fwupd / firmware-lenovo

Missing firmware for Lenovo Thinkpad hardware
121 stars 4 forks source link

[ThinkPad X1 Carbon Gen 9] failed to verify System Firmware: For System Firmware 0.1.51 expected ... #203

Closed arno01 closed 11 months ago

arno01 commented 2 years ago

Describe the question

Got my ThinkPad X1 Carbon Gen 9 mobo replaced due to a faulty charging port. (Common issues with some gen9 models).

Used fwupdmgr update, worked like a charm!

image image

After upgrading FW, decided to check fwupdmgr verify command. It says there are two issues:

1) getting failed to verify System Firmware:

root@x1gen9:~# fwupdmgr verify
Choose a device:
0.  Cancel
1.  0d5d05911800242bb1f35287012cdcbd9b381148 (Prometheus)
2.  dcd4118aa968110eaae58bf95432c9736be3a74e (System Firmware)
2
failed to verify System Firmware: For System Firmware 0.1.51 expected af3218af1484c0a9395fbc59a4190a181f6c7582|a5bc5b90f2b1117ee4c58d2a54a4eeaa0d5c90fe, got 46edb020ca3caadf14c878f6329f953f9b9aa478|76d832469d0239d7dd2dee918ce767add76c6fbf0b5171c1ee57b83b17f1cb99

2) additionally seeing failed to verify Prometheus: No device checksums for 10.01.3478575:

root@x1gen9:~# fwupdmgr verify
Choose a device:
0.  Cancel
1.  0d5d05911800242bb1f35287012cdcbd9b381148 (Prometheus)
2.  dcd4118aa968110eaae58bf95432c9736be3a74e (System Firmware)
1
failed to verify Prometheus: No device checksums for 10.01.3478575

fwupd version information

root@x1gen9:~# fwupdmgr --version
client version: 1.5.11
compile-time dependency versions
    gusb:   0.3.5

daemon version: 1.5.11

root@x1gen9:~# dpkg -l fwupd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version         Architecture Description
+++-==============-===============-============-=================================
ii  fwupd          1.5.11-0ubuntu2 amd64        Firmware update daemon
hughsie commented 2 years ago

Can you attach the output of fwupdmgr get-devices please.

hughsie commented 2 years ago

Lenovo specified the PCR0s of af3218af1484c0a9395fbc59a4190a181f6c7582 and a5bc5b90f2b1117ee4c58d2a54a4eeaa0d5c90fe for that firmware and model, but it appears your PCR0 isn't that for some reason. Also, (for Lenovo only) looking at https://fwupd.org/lvfs/components/10953/checksums it appears the PCR0 is not predictable at all -- @mrhpearson is there anything you can discover here? The PCR0 is supposed to be stable for a given system BIOS version...

