Secure boot is enabled, but shim isn't installed to the EFI system partition
$ fwupdmgr --version
client version: 1.1.1
daemon version: 1.1.1
compile-time dependency versions
appstream-glib: 0.7.10
gusb: 0.3.0
efivar: 35

$ fwupdmgr get-devices
20HQS0LV00 System Firmware
  DeviceId: 1cbe298fc17877b6883e85560778ac0812f0a385
  Guid: 798ffd60-f10e-4ac4-8939-c8beabfe55b4
  Guid: 230c8b18-8d9b-53ec-838b-6cfc0383493a
  Plugin: uefi
  Flags: internal|updatable|require-ac|supported|registered|needs-reboot
  Version: 0.1.33
  VersionLowest: 0.1.14
  Icon: computer
  Created: 2018-08-17
  Modified: 2018-08-17
  UpdateState: failed
  UpdateError: Secure boot is enabled, but shim isn't installed to the EFI system partition

UEFI Device Firmware
  DeviceId: 6461040534f2259a0439361986adf73979fd836e
  Guid: c35736d2-9e47-4578-93e9-68d5b04ea77e
  Plugin: uefi
  Flags: internal|updatable|require-ac|registered|needs-reboot
  Version: 182.10.1196
  VersionLowest: 0.0.1
  Icon: audio-card
  Created: 2018-08-17

UEFI Device Firmware
  DeviceId: 6b3fcb33b92ea5cdd94954b276ad0b63ed14f9bb
  Guid: 74997a6b-1adf-4b12-b994-401f06ea8c72
  Plugin: uefi
  Flags: internal|updatable|require-ac|registered|needs-reboot
  Version: 0.1.19
  VersionLowest: 0.0.1
  Icon: audio-card
  Created: 2018-08-17

ThinkPad X1 Carbon Thunderbolt Controller
  DeviceId: 0ce8788ee1c567edffe7dccfda4d6fa7d219d776
  Guid: 89d9d1e6-9e4c-5f07-b5c1-603da3d61835
  Summary: Unmatched performance for high-speed I/O
  Plugin: thunderbolt
  Flags: internal|updatable|registered
  Vendor: Lenovo
  VendorId: TBT:0x0109
  Version: 15.00
  Icon: computer
  Created: 2018-08-17

$ efibootmgr -v
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0000,0017,0018,0019,001A,001B,0023,001D,001E
Boot0000* SecureBoot linux HD(1,GPT,b0a0807d-0592-40e9-adac-3bb724e9e305,0x800,0x80000)/File(\EFI\Secure\secure-boot-linux.efi)
Boot0002* SecureBoot 4.18.1+ HD(1,GPT,b0a0807d-0592-40e9-adac-3bb724e9e305,0x800,0x80000)/File(\EFI\Secure\secure-boot-4.18.1+.efi)
Boot0010 Setup FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011 Boot Menu FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012 Diagnostic Splash Screen FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013 Lenovo Diagnostics FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014 Startup Interrupt Menu FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0015 Rescue and Recovery FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0016 MEBx Hot Key FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
Boot0017* USB CD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot0018* USB FDD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot0019* NVMe0 VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001A* ATA HDD0 VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f600)
Boot001B* USB HDD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot001D Other CD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35406)
Boot001E Other HDD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f606)
Boot001F* IDER BOOT CDROM PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,1,0)
Boot0020* IDER BOOT Floppy PciRoot(0x0)/Pci(0x16,0x2)/Ata(0,0,0)
Boot0021* ATA HDD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0022* ATAPI CD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)
Boot0023* PCI LAN VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)

$ efivar -l | grep fw
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-798ffd60-f10e-4ac4-8939-c8beabfe55b4-0

$ tree /boot
/boot/
├── EFI
│   ├── arch
│   │   └── fw
│   │       ├── fwupd-3b8c8162-188c-46a4-aec9-be43f1d65697.cap
│   │       └── fwupd-798ffd60-f10e-4ac4-8939-c8beabfe55b4.cap
│   ├── Secure
│   │   ├── secure-boot-4.18.1+.efi
│   │   └── secure-boot-linux.efi
├── initramfs-4.18.1+.img
├── initramfs-linux-fallback.img
├── initramfs-linux.img
├── intel-ucode.img
├── vmlinuz-4.18.1+
└── vmlinuz-linux

- Operating system and version: ArchLinux (up-to-date as of 2018-08-17)
- installed with pacman
- Have you tried rebooting? no
- Are you using an NVMe disk? yes
- Is secure boot enabled (only for the UEFI plugin)? yes

$ sudo fwupdmgr update
Downloading 0.1.34 for 20HQS0LV00 System Firmware...
Decompressing… [***************************************]
Authenticating… [***************************************]
Updating 20HQS0LV00 System Firmware from 0.1.33 to 0.1.34… ]
Scheduling… [***************************************]
Secure boot is enabled, but shim isn't installed to the EFI system partition

I need to clarify that I use my own keys for UEFI secure boot, and sign a combined kernel+initramfs+command-line image. I've already signed the fwupdx64.efi with my keys. Do I need to install fwupdx64.efi.signed in /boot and activate it with efibootmgr myself?

/usr/lib/fwupd/efi/
├── fwupdx64.efi
└── fwupdx64.efi.signed
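
A read-only preflight for the state named in the error message, added here as an example: it is not part of the original report and is not fwupd's own lookup logic. It assumes the ESP is mounted at /boot as in the report and that a shim binary is any `shim*.efi` file on it; the sample tree and variable bytes are constructed.

```python
import os
import tempfile

# Standard UEFI global-variable GUID; efivarfs exposes SecureBoot under this name.
SECURE_BOOT_VAR = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def secure_boot_enabled(raw):
    """efivarfs prefixes the payload with a 4-byte attribute word; byte 4 is the flag."""
    if len(raw) < 5:
        raise ValueError("SecureBoot variable is truncated")
    return raw[4] == 1

def find_loaders(esp_root, prefix):
    """ESP-relative paths of .efi files whose name starts with prefix (FAT ignores case)."""
    hits = []
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            low = name.lower()
            if low.startswith(prefix) and low.endswith(".efi"):
                hits.append(os.path.relpath(os.path.join(dirpath, name), esp_root))
    return sorted(hits)

def preflight(raw_var, esp_root):
    """Classify the state behind 'Secure boot is enabled, but shim isn't installed'."""
    if not secure_boot_enabled(raw_var):
        return "secure-boot-off"
    if find_loaders(esp_root, "shim"):  # assumption: shim is named shim*.efi
        return "secure-boot-on/shim-present"
    return "secure-boot-on/no-shim"

def build_sample_esp():
    """Constructed sample: empty files laid out like the /boot tree in the report."""
    root = tempfile.mkdtemp(prefix="esp-sample-")
    for rel in ("EFI/arch/fw/fwupd-798ffd60-f10e-4ac4-8939-c8beabfe55b4.cap",
                "EFI/Secure/secure-boot-linux.efi",
                "EFI/Secure/secure-boot-4.18.1+.efi"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root

if __name__ == "__main__":
    # Constructed variable contents: attributes 0x00000006, value 1 (enabled).
    print(preflight(b"\x06\x00\x00\x00\x01", build_sample_esp()))
    if os.path.exists(SECURE_BOOT_VAR):  # live check, ESP assumed at /boot
        with open(SECURE_BOOT_VAR, "rb") as fh:
            print(preflight(fh.read(), "/boot"))
```

Because it only reads the variable and walks the directory, it can be run before `fwupdmgr update` to see which of the three states a machine is in.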