Closed gustafla closed 10 months ago
Out of interest, does it work if you enrol the default MS keys instead?
I'm having the exact same issue here:
TPM:
Device ID: f098ca39a715eccf184c23361aede08540bf345b
Previous version: 0.15.21
Update State: Failed
Update Error: failed to update to 0: error-unsuccessful
Last modified: 2023-07-10 10:52
GUID: 8d5056e5-7a0a-4bcd-bf92-7d16212b72aa
Device Flags: • Internal device
• Updatable
• System requires external power source
• Needs a reboot after installation
• Device is usable for the duration of the update
We also have custom Secure Boot keys enrolled.
Unfortunately, I can't use the default keys, that are shipped with my Lenovo ThinkPad T16 Gen1
, which would result in Arch not booting anymore.
Installed Software:
~ pacman -Q fwupd linux
fwupd 1.9.2-2
linux 6.4.1.arch2-1
as per ODM dev, can you please provide the following information... BIOS version Linux OS version fwupdmgr get-devices results
I was able to install this update. The solution is a bit cumbersome, but very much doable when you find a bit of extra time for it. First of all, disable SecureBoot and check that your PC still boots. Then reboot back to firmware setup and clear the security device. After that, run fwupdmgr update
, which now will finish successfully. Then, re-do SecureBoot setup again (for this, I use sbctl
).
Here is my get-devices
after the update.
LENOVO 21CMCTO1WW
│
├─Embedded Controller:
│ Device ID: 36efb79c255f402f619fa9eb53cd659db51f2a04
│ Summary: UEFI ESRT device
│ Current version: 0.1.27
│ Minimum Version: 0.1.27
│ Vendor: Lenovo (DMI:LENOVO)
│ Update State: Success
│ GUID: 66d6a3ef-a771-4302-9cd0-d062c79c5ef2
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─Integrated Camera:
│ Device ID: 91c9a317b30acf7c0cd967f2ce6925d518ef19a7
│ Current version: 10.22
│ Vendor: (USB:0x174F)
│ Serial Number: 0001
│ GUID: 0cf3aef8-c29e-5cb8-997c-d498ed52b666 ← USB\VID_174F&PID_1812
│ Device Flags: • Updatable
│
├─MZVL21T0HCLR-00BL7:
│ Device ID: 03281da317dccd2b18de2bd1cc70a782df40ed7e
│ Summary: NVM Express solid state drive
│ Current version: EL2QGXA7
│ Vendor: Samsung (NVME:0x144D)
│ Serial Number: S64PNX0TC96079
│ GUIDs: bec63ed7-a95f-54fe-b8cc-8e9fee64ba5a ← NVME\VEN_144D&DEV_A80A
│ 310f81b5-6fce-501e-acfb-487d10501e78 ← NVME\VEN_144D&DEV_A80A&SUBSYS_144DA801
│ c0e40d86-e47a-57fe-8ed1-453e6d83a586 ← SAMSUNG MZVL21T0HCLR-00BL7
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Signed Payload
│
├─System Firmware:
│ Device ID: d96de5c124b60ed6241ebcb6bb2c839cb5580786
│ Summary: UEFI ESRT device
│ Current version: 0.1.35
│ Vendor: Lenovo (DMI:LENOVO)
│ Update State: Success
│ GUIDs: 6ab943b7-f4d4-aaa1-2f40-cb03a0c8cf3c
│ 230c8b18-8d9b-53ec-838b-6cfc0383493a ← main-system-firmware
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Cryptographic hash verification is available
│ • Device is usable for the duration of the update
│
├─TPM:
│ Device ID: a083ebc5138e5e071ef7270cc9a8280722cc7adf
│ Summary: UEFI ESRT device
│ Current version: 15.22.16832
│ Minimum Version: 15.22.16832
│ Vendor: Lenovo (DMI:LENOVO)
│ Update State: Success
│ GUID: 0717eeac-f27a-4e2a-a95d-fecf6c6cc345
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─TPM:
│ Device ID: c6a80ac3a22083423992a3cb15018989f37834d6
│ Current version: 15.22.65.49152
│ Vendor: Infineon (TPM:IFX)
│ GUIDs: ff71992e-52f7-5eea-94ef-883e56e034c6 ← system-tpm
│ 5eebb112-75ad-5536-b173-a11eb3399402 ← TPM\VEN_IFX&DEV_0000
│ 0df86b23-72b8-5128-9fc2-3377446e8ecf ← TPM\VEN_IFX&MOD_SLB9672