arno01 commented 2 years ago

fwupdmgr get-devices

root@x1gen9:~# fwupdmgr get-devices
20XXS3JC1Q
│
├─Embedded Controller:
│     Device ID:          0dcf00f0d9fd0bb13798a121c27a2832d24e005e
│     Current version:    0.1.31
│     Minimum Version:    0.1.31
│     Vendor:             DMI:LENOVO
│     GUIDs:              61b65ccc-0116-4b62-80ed-ec5f089ae523
│                         d990bf20-e6c9-5ec7-adb6-876fa0dc613c ← UEFI\RES_{61B65CCC-0116-4B62-80ED-EC5F089AE523}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─Integrated Camera:
│     Device ID:          3fa281ddf80d8a06b8ee5d8beb48d38ee95a9627
│     Current version:    60.18
│     Vendor:             Chicony Electronics Co.,Ltd. (USB:0x04F2)
│     Serial Number:      0001
│     GUIDs:              08f48dd6-d6a2-5b4a-8108-8cdf5d247284 ← USB\VID_04F2&PID_B6EA&REV_6018
│                         30bb6882-12ea-5e20-84a6-29bb797a7b76 ← USB\VID_04F2&PID_B6EA
│     Device Flags:       • Updatable
│   
├─Intel Management Engine:
│     Device ID:          f5ce9130680686e23b90534dbe39aac2f20b1886
│     Current version:    240.23.1706
│     Minimum Version:    0.0.1
│     Vendor:             DMI:LENOVO
│     GUIDs:              c1b2be54-d7ed-4e24-a577-7c5f32bb7587
│                         1b208050-d03c-513f-9842-c59a40cb61b1 ← UEFI\RES_{C1B2BE54-D7ED-4E24-A577-7C5F32BB7587}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─Prometheus:
│     Device ID:          0d5d05911800242bb1f35287012cdcbd9b381148
│     Summary:            Fingerprint reader
│     Current version:    10.01.3478575
│     Vendor:             Synaptics (USB:0x06CB)
│     Install Duration:   2 seconds
│     Serial Number:      30823683517983
│     GUIDs:              896bb9a6-a8be-5727-8a3a-43ca249f6933 ← USB\VID_06CB&PID_00FC&REV_0000
│                         448868f0-e05d-5849-8fc4-b8fa1ec16bf5 ← USB\VID_06CB&PID_00FC
│     Device Flags:       • Updatable
│                         • Supported on remote server
│                         • Cryptographic hash verification is available
│   
├─SAMSUNG MZVL2512HCJQ-00BL7:
│     Device ID:          04e17fcf7d3de91da49a163ffe4907855c3648be
│     Summary:            NVM Express Solid State Drive
│     Current version:    AL2QGXA7
│     Vendor:             Samsung Electronics Co Ltd (NVME:0x144D)
│     Serial Number:      S64KNF0R326080
│     GUIDs:              4d7a2791-106b-5e72-9cfb-8ea3d89f5421 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801&REV_00
│                         310f81b5-6fce-501e-acfb-487d10501e78 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801
│                         60c89aac-f321-515b-b419-3cf02aa9d375 ← NVME\VEN_144D&DEV_A80A&REV_00
│                         bec63ed7-a95f-54fe-b8cc-8e9fee64ba5a ← NVME\VEN_144D&DEV_A80A
│                         af35834a-86e9-5d6e-af3b-78ce4a42cf4a ← SAMSUNG MZVL2512HCJQ-00BL7
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─System Firmware:
│ │   Device ID:          dcd4118aa968110eaae58bf95432c9736be3a74e
│ │   Current version:    0.1.51
│ │   Minimum Version:    0.1.39
│ │   Vendor:             LENOVO (DMI:LENOVO)
│ │   GUIDs:              14f3350e-cf63-4e68-a0d9-0af1d5389a17
│ │                       230c8b18-8d9b-53ec-838b-6cfc0383493a ← main-system-firmware
│ │                       59a02609-1196-5aae-8f0b-bc8d5757a603 ← UEFI\RES_{14F3350E-CF63-4E68-A0D9-0AF1D5389A17}
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │ 
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI Revocation Database
│       Current version:  267
│       Minimum Version:  267
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       GUIDs:            14503b3d-73ce-5d06-8137-77c68972a341 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649
│                         5971a208-da00-5fce-b5f5-1234342f9cf7 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649&ARCH_X64
│                         c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│                         f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Needs a reboot after installation
│     
├─UEFI Device Firmware:
│     Device ID:          b31d36d75483eb0d4699561f2beccb300f997177
│     Current version:    1509034
│     Vendor:             DMI:LENOVO
│     GUIDs:              7716d876-a9a6-4901-aa97-e3baef2813a9
│                         53a6d478-a91d-5ebf-a788-267d86cd808e ← UEFI\RES_{7716D876-A9A6-4901-AA97-E3BAEF2813A9}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          951659b7b7e5881998be9c8bf806032f121717ea
│     Current version:    1
│     Vendor:             DMI:LENOVO
│     GUIDs:              76ca0ad8-4a14-4389-b7e5-fd88791762ad
│                         c2e0f0f3-b5df-5db2-af1c-90610dc32b12 ← UEFI\RES_{76CA0AD8-4A14-4389-B7E5-FD88791762AD}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          ac0b52f7899799eb9156fd482b2dc8262b755c89
│     Current version:    16842761
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     GUIDs:              d115756c-5710-49db-a367-cf59e98db5a0
│                         d7b5f2be-e156-50fc-bc8d-68d02ea90fdb ← UEFI\RES_{D115756C-5710-49DB-A367-CF59E98DB5A0}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          366b468f7a3942aaad8f67a27a8b76dcf0e3af3b
│     Current version:    1409356129
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     GUIDs:              11fe9275-9b06-4c8d-853e-c6c61dd05891
│                         c73c595a-b009-5eb9-83f4-594867138af2 ← UEFI\RES_{11FE9275-9B06-4C8D-853E-C6C61DD05891}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          84c3b9112d5830c15a280a5555b60a2fd4926e69
│     Current version:    1.2.22.0
│     Vendor:             DMI:LENOVO
│     GUIDs:              aa096a98-94e6-479b-92f7-5771f6f2d96f
│                         3edab8fc-a48d-5066-92c4-cbdb22f60cb0 ← UEFI\RES_{AA096A98-94E6-479B-92F7-5771F6F2D96F}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          7b3df58892d71279869e1a3b86b2bbcd0365da33
│     Current version:    1
│     Vendor:             DMI:LENOVO
│     GUIDs:              626d93db-2c42-48c3-915a-71f968a81b04
│                         e9688c87-579e-59f0-8541-70ac22424169 ← UEFI\RES_{626D93DB-2C42-48C3-915A-71F968A81B04}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          21b5590c66352fa4eaf2a915004b22d0dd9bf9b1
│     Current version:    0
│     Vendor:             DMI:LENOVO
│     GUIDs:              3dd84775-ec79-4ecb-8404-74de030c3f77
│                         c646684a-e042-5b7e-b767-ae2d910e4dfd ← UEFI\RES_{3DD84775-EC79-4ECB-8404-74DE030C3F77}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          280bfd19f3ebb661441c6e47269186598fba2b7c
│     Current version:    1
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     GUIDs:              69585d92-b50a-4ad7-b265-2eb1ae066574
│                         b8b66c3c-cf18-5678-8475-88601a3dc2f4 ← UEFI\RES_{69585D92-B50A-4AD7-B265-2EB1AE066574}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          d90a8d506a2c5d5891093d6dfc35c9b0536d2a8e
│     Current version:    69145
│     Vendor:             DMI:LENOVO
│     GUIDs:              4e88068b-41b2-4e05-893c-db0b43f7d348
│                         c90427cb-e5e5-56c9-b056-959c3960fbf2 ← UEFI\RES_{4E88068B-41B2-4E05-893C-DB0B43F7D348}
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
└─UEFI Device Firmware:
      Device ID:          cff90200d7272bbe4f1049501f5383a4b6c1b37b
      Current version:    24600
      Minimum Version:    1
      Vendor:             DMI:LENOVO
      GUIDs:              0d803ee9-f231-4ad7-9cb8-563bcbe75c13
                          a59d25e6-7e2d-519b-96a8-3a0d53d28708 ← UEFI\RES_{0D803EE9-F231-4AD7-9CB8-563BCBE75C13}
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Needs a reboot after installation
                          • Device is usable for the duration of the update

