Please pardon me for this GitHub issue cross-post, but somebody on the forum may have encountered similar issues.
Lenovo Yoga 14AHP9 83DK, assisted secure boot setup with sbctl with both my own keys and the Microsoft certificate:
# sbctl verify
Verifying file database and EFI images in /boot...
✓ /boot/EFI/BOOT/BOOTX64.EFI is signed
✓ /boot/EFI/Linux/arch-linux-fallback.efi is signed
✓ /boot/EFI/Linux/arch-linux.efi is signed
✓ /boot/EFI/systemd/systemd-bootx64.efi is signed
✓ /boot/vmlinuz-linux is signed
failed to verify file /boot/EFI/Lenovo/BIOS/SelfHealing.fd: /boot/EFI/Lenovo/BIOS/SelfHealing.fd: invalid pe header
failed to verify file /boot/amd-ucode.img: /boot/amd-ucode.img: invalid pe header
failed to verify file /boot/loader/entries.srel: /boot/loader/entries.srel: invalid pe header
failed to verify file /boot/loader/loader.conf: /boot/loader/loader.conf: invalid pe header
failed to verify file /boot/loader/random-seed: /boot/loader/random-seed: invalid pe header
The sbctl developer suggested that messages about ucode and loader entries result from an sbctl bug, but I am nonetheless worried about SelfHealing.fd, since it's an EFI binary (and presumably a useful BIOS feature). Has anybody had experience with this SelfHealing.fd verification failure, and is it safe to proceed with enabling secure boot?
Last edited by flatmoll (2025-06-24 16:55:13)
Answer: yes, you can safely continue.
https://en.wikipedia.org/wiki/Portable_Executable
A wild guess:
Despite the confusing TeX-like ".fd" extension, the file seems to be a backup image itself and not a recovery executable to extract it (which I was afraid of not signing). See its size below (6 MB).
It is probably located in the EFI folder to be discoverable by the firmware when a restore is required.
$ ls -l /boot/EFI/Lenovo/BIOS/SelfHealing.fd
-rwxr-xr-x 1 root root 6303744 Jun 6 20:46 /boot/EFI/Lenovo/BIOS/SelfHealing.fd
For search engines: Lenovo Thinkpad Yoga Secure Boot BIOS SelfHealing
Last edited by flatmoll (2025-06-24 16:57:33)
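Only a PE/COFF image can carry a Secure Boot (Authenticode) signature, which is what the "invalid pe header" lines are about. The sketch below is an added example, not part of the original posts and not sbctl's code: it checks the PE headers of a file and whether a certificate table is present, without validating any signature. The function names, the `EFI/unsigned-example.efi` entry and all sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

def classify(data: bytes) -> str:
    """Return 'not-pe', 'pe-no-cert-table' or 'pe-with-cert-table'."""
    # DOS header: 'MZ' magic, with e_lfanew (offset of 'PE\0\0') at 0x3C.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF file header
    if opt + 2 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return "not-pe"
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        return "not-pe"
    dirs = opt + (96 if magic == 0x10B else 112)  # start of data directories
    entry = dirs + 4 * 8  # directory index 4 = Certificate Table
    if entry + 8 > len(data):
        return "pe-no-cert-table"
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    _, size = struct.unpack_from("<II", data, entry)
    # Presence of a certificate table only; the signature is NOT validated here.
    return "pe-with-cert-table" if count > 4 and size else "pe-no-cert-table"

def make_pe(cert_size: int) -> bytes:
    """Constructed minimal PE32+ headers for the demo (not a bootable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)
    struct.pack_into("<II", opt, 144, 0x1000, cert_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

# Constructed stand-ins named after paths in the sbctl output above.
SAMPLES = {
    "EFI/Linux/arch-linux.efi": make_pe(cert_size=1024),
    "EFI/unsigned-example.efi": make_pe(cert_size=0),  # hypothetical name
    "loader/loader.conf": b"timeout 3\n",
    "EFI/Lenovo/BIOS/SelfHealing.fd": bytes(64) + b"constructed placeholder",
}

def scan(root: str) -> dict:
    """Classify every regular file under root, e.g. scan('/boot') as root."""
    return {str(p): classify(p.read_bytes())
            for p in Path(root).rglob("*") if p.is_file()}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{classify(blob):20} {name}")
```

Files reported as `not-pe` are ones a PE signature check has nothing to inspect; `pe-no-cert-table` marks PE images with no embedded signature data.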