The Arch wiki has a section about fwupd and self-signed SecureBoot: https://wiki.archlinux.org/title/Fwupd# … r_own_keys
I'm using self-signed SecureBoot with sbctl. I didn't set up or manually sign anything, yet the upgrade worked (Framework 13). fwupd didn't prompt me about self-signed SecureBoot either.
How is this possible?
I tried to see if the UEFI executable is already signed but sbctl errors out:
> sudo sbctl verify /usr/lib/fwupd/efi/fwupdx64.efi
‼ /usr/lib/fwupd/efi/fwupdx64.efi permission denied. Can't read file
EDIT: Because it only looks in the ESP, as documented in the man page.
Before I restarted I checked the /boot folder; besides the UEFI capsule file there was nothing else added, and no new entry in efibootmgr either.
Last edited by Beemo (2025-03-16 20:43:46)
% pacman -F /usr/lib/fwupd/efi/fwupdx64.efi
usr/lib/fwupd/efi/fwupdx64.efi is owned by extra/fwupd-efi 1.7-1
Is this installed?
Last edited by Scimmia (2025-03-16 02:15:07)
I think so, the file and package exist.
> pacman -F /usr/lib/fwupd/efi/fwupdx64.efi
warning: database file for 'core' does not exist (use '-Fy' to download)
warning: database file for 'extra' does not exist (use '-Fy' to download)
> pacman -Qi fwupd-efi
Name : fwupd-efi
Version : 1.7-1
Description : EFI Application used by uefi-capsule plugin in fwupd
Architecture : any
URL : https://github.com/fwupd/fwupd-efi
Licenses : LGPL-2.1-or-later
Groups : None
Provides : None
Depends On : None
Optional Deps : None
Required By : fwupd
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 66.35 KiB
Packager : Frederik Schwan <freswa@archlinux.org>
Build Date : Sat 21 Sep 2024 21:50:59
Install Date : Thu 13 Feb 2025 04:08:10
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
It seems that the preferred method of firmware update (on-disk & firmware) doesn't need the fwupd-efi (fwupd*.efi): https://github.com/fwupd/fwupd/blob/mai … e-behavior
Though the README doesn't explicitly say this.
EDIT:
The UEFI specification linked by the README explains it more: the update is processed by the firmware, instead of being passed through the runtime API UpdateCapsule() (§ 7.5.3), which fwupd-efi uses. The chapter number should be § 7.5.5 instead.
https://github.com/fwupd/fwupd-efi/security
Last edited by Beemo (2025-03-16 20:54:08)
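Added example (not part of the thread and not fwupd's code): the capsule-on-disk delivery discussed above is advertised and requested through the UEFI global variables OsIndicationsSupported and OsIndications, so decoding them from efivarfs shows whether the firmware can process a capsule file from the ESP by itself. The flag values come from the UEFI specification; the two sample blobs are constructed.

```python
import struct
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # EFI_GLOBAL_VARIABLE GUID

# OsIndications / OsIndicationsSupported bits (UEFI specification).
FLAGS = {
    0x01: "BOOT_TO_FW_UI",
    0x02: "TIMESTAMP_REVOCATION",
    0x04: "FILE_CAPSULE_DELIVERY_SUPPORTED",
    0x08: "FMP_CAPSULE_SUPPORTED",
    0x10: "CAPSULE_RESULT_VAR_SUPPORTED",
}
FILE_CAPSULE = 0x04

# Constructed samples: 4 bytes of variable attributes + little-endian uint64.
SAMPLE_SUPPORTED = b"\x06\x00\x00\x00" + b"\x1d" + b"\x00" * 7
SAMPLE_REQUESTED = b"\x07\x00\x00\x00" + b"\x04" + b"\x00" * 7

def decode_os_indications(blob: bytes) -> int:
    """Strip the efivarfs attribute prefix and return the uint64 value."""
    if len(blob) != 12:
        raise ValueError(f"expected 12 bytes, got {len(blob)}")
    _attrs, value = struct.unpack("<IQ", blob)
    return value

def flag_names(value: int) -> list:
    return [name for bit, name in FLAGS.items() if value & bit]

def capsule_on_disk_state(supported_blob: bytes, requested_blob=None) -> dict:
    """supported: firmware can consume a capsule file; requested: OS asked for it."""
    supported = bool(decode_os_indications(supported_blob) & FILE_CAPSULE)
    requested = requested_blob is not None and bool(
        decode_os_indications(requested_blob) & FILE_CAPSULE)
    return {"supported": supported, "requested": requested}

def read_var(name: str):
    """Return the raw efivarfs content, or None if absent or unreadable."""
    try:
        return (EFIVARS / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None

if __name__ == "__main__":
    sup = read_var("OsIndicationsSupported")
    if sup is None:
        print("OsIndicationsSupported not readable (no efivarfs?)")
    else:
        print(flag_names(decode_os_indications(sup)))
        print(capsule_on_disk_state(sup, read_var("OsIndications")))
```

The firmware clears the request bit in OsIndications once it has processed the capsule, so "requested" is only true between staging the update and the reboot.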