root@x1gen9:~# 
arno01 commented 2 years ago

Have just gotten 84c3b9112d5830c15a280a5555b60a2fd4926e69 UEFI device FW update 1.2.22.0 -> 1.2.24.0, after:

root@x1gen9:~# fwupdmgr refresh --force
root@x1gen9:~# fwupdmgr update
# + reboot
root@x1gen9:~# diff -Nur get-devices.1 get-devices.2
--- get-devices.1   2022-02-09 14:51:14.504254782 +0100
+++ get-devices.2   2022-02-09 14:51:28.982925313 +0100
@@ -151,7 +151,8 @@
 │   
 ├─UEFI Device Firmware:
 │     Device ID:          84c3b9112d5830c15a280a5555b60a2fd4926e69
-│     Current version:    1.2.22.0
+│     Current version:    1.2.24.0
+│     Minimum Version:    0.0.0.1
 │     Vendor:             DMI:LENOVO
 │     GUIDs:              aa096a98-94e6-479b-92f7-5771f6f2d96f
 │                         3edab8fc-a48d-5066-92c4-cbdb22f60cb0 ← UEFI\RES_{AA096A98-94E6-479B-92F7-5771F6F2D96F}
arno01 commented 2 years ago

Oh, and the CPU voltage seem to have dropped from 1.0 V down to 0.8 V after the latest fwupdmgr update:

root@x1gen9:~# diff -Nur dmidecode.after.mobo.replacement.plus.fwupd-3rd-run dmidecode.after.mobo.replacement.plus.fwupd-4th-run 
--- dmidecode.after.mobo.replacement.plus.fwupd-3rd-run 2022-02-09 14:25:10.272641751 +0100
+++ dmidecode.after.mobo.replacement.plus.fwupd-4th-run 2022-02-09 14:40:28.843897855 +0100
@@ -485,7 +485,7 @@
        TM (Thermal monitor supported)
        PBE (Pending break enabled)
    Version: 11th Gen Intel(R) Core(TM) i7-1185G7 @ 3.00GHz
-   Voltage: 1.0 V
+   Voltage: 0.8 V
    External Clock: 100 MHz
    Max Speed: 3000 MHz
    Current Speed: 3000 MHz
@@ -740,7 +740,7 @@
 Handle 0x0035, DMI type 219, 106 bytes
 OEM-specific Type
    Header and Data:
-       DB 6A 35 00 01 04 01 45 02 00 A4 06 81 85 38 30
+       DB 6A 35 00 01 04 01 45 02 00 90 06 81 85 3B 30
        00 00 00 00 40 00 00 03 1F 00 00 C9 03 40 C4 02
        FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
        FF FF FF FF FF FF FF FF 03 00 00 00 80 00 00 00
@@ -863,8 +863,8 @@
 Handle 0x0045, DMI type 141, 30 bytes
 OEM-specific Type
    Header and Data:
-       8D 1E 45 00 54 48 4E 4B 00 00 50 00 00 00 76 2F
-       4E 01 00 00 00 00 06 CE 85 04 00 00 00 00
+       8D 1E 45 00 54 48 4E 4B 00 00 50 00 00 00 DB 94
+       4E 01 00 00 00 00 DF DF 85 04 00 00 00 00

 Handle 0x0046, DMI type 140, 15 bytes
 ThinkPad Embedded Controller Program

Not sure if that's expected.

hughsie commented 2 years ago

Not sure if that's expected.

¯_(ツ)_/¯

mrhpearson commented 2 years ago

Sorry for the slow reply - inbox got the better of me. I can reproduce the issue and have flagged it to the FW team for investigation. Internal ticket LO-1576 Thanks! Mark

lauaviin commented 2 years ago

mrhpearson Any updates on the issue?

arno01 commented 1 year ago

@mrhpearson any updates please?

updated logs

root@x1:~# fwupdmgr verify
0.  Cancel
1.  5792b48846ce271fab11c4a545f7a3df0d36e00a (Alder Lake-P Integrated Graphics Controller)
2.  65a54fb6ce182f0e75edf0e43047d547a0d61f0e (Prometheus)
3.  a083ebc5138e5e071ef7270cc9a8280722cc7adf (System Firmware)
Choose device [0-3]: 1
failed to verify Alder Lake-P Integrated Graphics Controller: failed to read firmware: Error reading from file: Input/output error
root@x1:~# fwupdmgr verify
0.  Cancel
1.  5792b48846ce271fab11c4a545f7a3df0d36e00a (Alder Lake-P Integrated Graphics Controller)
2.  65a54fb6ce182f0e75edf0e43047d547a0d61f0e (Prometheus)
3.  a083ebc5138e5e071ef7270cc9a8280722cc7adf (System Firmware)
Choose device [0-3]: 2
failed to verify Prometheus: No device checksums for 10.01.3478575
root@x1:~# fwupdmgr verify
0.  Cancel
1.  5792b48846ce271fab11c4a545f7a3df0d36e00a (Alder Lake-P Integrated Graphics Controller)
2.  65a54fb6ce182f0e75edf0e43047d547a0d61f0e (Prometheus)
3.  a083ebc5138e5e071ef7270cc9a8280722cc7adf (System Firmware)
Choose device [0-3]: 3
failed to verify System Firmware: No stored checksums for 0.1.37
root@x1:~# fwupdmgr --version
compile   org.freedesktop.fwupd         1.8.12
compile   com.hughsie.libxmlb           0.3.10
compile   com.hughsie.libjcat           0.1.9
runtime   org.freedesktop.fwupd-efi     1.4
compile   org.freedesktop.gusb          0.3.10
runtime   com.dell.libsmbios            2.4
runtime   org.freedesktop.gusb          0.4.5
runtime   org.freedesktop.fwupd         1.8.12
runtime   org.kernel                    6.2.0-26-generic

