. However, fwupdmgr fails exactly
the same way, with the same error message. This is because it expects
to work in EFI/systemd/, while debian installs things to EFI/debian/,
in particular, it is EFI/debian/shimx64.efi, not EFI/systemd/shimx64.efi.
Copying EFI/debian/shimx64.efi to EFI/systemd/shimx64.efi manually makes
it work. But I don't think this is the right solution.
Thanks,
/mjt
