I have a strange bug in the update manager GUI. The system updates are installed normally and then disappear from it when I reboot. But the Secure boot configuration item seems glitchy : I clicked install and reboot and it stays in the GUI as if I didn’t do anything, with the same ‘date’ in the ‘subtitle’. And this, several times.
When I start my laptop I have no problems with passing the encryption passphrase though. I put the one I’ve chosen, it validates it and I can login to my fedora account and do my stuff. No error messages linked to secure boot show up.
Has it happened to anybody ? Is it ‘just a visual glitch’ ?
It’s quite a strange problem so I don’t know how to describe it otherwise, I hope it’s understandable. Thank you for any info / input.
Detail to anyone who wasn’t present in my other posts, i run a dual boot system with Mint 22.1 Cinnamon and Fedora 42 Workstation, on an HP Pavilion 14 - ce2014nf laptop that I have since 2020. This year, I first dual booted Win10 and Mint in April 19, then erased Windows and had only Mint for few days last week, then dual booted Mint and Fedora last week on Thursday. It’s an AMD/Intel laptop so I don’t think I have Nvidia linked issues.
❯ sudo fwupdmgr refresh
[sudo] Mot de passe de louise :
Mise à jour lvfs
Téléchargement… [***************************************]
Successfully downloaded new metadata: Updates have been published for 1 local device
~ took 7s
❯ sudo fwupdmgr update
Devices with no available firmware updates:
• CT500P1SSD8
• HP UEFI Secure Boot DB
• HP UEFI Secure Boot KEK
• KEK CA
• System Firmware
• UEFI CA
• Windows Production PCA
Devices with firmware updates that need user action:
• UEFI dbx
‣ System power is too low
What do that all mean ?
Should I keep on or is this a bad idea ?
Knowing that CT500P1SSD8 is the laptop’s internal SSD which runs everything…
And ‘power too low’ (I’m at 20% battery so it needs charging regardless) was showed in the gui below the ‘subtitle’ too.
Is it really risky to use Fedora without secure boot by the way? If it didn’t install, I guess it’s what I’ve been doing until now.
Outside of those commands I didn’t do anything. I just restarted my laptop to be sure Fedora still launches and it does.
Secure boot hasn’t been all that secure in recent history. I think it is much better now, but if anything can get into your system with sufficient access to infect your boot files, it’s probably “game over” anyway for that system. The purpose of secure boot is to disallow booting from unsigned/untrusted boot files. But there are other mechanisms that should prevent such files from being present in the first place (under your /boot directory). As for them being loaded from other sources such as CDROMs, ideally, you wouldn’t boot your system with an untrustworthy drive connected.
I wouldn’t worry too much about secure boot. Secure boot is not a bad idea … unless the concept is abused to lock users out from using the software they want to use on their personal machines.
It looks like maybe the update is refusing to proceed on battery power? Does it work if your system is plugged-in?
I’ll try tomorrow with more power. I must admit that the other entries about secure boot in the forum freaked me out lol it dissuaded me for today when it didn’t want doing it
sudo fwupdmgr refresh
sudo fwupdmgr update
[sudo] Mot de passe de louise :
Metadata is up to date; use --force to refresh again.
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20230501 to 20241101? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest ║
║ release from Microsoft. ║
║ ║
║ An insecure version of Howyar's SysReturn software was added, due to a ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot. ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Effectuer l'opération ? [Y|n]:
Knowing that I have no windows file in my boot EFI anymore (erased it when I went on full Linux to have no Windows boot manager), is that message a good sign or a warning not to do it ?
Devices with no available firmware updates:
• CT500P1SSD8
• HP UEFI Secure Boot DB
• HP UEFI Secure Boot KEK
• KEK CA
• System Firmware
• UEFI CA
• Windows Production PCA
I see. I may do a clean install of Fedora after some time. If I activate it now, the USB boot wouldn’t be allowed in right ? What about when I have a problem and would need it to possibly clean up/restore my OS ?
The Fedora live system USB is also bootable with secure boot enabled. The only tricky point is to boot the system in the right mode, as the USB live system can also boot in classical legacy BIOS mode.
Yeah. So far I went to UEFI from grub multiple times, especially to boot the Fedora USB install so I guess that part is fine. My BIOS seems locked, anytime I go to it I can’t modify anything, it just does strident beeps.
If the Fedora USB launches even with secure boot, I may just wait until I do the reinstall and then activate it I guess.
Because of the BIOS being not cooperative, I admit I’m scared a bit lol but maybe since I can access UEFI it’s fine though.
Nah I meant, if someday the only solution I’d get is ‘go to bios’ but I can’t do anything, I’ll be sincerely lost lol but maybe I worry out of nothing since UEFI is accessible through grub and works no problem?
I’m not documented on how an OS works behind the scene at all, I’m really learning from scratch since I’ve moved to Linux one month ago and haven’t done any development/informatics job/studies before lol so sorry if I ask very basic questions. It’s the first time I actually document myself on this since well, before if anything weird I just went to the computer shop because windows didn’t give chances nor info to understand what all meant lol