root@x1:~# dpkg -l fwupd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=================================
ii  fwupd          1.8.12-2     amd64        Firmware update daemon
root@x1:~# fwupdmgr get-devices
LENOVO 21CB007WCK
│
├─12th Gen Intel Core™ i7-1260P:
│     Device ID:          4bde70ba4e39b28f9eab1628f9dd6e6244c03027
│     Current version:    0x00000429
│     Vendor:             Intel
│     GUIDs:              b9a2dd81-159e-5537-a7db-e7101d164d3f ← cpu
│                         30249f37-d140-5d3e-9319-186b1bd5cac3 ← CPUID\PRO_0&FAM_06
│                         ab855c04-4ff6-54af-8a8a-d8193daa0cd8 ← CPUID\PRO_0&FAM_06&MOD_9A
│                         3ebbde86-d03e-549a-a8fd-02ebf9aa537a ← CPUID\PRO_0&FAM_06&MOD_9A&STP_3
│     Device Flags:       • Internal device
│   
├─Alder Lake-P Integrated Graphics Controller:
│     Device ID:          5792b48846ce271fab11c4a545f7a3df0d36e00a
│     Current version:    0c
│     Vendor:             Intel Corporation (PCI:0x8086)
│     GUIDs:              eaad9970-8e4d-56da-88ab-41a8c1e2811f ← PCI\VEN_8086&DEV_46A6
│                         ed0b9458-c2f1-54c5-9063-dea8f75b4039 ← PCI\VEN_8086&DEV_46A6&REV_0C
│                         15bf9dad-22cf-57a8-9ca1-eb3b08e0070e ← PCI\VEN_8086&DEV_46A6&SUBSYS_17AA22E7
│                         f9c988f0-e65e-5c87-9045-aa22a751c22f ← PCI\VEN_8086&DEV_46A6&SUBSYS_17AA22E7&REV_0C
│                         c4625510-a985-517c-8800-0ecfc6f68c8f ← PCI\VEN_8086&DEV_46A6&REV_00
│                         d7a0b6c6-3253-598e-9195-49093094c89a ← PCI\VEN_8086&DEV_46A6&SUBSYS_17AA22E7&REV_00
│     Device Flags:       • Internal device
│                         • Cryptographic hash verification is available
│   
├─Battery:
│     Device ID:          97b6fe9b220c7b9e1a3a1d9f404c00d4fe77ae7e
│     Summary:            UEFI ESRT device
│     Current version:    1.9.2
│     Minimum Version:    0.0.1
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     GUID:               25364b56-a8fe-4ef6-b35e-874ae4a83eb4
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─Embedded Controller:
│     Device ID:          632acf4927c0b5fb53519d6beed3b60adb73f1d5
│     Summary:            UEFI ESRT device
│     Current version:    0.1.18
│     Minimum Version:    0.1.18
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     GUID:               ec01fae4-c67a-42b4-bada-a7c1b9900897
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─Intel Management Engine:
│     Device ID:          2292ae5236790b47884e37cf162dcf23bfcd1c60
│     Summary:            UEFI ESRT device
│     Current version:    1.25.1932
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     GUID:               23192307-d667-4bdf-af1a-6059db171246
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─MZVL21T0HCLR-00BL7:
│     Device ID:          04e17fcf7d3de91da49a163ffe4907855c3648be
│     Summary:            NVM Express solid state drive
│     Current version:    EL2QGXA7
│     Vendor:             Samsung (NVME:0x144D)
│     Serial Number:      S64PNX0TA26888
│     GUIDs:              bec63ed7-a95f-54fe-b8cc-8e9fee64ba5a ← NVME\VEN_144D&DEV_A80A
│                         60c89aac-f321-515b-b419-3cf02aa9d375 ← NVME\VEN_144D&DEV_A80A&REV_00
│                         310f81b5-6fce-501e-acfb-487d10501e78 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801
│                         4d7a2791-106b-5e72-9cfb-8ea3d89f5421 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801&REV_00
│                         c0e40d86-e47a-57fe-8ed1-453e6d83a586 ← SAMSUNG MZVL21T0HCLR-00BL7
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│                         • Signed Payload
│   
├─Prometheus:
│ │   Device ID:          65a54fb6ce182f0e75edf0e43047d547a0d61f0e
│ │   Summary:            Fingerprint reader
│ │   Current version:    10.01.3478575
│ │   Vendor:             Synaptics (USB:0x06CB)
│ │   Install Duration:   2 seconds
│ │   Serial Number:      25291814075439
│ │   GUIDs:              448868f0-e05d-5849-8fc4-b8fa1ec16bf5 ← USB\VID_06CB&PID_00FC
│ │                       896bb9a6-a8be-5727-8a3a-43ca249f6933 ← USB\VID_06CB&PID_00FC&REV_0000
│ │   Device Flags:       • Updatable
│ │                       • Supported on remote server
│ │                       • Cryptographic hash verification is available
│ │                       • Signed Payload
│ │ 
│ └─Prometheus IOTA Config:
│       Device ID:        2ccad74a4991f166f0c971c0a1ededb9e3f4130b
│       Summary:          Fingerprint reader config
│       Current version:  0008
│       Minimum Version:  0008
│       Vendor:           Synaptics (USB:0x06CB)
│       GUIDs:            5cfe6094-5ba5-5713-b5a4-bc9d9c0f55df ← USB\VID_06CB&PID_00FC-cfg
│                         d9fbfaa0-2fc3-5225-aaf4-6c640029b473 ← USB\VID_06CB&PID_00FC&CFG1_3698&CFG2_0
│       Device Flags:     • Updatable
│                         • Only version upgrades are allowed
│                         • Signed Payload
│     
├─System Firmware:
│ │   Device ID:          a083ebc5138e5e071ef7270cc9a8280722cc7adf
│ │   Summary:            UEFI ESRT device
│ │   Current version:    0.1.37
│ │   Vendor:             Lenovo (DMI:LENOVO)
│ │   Update State:       Success
│ │   GUIDs:              34d84f45-4685-4019-b7e3-dba67b96ef7d
│ │                       230c8b18-8d9b-53ec-838b-6cfc0383493a ← main-system-firmware
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │ 
│ ├─BootGuard Configuration:
│ │     Device ID:        b0d4430dfa6bde9f0c22680df36dbc8c15c80753
│ │     Current version:  01
│ │     Vendor:           Intel Corporation (MEI:0x8086)
│ │     GUIDs:            dd17041c-09ea-4b17-a271-5b989867ec65
│ │                       fccad2fe-62ae-5879-b7a9-4ead7bce50f4 ← MEI\VEN_8086&DEV_51E0
│ │                       4837b81a-56c3-501f-8b4c-1e71882379fe ← MEI\VEN_8086&DEV_51E0&REV_01
│ │                       eae67b2f-2bc2-5c4f-8b82-b1b30ad69fff ← MEI\VEN_8086&DEV_51E0&SUBSYS_17AA22E7
│ │                       42b0c9e1-978e-5214-b3a0-8e0919f722c1 ← MEI\VEN_8086&DEV_51E0&SUBSYS_17AA22E7&REV_01
│ │     Device Flags:     • Internal device
│ │   
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI revocation database
│       Current version:  217
│       Minimum Version:  217
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       GUIDs:            14503b3d-73ce-5d06-8137-77c68972a341 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649
│                         5971a208-da00-5fce-b5f5-1234342f9cf7 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649&ARCH_X64
│                         c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│                         f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│                         • Only version upgrades are allowed
│                         • Signed Payload
│     
├─TPM:
│     Device ID:          c6a80ac3a22083423992a3cb15018989f37834d6
│     Current version:    1.512.0.0
│     Vendor:             ST Microelectronics (TPM:STM)
│     GUIDs:              ff71992e-52f7-5eea-94ef-883e56e034c6 ← system-tpm
│                         84df3581-f896-54d2-bd1a-372602f04c32 ← TPM\VEN_STM&DEV_0001
│                         bfaed10a-bbc1-525b-a329-35da2f63e918 ← TPM\VEN_STM&MOD_
│                         70b7b833-7e1a-550a-a291-b94a12d0f319 ← TPM\VEN_STM&DEV_0001&VER_2.0
│                         06f005e9-cb62-5d1a-82d9-13c534c53c48 ← TPM\VEN_STM&MOD_&VER_2.0
│     Device Flags:       • Internal device
│   
├─UEFI Device Firmware:
│     Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
│     Summary:            UEFI ESRT device
│     Current version:    70151
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               4e88068b-41b2-4e05-893c-db0b43f7d348
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          349bb341230b1a86e5effe7dfe4337e1590227bd
│     Summary:            UEFI ESRT device
│     Current version:    1
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               69585d92-b50a-4ad7-b265-2eb1ae066574
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          ae1abd099407b1d95698d69b7273f7fed5c6f35c
│     Summary:            UEFI ESRT device
│     Current version:    1410863573
│     Minimum Version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               04cb082c-77e9-4fd8-8832-94e0bdd2dfce