│ 6d81ab63-db2e-50ac-934f-6be9accf5e02 ← TPM\VEN_IFX&DEV_0000&VER_2.0
│ 13249df8-c159-574a-b877-b045aa40bc54 ← TPM\VEN_IFX&MOD_SLB9672&VER_2.0
│ Device Flags: • Internal device
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device can recover flash failures
│ • Full disk encryption secrets may be invalidated when updating
│ • Signed Payload
│
├─UEFI Device Firmware:
│ Device ID: a45df35ac0e948ee180fe216a5f703f32dda163f
│ Summary: UEFI ESRT device
│ Current version: 4130
│ Minimum Version: 1
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 37176ab3-1c3f-4164-be2c-d3512d5ba15e
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─UEFI Device Firmware:
│ Device ID: 349bb341230b1a86e5effe7dfe4337e1590227bd
│ Summary: UEFI ESRT device
│ Current version: 10551296
│ Minimum Version: 57374
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 2a197802-e469-4fa7-a37b-2d681bcf416f
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─UEFI Device Firmware:
│ Device ID: 2292ae5236790b47884e37cf162dcf23bfcd1c60
│ Summary: UEFI ESRT device
│ Current version: 532
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 88523ddf-3aac-41f6-b15f-dc7bea434b39
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─UEFI Device Firmware:
│ Device ID: f95c9218acd12697af946874bfe4239587209232
│ Summary: UEFI ESRT device
│ Current version: 3344935
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 023a338b-246f-47e0-b4e5-304203184ec1
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
├─UEFI Device Firmware:
│ Device ID: f37fb01122dd62c773f4e84ec89737e059712d59
│ Summary: UEFI ESRT device
│ Current version: 1
│ Minimum Version: 1
│ Vendor: DMI:LENOVO
│ Update State: Success
│ GUID: 75d78aef-5e7f-0afe-b68a-aef4c52ccddd
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│
└─UEFI Device Firmware:
Device ID: 11a7fbdd09ce583e58b899660fe10f147fd155a2
Summary: UEFI ESRT device
Current version: 16859233
Minimum Version: 1
Vendor: DMI:LENOVO
Update State: Success
GUID: 98700de8-2296-4294-97a6-04b0b6b385eb
Device Flags: • Internal device
• Updatable
• System requires external power source
• Needs a reboot after installation
• Device is usable for the duration of the update
I think this issue is probably a non-issue and may be closed now, since there is a reasonable way to get this update installed. What do you think?
I think this issue is probably a non-issue and may be closed now, since there is a reasonable way to get this update installed. What do you think?
Well imo, it's a workaround, but not a clean solution. For me using a corporate device, I can't clear the security device, update TPM and then reconfigure it again, only to just wait, until the next TPM update gets released and to do it again.
I need a usable solution, where a fwupdmgr update
just works out of the box, with foreign security keys.
@VeldoraTheDragon can you please show complete results of fwupdmgr get-devices
@kmauleon Here you go
@VeldoraTheDragon forwarded to ODM... thank you very much...will let you know once i get an update
@gustafla let's close this one... thank you very much! @VeldoraTheDragon let's track this here #378 since this is handled by different TPM owner. thank you very much!
My device is a 21CMCTO1WW laptop (ThinkPad X13 Gen 3 AMD). I have SecureBoot enabled with my own keys. Microsoft Pluton is completely Disabled in firmware settings. TPM update from 15.21.16430 to 15.22.16832 won't work.
get-results shows this result:
I'm running following version: