Fwupd w/UEFI admin password set

A new firmware update was published to lvfs by the vendor of the laptop I am using. I have an admin password set to get into the UEFI.

fwupdmgr update

The boot messages while the update occurred indicated that the firmware updated successfully. When it automatically rebooted it hung at the vendor logo just after selecting the uefi boot device.

After much consternation and fiddling it looks like the issue might be related to the admin password being set. I both unset the admin password and removed the fedora and fwupd entries from the list of boot devices to try in the uefi setup. If I were to guess, there being a fwupd boot option at this point is wrong; fwupd should have removed it by then. The system finally booted back into f40 this time.

Next I reinstalled the fw

fwupdmgr reinstall <GUID>

and the firmware indicated it successfully updated which was followed by a successful reboot into f40 (again this is with no uefi admin password).

Are these firmware updates expected to work with an admin password on the UEFI? Does anybody else have to remove the admin password before updating firmware?


I don’t have and never use a bios password on my home system.
I really suspect that the fwupdmgr is not aware of a need to unlock the bios when a password is set so will continue with the motions but fail as it did for you.

Probably there needs to be a bug report so fwupdmgr can either warn about the locked bios and exit cleanly or provide a means to unlock it before attempting the update.
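
A pre-flight check along the lines suggested above, as an added example that is not part of the thread and is not fwupd's own code: it reads the kernel's firmware-attributes sysfs class to see whether a BIOS admin password is enabled before `fwupdmgr update` is run. It assumes the laptop's platform driver exposes that class (not every vendor does); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check the firmware admin password state before updating.
# Assumption: the platform driver exposes the kernel firmware-attributes
# class under /sys/class/firmware-attributes (not all vendors do).

# admin_pw_state [SYSFS_ROOT]
# Prints "set", "unset" or "unknown" (no bios-admin role could be read).
admin_pw_state() {
    root="${1:-/sys/class/firmware-attributes}"
    state=unknown
    for dir in "$root"/*/authentication/*/; do
        # An unmatched glob stays literal and is skipped here.
        [ -r "${dir}is_enabled" ] || continue
        role=$(cat "${dir}role" 2>/dev/null) || continue
        # Only the setup/admin password matters, not the power-on one.
        [ "$role" = "bios-admin" ] || continue
        if [ "$(cat "${dir}is_enabled")" = "1" ]; then
            echo set
            return 0
        fi
        state=unset
    done
    echo "$state"
}

# preflight [SYSFS_ROOT]
# Returns 1 when an admin password is set so the caller can stop and
# decide how to proceed; returns 0 otherwise.
preflight() {
    case "$(admin_pw_state "$1")" in
        set)
            echo "UEFI admin password is set; review before updating firmware." >&2
            return 1 ;;
        unknown)
            echo "Firmware password state is not exposed on this platform." >&2
            return 0 ;;
        *)
            return 0 ;;
    esac
}

# Usage (not executed here):  preflight && fwupdmgr update
```

An "unknown" result means the state could not be read, not that no password is set.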

Thank you for pointing out that questions about a specific piece of software included in fedora are better asked within the upstream project. Being so close to upstream is one of the best fedora features. Having very few patches applied by fedora packagers reduces their load and fixing any issue upstream brings better software to all linux users.

It is saddening that security practices are ignored and even denigrated by those answering questions on fedora branded assets, especially in light of how these assets cater to fedora (and more generally linux) neophytes. I recommend using best practices when it comes to uefi passwords, grub passwords, luks authentication, user authentication, sudo usage, selinux, systemd, software supply chain, minimizing attack vectors and the whole myriad of the computer security realm. The fedora distribution has a good reputation for continually improving security and I wholeheartedly support this effort. Even stating practices that are contrary is unhelpful.

Some especially interesting security features that have been proven relatively recently are bundled within the large topic of containerization. Podman, buildah, skopeo and images from trusted sources have garnered success. Maybe some day flatpaks will acquire real security improvements and verifiable software supply chain trust. All very exciting stuff.