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          4b78f537b7d3e281a2ecbc83048b8856fb9eb98e
│     Summary:            UEFI ESRT device
│     Current version:    1.3.16.0
│     Vendor:             Lenovo (DMI:LENOVO)
│     Update State:       Success
│     GUID:               7e5534a3-2069-414b-90b6-3e365d2ccd09
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          2656b5b7e7c4f91fef1537f93095449cda5fb264
│     Summary:            UEFI ESRT device
│     Current version:    66048
│     Minimum Version:    66048
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               dcde6a43-bdd2-4da4-ace7-d005c112bd13
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          f95c9218acd12697af946874bfe4239587209232
│     Summary:            UEFI ESRT device
│     Current version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               76ca0ad8-4a14-4389-b7e5-fd88791762ad
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          d96de5c124b60ed6241ebcb6bb2c839cb5580786
│     Summary:            UEFI ESRT device
│     Current version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               626d93db-2c42-48c3-915a-71f968a81b04
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          f37fb01122dd62c773f4e84ec89737e059712d59
│     Summary:            UEFI ESRT device
│     Current version:    1
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               86a885ee-d71e-2ed6-0fc1-9d6ccc9677eb
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          36efb79c255f402f619fa9eb53cd659db51f2a04
│     Summary:            UEFI ESRT device
│     Current version:    12713984
│     Minimum Version:    57374
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               09f77c9f-1c5d-4616-bafb-bbb19f557480
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
├─UEFI Device Firmware:
│     Device ID:          11a7fbdd09ce583e58b899660fe10f147fd155a2
│     Summary:            UEFI ESRT device
│     Current version:    3552440
│     Vendor:             DMI:LENOVO
│     Update State:       Success
│     GUID:               6fbaaaff-982b-4b54-aae6-b82c5d89db22
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
└─UEFI Device Firmware:
      Device ID:          5bfc5b91c18ef8b751d3d052af77b69ebf738038
      Summary:            UEFI ESRT device
      Current version:    18417548
      Minimum Version:    1
      Vendor:             DMI:LENOVO
      Update State:       Success
      GUID:               62036a80-3968-4bf1-ab13-175eabbc4901
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Needs a reboot after installation
                          • Device is usable for the duration of the update
mrhpearson commented 1 year ago

The original issue of the PCR changing got closed and reviewing the above it seems there is something different going on so I have a separate ticket to track that (LO-2605). I can reproduce (and see the same on other platforms)

@hughsie - I haven't dug into what fwupdmgr is actually doing under the hood but given the different failure conditions highlighted above (File IO, no device checksums, no stored checksums) it looks like there might be multiple things going on and I'm guessing the FW team might need some guidelines into what they are missing from the process. Maybe we can take offline?

mrhpearson commented 1 year ago

Under investigation by the FW team. Something changed in the process so PCR0 checksum isn't listed - we're figuring out what and why that was

mrhpearson commented 1 year ago

The conclusion is that using PCR0 is a problem - it includes measurements of FW and the FW can change. For example the ME FW may be updated, and that is measured. Not sure exactly who/why/when the decision of removing PCR0 was made - but I suspect it was related to getting too many tickets where the measurement was incorrect.

Not sure what the answer is - but for now I think this issue has to be closed as effectively the FW team have chosen to not support this feature.

@hughsie - if we should have an offline conversation on how to address this let me know. Especially if I'm missing something critical :)