fwupd / firmware-lenovo

Missing firmware for Lenovo Thinkpad hardware

My lenovo X1 reboots and updates are not applied. #56

Closed lhirlimann closed 4 years ago

lhirlimann commented 4 years ago

Describe the bug

I have firmware updates offered when I run fwupdmgr:

[ludovic@saraan]~% sudo fwupdmgr update 
• Thunderbolt Controller has the latest available firmware version
• Embedded Controller has the latest available firmware version
Upgrade available for Intel Management Engine from 184.70.3626 to 184.77.3664
20KHCTO1WW must remain plugged into a power source for the duration of the update to avoid damage. Continue with update? [Y|n]: y
Downloading 184.77.3664 for Intel Management Engine...
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Updating Intel Management Engine…                                ]
Scheduling…              [***************************************]
Successfully installed firmware
• SAMSUNG MZVLB512HAJQ-000L7 has the latest available firmware version
Upgrade available for System Firmware from 0.1.46 to 0.1.48
20KHCTO1WW must remain plugged into a power source for the duration of the update to avoid damage. Continue with update? [Y|n]: y
Downloading 0.1.48 for System Firmware...
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Updating System Firmware…[            /                          ]
Scheduling…              [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: n

When I reboot, I see messages about a new capsule being found - it takes a while and then boot continues. The firmware updates don't seem to have been applied.

Steps to Reproduce

sudo fwupdmgr update
reboot

Expected behavior

After the reboot running the update command returns that I'm up to date.

fwupd version information

Please provide the version of the daemon and client.

[ludovic@saraan]~% fwupdmgr --version
client version: 1.4.2
compile-time dependency versions
    gusb:   0.3.4
    efivar: 37
daemon version: 1.4.2

Please note how you installed it (apt, dnf, pacman, source, etc):

dnf with enable-testing

fwupd device information

Please provide the output of the fwupd devices recognized in your system.

[ludovic@saraan]~% fwupdmgr get-devices --show-all-devices
20KHCTO1WW
│
├─Thunderbolt Controller:
│     Device ID:           199c280418de0aa1347fc161a9df3c68dd5b0848
│     Summary:             Unmatched performance for high-speed I/O
│     Current version:     43.00
│     Vendor:              Lenovo (TBT:0x0109)
│     GUIDs:               2da42a33-cd30-5ef5-a8fb-2c800a4b760f
│                          96411853-9f56-53d2-b05c-a54fcad5ee62
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Device stages updates
│   
├─Embedded Controller:
│     Device ID:           9698faabddf0d7b18925cfbbda95f8b0d0dacc53
│     Current version:     0.1.20
│     Minimum Version:     0.1.20
│     Vendor:              DMI:LENOVO
│     GUID:                3babca5f-b2bf-4f4b-a72e-2bdc84eb4019
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Needs a reboot after installation
│                          • Device is usable for the duration of the update
│   
├─Intel AMT [unprovisioned]:
│     Device ID:           e2623122c99d58220498aacbfcfdb1baebbae3c5
│     Summary:             Hardware and firmware technology for remote out-of-band management
│     Current version:     11.8.77.3664
│     Bootloader Version:  11.8.77.3664
│     Vendor:              Intel Corporation
│     GUID:                2800f812-b7b4-2d4b-aca8-46e0ff65814c
│     Device Flags:        • Internal device
│   
├─Intel Management Engine:
│     Device ID:           e563ad307df81c99f0de8c26292afd71cf409673
│     Current version:     184.70.3626
│     Minimum Version:     184.70.3626
│     Vendor:              DMI:LENOVO
│     Update State:        success
│     Last modified:       2020-05-20 09:44
│     GUIDs:               42a0a96e-c9f3-438f-9687-7826be33e4ce
│                          375afb87-ea51-5a6e-96d5-c35cc342dc65
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Needs a reboot after installation
│                          • Device is usable for the duration of the update
│   
├─Intel(R) Core™ i7-8650U CPU @ 1.90GHz:
│     Device ID:           4bde70ba4e39b28f9eab1628f9dd6e6244c03027
│     Current version:     0xca
│     Vendor:              GenuineIntel
│     GUID:                b9a2dd81-159e-5537-a7db-e7101d164d3f
│     Device Flags:        • Internal device
│   
├─SAMSUNG MZVLB512HAJQ-000L7:
│     Device ID:           04e17fcf7d3de91da49a163ffe4907855c3648be
│     Summary:             NVM Express Solid State Drive
│     Current version:     5L2QEXA7
│     Vendor:              Samsung Electronics Co Ltd (NVME:0x144D)
│     GUIDs:               6e54c992-d302-59ab-b454-2d26ddd63e6d
│                          47335265-a509-51f7-841e-1c94911af66b
│                          79d6cfae-a5a2-5936-9248-5aebd23480f7
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Needs a reboot after installation
│                          • Device is usable for the duration of the update
│   
├─System Firmware:
│     Device ID:           1c53551e7da69d896138fac1ae131c83ad46d923
│     Current version:     0.1.46
│     Minimum Version:     0.0.1
│     Vendor:              LENOVO (DMI:LENOVO)
│     Update State:        success
│     Last modified:       2020-05-20 09:44
│     GUIDs:               a4b51dca-8f97-4310-8821-3330f83c9135
│                          230c8b18-8d9b-53ec-838b-6cfc0383493a
│                          6b3879ff-921f-5bc5-a0c2-5cec28f31d2f
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Needs a reboot after installation
│                          • Cryptographic hash verification is available
│                          • Device is usable for the duration of the update
│   
├─TPM:
│ │   Device ID:           c6a80ac3a22083423992a3cb15018989f37834d6
│ │   Current version:     7.63.12.18432
│ │   Vendor:              Infineon (TPM:IFX)
│ │   GUIDs:               ff71992e-52f7-5eea-94ef-883e56e034c6
│ │                        5eebb112-75ad-5536-b173-a11eb3399402
│ │                        ddf995da-1b32-5a8a-bc1b-8d5af4b38b51
│ │                        6d81ab63-db2e-50ac-934f-6be9accf5e02
│ │                        301555de-680d-5ddc-b995-7553fc9138f1
│ │   Device Flags:        • Internal device
│ │ 
│ └─Event Log:
│       Device ID:         58bd405f31c48e6eca290b425f530a94c91e955c
│       GUID:              a25657fe-b5dc-5be0-8b78-8b9dfec678ff
│       Device Flags:      • Internal device
│     
└─UHD Graphics 620:
      Device ID:           bbbf1ce3d1cf15550c3760b354592040292415bb
      Current version:     07
      Vendor:              Intel Corporation (PCI:0x8086)
      GUIDs:               fed2efa4-7045-55a1-b4fc-b29283d59fe5
                           8b72a10c-1279-5f8e-a28a-34fb11a58240
      Device Flags:        • Internal device
                           • Cryptographic hash verification is available

System UEFI configuration

Please provide the output of the following commands:

[ludovic@saraan]~% efibootmgr -v
BootNext: 0001
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0018,0019,001A,001B,001C,001D,001E,001F,0001
Boot0000* Fedora    HD(1,GPT,f1ddcb07-23c0-4704-93b0-87a7d7608980,0x800,0x64000)/File(\EFI\fedora\shimx64.efi)
Boot0001* Linux-Firmware-Updater    HD(1,GPT,f1ddcb07-23c0-4704-93b0-87a7d7608980,0x800,0x64000)/File(\EFI\fedora\fwupdx64.efi)
Boot0010  Setup FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen  FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics    FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Regulatory Information    FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)
Boot0015  Startup Interrupt Menu    FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0016  Rescue and Recovery   FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0017  MEBx Hot Key  FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
Boot0018* USB CD    VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot0019* USB FDD   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot001A* NVMe0 VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001B* ATA HDD0  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f601)
Boot001C* USB HDD   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot001D* PCI LAN   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot001E  Other CD  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35406)
Boot001F  Other HDD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f606)
Boot0020* USBR BOOT CDROM   PciRoot(0x0)/Pci(0x14,0x0)/USB(11,1)
Boot0021* USBR BOOT Floppy  PciRoot(0x0)/Pci(0x14,0x0)/USB(11,0)
Boot0022* ATA HDD   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0023* ATAPI CD  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)
Boot0024* PCI LAN   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
[ludovic@saraan]~% 
[ludovic@saraan]~% efivar -l | grep fw
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-a4b51dca-8f97-4310-8821-3330f83c9135-0
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-42a0a96e-c9f3-438f-9687-7826be33e4ce-0
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-ux-capsule
[ludovic@saraan]~% efivar -l | grep fw
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-a4b51dca-8f97-4310-8821-3330f83c9135-0
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-42a0a96e-c9f3-438f-9687-7826be33e4ce-0
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-ux-capsule
[ludovic@saraan]~% tree /boot
/boot
├── config-5.6.11-300.fc32.x86_64
├── config-5.6.12-300.fc32.x86_64
├── config-5.6.13-300.fc32.x86_64
├── efi [error opening dir]
├── elf-memtest86+-5.01
├── extlinux
│   ├── cat.c32
│   ├── chain.c32
│   ├── cmd.c32
│   ├── cmenu.c32
│   ├── config.c32
│   ├── cptime.c32
│   ├── cpu.c32
│   ├── cpuid.c32
│   ├── cpuidtest.c32
│   ├── debug.c32
│   ├── dhcp.c32
│   ├── dir.c32
│   ├── disk.c32
│   ├── dmi.c32
│   ├── dmitest.c32
│   ├── elf.c32
│   ├── ethersel.c32
│   ├── gfxboot.c32
│   ├── gpxecmd.c32
│   ├── hdt.c32
│   ├── hexdump.c32
│   ├── host.c32
│   ├── ifcpu64.c32
│   ├── ifcpu.c32
│   ├── ifmemdsk.c32
│   ├── ifplop.c32
│   ├── kbdmap.c32
│   ├── kontron_wdt.c32
│   ├── ldlinux.c32
│   ├── lfs.c32
│   ├── libcom32.c32
│   ├── libgpl.c32
│   ├── liblua.c32
│   ├── libmenu.c32
│   ├── libutil.c32
│   ├── linux.c32
│   ├── ls.c32
│   ├── lua.c32
│   ├── mboot.c32
│   ├── memdisk
│   ├── meminfo.c32
│   ├── menu.c32
│   ├── pci.c32
│   ├── pcitest.c32
│   ├── pmload.c32
│   ├── poweroff.c32
│   ├── prdhcp.c32
│   ├── pwd.c32
│   ├── pxechn.c32
│   ├── reboot.c32
│   ├── rosh.c32
│   ├── sanboot.c32
│   ├── sdi.c32
│   ├── sysdump.c32
│   ├── syslinux.c32
│   ├── vesa.c32
│   ├── vesainfo.c32
│   ├── vesamenu.c32
│   ├── vpdtest.c32
│   ├── whichsys.c32
│   └── zzjson.c32
├── grub2 [error opening dir]
├── initramfs-0-rescue-881a595ec75941a3b85457f68d10cd38.img
├── initramfs-5.6.11-300.fc32.x86_64.img
├── initramfs-5.6.12-300.fc32.x86_64.img
├── initramfs-5.6.13-300.fc32.x86_64.img
├── loader
│   └── entries [error opening dir]
├── lost+found [error opening dir]
├── memtest86+-5.01
├── System.map-5.6.11-300.fc32.x86_64
├── System.map-5.6.12-300.fc32.x86_64
├── System.map-5.6.13-300.fc32.x86_64
├── vmlinuz-0-rescue-881a595ec75941a3b85457f68d10cd38
├── vmlinuz-5.6.11-300.fc32.x86_64
├── vmlinuz-5.6.12-300.fc32.x86_64
└── vmlinuz-5.6.13-300.fc32.x86_64

6 directories, 77 files

Additional questions

twice

I think so.

I believe so.
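The checks this report implies, as an added example (not part of the original post or of fwupd): it correlates the `efibootmgr -v`, `efivar -l` and `fwupdmgr get-devices` output quoted above to tell a capsule that is staged and waiting for a reboot from one that fwupd records as `success` while the version never changed. The function names, status strings and the post-reboot sample (the same output with the one-shot `BootNext` line gone) are assumptions made for the example.

```python
import re

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
GUID_RE = re.compile(GUID)
CAPSULE_VAR_RE = re.compile(r"-fwupd-(" + GUID + r")-\d+$")   # fwupd-<device GUID>-<n>
HEADER_RE = re.compile(r"[├└]─(.+?):\s*$")                    # tree node = device name
FIELD_RE = re.compile(r"(Current version|Update State):\s+(\S.*?)\s*$")

# Constructed samples: trimmed copies of the output quoted in the report.
EFIBOOTMGR_PRE = r"""BootNext: 0001
BootCurrent: 0000
BootOrder: 0000,0018,0001
Boot0000* Fedora HD(1,GPT,f1ddcb07-23c0-4704-93b0-87a7d7608980,0x800,0x64000)/File(\EFI\fedora\shimx64.efi)
Boot0001* Linux-Firmware-Updater HD(1,GPT,f1ddcb07-23c0-4704-93b0-87a7d7608980,0x800,0x64000)/File(\EFI\fedora\fwupdx64.efi)
"""
# Assumption: after the reboot the firmware has consumed the one-shot BootNext.
EFIBOOTMGR_POST = EFIBOOTMGR_PRE.replace("BootNext: 0001\n", "")

EFIVARS = """0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-a4b51dca-8f97-4310-8821-3330f83c9135-0
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-42a0a96e-c9f3-438f-9687-7826be33e4ce-0
0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-ux-capsule
"""

GET_DEVICES = """20KHCTO1WW
│
├─Intel Management Engine:
│     Device ID:           e563ad307df81c99f0de8c26292afd71cf409673
│     Current version:     184.70.3626
│     Update State:        success
│     GUIDs:               42a0a96e-c9f3-438f-9687-7826be33e4ce
│                          375afb87-ea51-5a6e-96d5-c35cc342dc65
│     Device Flags:        • Internal device
│                          • Updatable
│
└─System Firmware:
      Device ID:           1c53551e7da69d896138fac1ae131c83ad46d923
      Current version:     0.1.46
      Update State:        success
      GUIDs:               a4b51dca-8f97-4310-8821-3330f83c9135
                           230c8b18-8d9b-53ec-838b-6cfc0383493a
"""

# Versions offered in the `fwupdmgr update` transcript of the report.
TARGETS = {"Intel Management Engine": "184.77.3664", "System Firmware": "0.1.48"}


def boot_next_file(efibootmgr_out):
    """Return the File(...) path of the entry BootNext points at, or None."""
    nxt = re.search(r"^BootNext:\s*([0-9A-Fa-f]{4})", efibootmgr_out, re.M)
    if not nxt:
        return None
    entry = re.search(rf"^Boot{nxt.group(1)}\*?\s.*?File\(([^)]*)\)",
                      efibootmgr_out, re.M | re.I)
    return entry.group(1) if entry else None


def staged_capsule_guids(efivar_listing):
    """Device GUIDs that have a fwupd-<GUID>-<n> capsule variable set."""
    found = set()
    for line in efivar_listing.splitlines():
        m = CAPSULE_VAR_RE.search(line.strip().lower())
        if m:
            found.add(m.group(1))
    return found


def parse_devices(text):
    """Parse the get-devices tree into name / version / state / GUID set."""
    devices = []
    for line in text.splitlines():
        header = HEADER_RE.search(line)
        if header:
            devices.append({"name": header.group(1), "version": None,
                            "state": None, "guids": set()})
            continue
        if not devices:
            continue
        dev = devices[-1]
        field = FIELD_RE.search(line)
        if field:
            key = "version" if field.group(1) == "Current version" else "state"
            dev[key] = field.group(2)
        dev["guids"].update(GUID_RE.findall(line.lower()))
    return devices


def audit(devices_txt, efivars_txt, bootmgr_txt, targets):
    """Classify each device that has a target version."""
    staged = staged_capsule_guids(efivars_txt)
    next_file = boot_next_file(bootmgr_txt)
    armed = bool(next_file) and \
        next_file.rsplit("\\", 1)[-1].lower().startswith("fwupd")
    findings = []
    for dev in parse_devices(devices_txt):
        target = targets.get(dev["name"])
        if target is None:
            continue
        if dev["version"] == target:
            status = "applied"
        elif armed and dev["guids"] & staged:
            status = "staged, reboot pending"
        elif dev["state"] == "success":
            status = "reported success but not applied"
        else:
            status = "not staged"
        findings.append((dev["name"], dev["version"], target, status))
    return findings


if __name__ == "__main__":
    for label, boot in (("before reboot", EFIBOOTMGR_PRE), ("after reboot", EFIBOOTMGR_POST)):
        print(label, audit(GET_DEVICES, EFIVARS, boot, TARGETS))
```

On a live system the three strings would be the captured output of the same commands, taken once before and once after the reboot.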

sudomateo commented 4 years ago

I'm also unable to apply the ThinkPad T480 Corporate ME Update 184.77.3664 to my ThinkPad T480. I've tried via GNOME Software and fwupdmgr multiple times with no success. When rebooting I see the "Adding capsule" message but the update does not go through. I'm running Fedora 32 with the following fwupdmgr version.

$ fwupdmgr --version
client version: 1.4.1
compile-time dependency versions
    gusb:   0.3.4
    efivar: 37
daemon version: 1.4.1

heldchen commented 4 years ago

same on my X1C6 - https://github.com/fwupd/fwupd/issues/2114#issuecomment-631078883 - but with different fwupdmgr version:

fwupdmgr --version
client version: 1.3.9
compile-time dependency versions
    gusb:   0.3.4
    efivar: 37
daemon version: 1.3.9

mweinelt commented 4 years ago

Same issue with X1C6 and fwupd 1.4.2.

Details: https://github.com/NixOS/nixpkgs/pull/88506#issuecomment-632218227

damentz commented 4 years ago

I was able to update my firmware by rolling back to the last fwupd version in Arch that would run at all (1.3.9-2) [1].

However, despite fwupd updating the EFI folder, my X1 Carbon still wasn't automatically picking up the capsules. I rebooted again and used F12 to boot to a temporary device and found something that looked like Linux-Firmware-Updater (might be different, I forgot to take a picture). Picking this option immediately added the two capsules for the most recent update. Now I'm running the latest firmware for the X1 Carbon 7th.

Here's some data after the output:

$ inxi -M
Machine:   Type: Laptop System: LENOVO product: 20QD001VUS v: ThinkPad X1 Carbon 7th 
           serial: <superuser/root required> 
           Mobo: LENOVO model: 20QD001VUS v: SDK0J40697 WIN 
           serial: <superuser/root required> UEFI: LENOVO v: N2HET50W (1.33 ) 
           date: 05/13/2020

And after running fwupdmgr get-devices and being prompted whether to report:

Devices that have been updated successfully:

 • System Firmware (0.1.30 → 0.1.33)
 • UEFI Device Firmware (0.1.15 → 0.1.17)

[1] https://git.archlinux.org/svntogit/community.git/plain/trunk/PKGBUILD?h=packages/fwupd&id=4830366284630fac9fe33273adc1d435bef7f427

heldchen commented 4 years ago

 • System Firmware (0.1.30 → 0.1.33)
 • UEFI Device Firmware (0.1.15 → 0.1.17)

those updated both for me without problems in ubuntu 20.04 (fwupd 1.3.9) - Intel Management Engine seems to be the update that causes problems for my system, even with 1.3.9.

LinuxOnTheDesktop commented 4 years ago

Me too, on an X1CG6, and not for the first time (see: https://github.com/fwupd/fwupd/issues/1192; the bug reports remind one, in their recurrence, of the very problem at issue). Here are the updates concerned:

 $ fwupdmgr get-updates
• Thunderbolt Controller has the latest available firmware version
• Embedded Controller has the latest available firmware version
• LENSE20512GMSP34MEAT2TA has the latest available firmware version
• UEFI Device Firmware has no available firmware updates
• Unifying Receiver has the latest available firmware version
20KHCTO1WW
│
├─Intel Management Engine:
│ │   Device ID:           29749712e93b58730ecd1b8537a5503ff5b7fb27
│ │   Current version:     184.70.3626
│ │   Minimum Version:     0.0.1
│ │   Vendor:              DMI:LENOVO
│ │   Update State:        success
│ │   GUID:                9c9d9769-32fa-4841-b550-ea998e754e99
│ │   Device Flags:        • Internal device
│ │                        • Updatable
│ │                        • Requires AC power
│ │                        • Supported on remote server
│ │                        • Needs a reboot after installation
│ │                        • Device is usable for the duration of the update
│ │ 
│ └─ThinkPad X1 Carbon 6th Consumer ME Update:
│       New version:       184.77.3664
│       Remote ID:         lvfs
│       Summary:           Lenovo ThinkPad X1 Carbon 6th Consumer ME Firmware
│       License:           Proprietary
│       Size:              2.2 MB
│       Created:           2016-07-08
│       Urgency:           High
│       Vendor:            Lenovo Ltd.
│       Flags:             is-upgrade
│       Description:       Version 11.8.77.3664 (LVFS: 184.77.3664)
│       
│       2020.01 Q1 Intel Platform Update (IPU), formerly known as Quarterly security release (QSR)
│       
│       Several security fixes and enhancements are on this release.
│       
│       Security issues fixed:
│       
│        • CVE-2020-0531
│        • CVE-2020-0532
│        • CVE-2020-0533
│        • CVE-2020-0535
│        • CVE-2020-0536
│        • CVE-2020-0537
│        • CVE-2020-0538
│        • CVE-2020-0539
│        • CVE-2020-0540
│        • CVE-2020-0545
│        • CVE-2020-0594
│        • CVE-2020-0595
│        • CVE-2020-0596
│        • CVE-2020-8674
│     
└─System Firmware:
  │   Device ID:           1c53551e7da69d896138fac1ae131c83ad46d923
  │   Current version:     0.1.46
  │   Minimum Version:     0.0.1
  │   Vendor:              LENOVO (DMI:LENOVO)
  │   Update State:        success
  │   GUID:                a4b51dca-8f97-4310-8821-3330f83c9135
  │   Device Flags:        • Internal device
  │                        • Updatable
  │                        • Requires AC power
  │                        • Supported on remote server
  │                        • Needs a reboot after installation
  │                        • Cryptographic hash verification is available
  │                        • Device is usable for the duration of the update
  │ 
  └─ThinkPad X1 Carbon 6th System Update:
        New version:       0.1.48
        Remote ID:         lvfs
        Summary:           Lenovo ThinkPad X1 Carbon 6th System Firmware
        License:           Proprietary
        Size:              9.5 MB
        Created:           2016-07-08
        Urgency:           High
        Vendor:            Lenovo Ltd.
        Flags:             is-upgrade
        Description:       Lenovo ThinkPad X1 Carbon 6th System Firmware

        Update includes a security fix.

My system

Linux Mint 19. Nvme disk. Secure boot disabled.

$ fwupdmgr --version
client version: 1.4.2
compile-time dependency versions
    gusb:   0.2.11
    efivar: 34
daemon version: 1.4.2

The fix, and a comment

In order to install the updates, I had to:

and then do all that again to install the second update. In this time, I could have used Windows-to-Go to install the updates, which rather defeats the point of fwupd.

daenney commented 4 years ago

I'm facing the same issue with an X1C6, the updates just don't seem to want to get installed at all:

[daenney@yunikoni ~]$ fwupdmgr --version
client version: 1.4.2
compile-time dependency versions
    gusb:   0.3.4
    efivar: 37
daemon version: 1.4.2

I've even tried making the Linux Firmware Updater my first boot device, but no joy.

[daenney@yunikoni ~]$ fwupdmgr get-updates
• TS3 Plus has no available firmware updates
• Thunderbolt Controller has the latest available firmware version
• Embedded Controller has the latest available firmware version
• UEFI Device Firmware has no available firmware updates
• Unifying Receiver has no available firmware updates
• WDS100T3X0C-00SJG0 has no available firmware updates
20KHCTO1WW
│
├─Intel Management Engine:
│ │   Device ID:           29749712e93b58730ecd1b8537a5503ff5b7fb27
│ │   Current version:     184.70.3626
│ │   Minimum Version:     184.70.3626
│ │   Vendor:              DMI:LENOVO
│ │   Update State:        success
│ │   GUID:                9c9d9769-32fa-4841-b550-ea998e754e99
│ │   Device Flags:        • Internal device
│ │                        • Updatable
│ │                        • Requires AC power
│ │                        • Supported on remote server
│ │                        • Needs a reboot after installation
│ │                        • Device is usable for the duration of the update
│ │
│ └─ThinkPad X1 Carbon 6th Consumer ME Update:
│       New version:       184.77.3664
│       Remote ID:         lvfs
│       Summary:           Lenovo ThinkPad X1 Carbon 6th Consumer ME Firmware
│       Licence:           Proprietary
│       Size:              2.2 MB
│       Created:           2016-07-08
│       Urgency:           High
│       Vendor:            Lenovo Ltd.
│       Flags:             is-upgrade
│       Description:       Version 11.8.77.3664 (LVFS: 184.77.3664)
│
│       2020.01 Q1 Intel Platform Update (IPU), formerly known as Quarterly security release (QSR)
│
│       Several security fixes and enhancements are on this release.
│
│       Security issues fixed:
│
│        • CVE-2020-0531
│        • CVE-2020-0532
│        • CVE-2020-0533
│        • CVE-2020-0535
│        • CVE-2020-0536
│        • CVE-2020-0537
│        • CVE-2020-0538
│        • CVE-2020-0539
│        • CVE-2020-0540
│        • CVE-2020-0545
│        • CVE-2020-0594
│        • CVE-2020-0595
│        • CVE-2020-0596
│        • CVE-2020-8674
│
└─System Firmware:
  │   Device ID:           1c53551e7da69d896138fac1ae131c83ad46d923
  │   Current version:     0.1.46
  │   Minimum Version:     0.0.1
  │   Vendor:              LENOVO (DMI:LENOVO)
  │   Update State:        success
  │   GUID:                a4b51dca-8f97-4310-8821-3330f83c9135
  │   Device Flags:        • Internal device
  │                        • Updatable
  │                        • Requires AC power
  │                        • Supported on remote server
  │                        • Needs a reboot after installation
  │                        • Cryptographic hash verification is available
  │                        • Device is usable for the duration of the update
  │
  └─ThinkPad X1 Carbon 6th System Update:
        New version:       0.1.48
        Remote ID:         lvfs
        Summary:           Lenovo ThinkPad X1 Carbon 6th System Firmware
        Licence:           Proprietary
        Size:              9.5 MB
        Created:           2016-07-08
        Urgency:           High
        Vendor:            Lenovo Ltd.
        Flags:             is-upgrade
        Description:       Lenovo ThinkPad X1 Carbon 6th System Firmware

        Update includes a security fix.

LinuxOnTheDesktop commented 4 years ago

Perhaps it will be useful to collate the following information from the material people have posted on this page.

Machines affected

OSs affected

Has this problem occurred before, with Lenovo computers? Yes

Reports of whether the affected machine has 'boot order lock' set in the BIOS

Set/enabled: none
Not set/disabled: five [but I am going to stop updating this total now]

EDITED for grammar and to add information about 'boot order lock'.

hughsie commented 4 years ago

Perhaps it will be useful to collate the following information from the material people have posted on this page.

That's helpful, thanks. Some people have reported success by resetting all the firmware options back to the factory defaults.

LinuxOnTheDesktop commented 4 years ago

@hughsie

'Some people have reported success by resetting all the firmware options back to the factory defaults.' That may be a successful work-around, as might be booting (twice if there are two updates) to the firmware boot option thing. Yet it is only a work-around. I trust that you and/or Intel and/or Lenovo will actually fix the problem. I note that my previous report is now a year old. I note also that the current report seems to falsify a hypothesis made in the previous report, namely, that the problem is specific to Mint or to SELinux.

hughsie commented 4 years ago

The key BIOS option that seems to cause the main problem is the "boot order lock" that's sometimes set on Lenovo hardware. I'm working with Lenovo on a way to detect this without using WMI so we can inform the user before the update is deployed.

bmeira commented 4 years ago

@hughsie Pretty sure that option is not causing it. I have that option disabled (always had) and I'm also affected by this issue (Lenovo T480 with Pop)

LinuxOnTheDesktop commented 4 years ago

@hughsie: thank you for your work. Yet - data point - like @bmeira, I have 'boot order lock' disabled (on my X1CG6) [edit: whilst having the problem described in this thread; indeed, I posted in the thread to that effect].

One can only hope that the forthcoming Lenovo-Fedora partnership will make Lenovo less dreadful in its Linux support. (So, yes, I am inclined to blame Lenovo for the current problem. That company has form in this regard.)

EDIT: we have had now, on this page, so far, three reports of boot order lock not being set (and none of it being set). I have updated my informational post, which is above, to record that.

sudomateo commented 4 years ago

I also have "boot order lock" disabled and I cannot install any firmware updates. I also tried again with default BIOS settings and no luck. I'm running Fedora 32 on a T480.

vancanhuit commented 4 years ago

My BIOS has "boot order lock" disabled and I also cannot install firmware updates. And no luck with resetting BIOS to factory defaults. I'm running Pop!_OS 20.04 on T480.

heldchen commented 4 years ago

have "boot order lock" disabled as well.

additionally, resetting bios options did not help. problem only occurs for me when the "Lenovo ThinkPad X1 Carbon 6th Consumer ME Firmware" update is scheduled, so I'm not surprised that resetting the bios values isn't helping as it is my understanding that the ME Firmware is not controlled by the bios.

renffah commented 4 years ago

X1CG6, Ubuntu 20.04

System firmware was successfully updated from 1.46 to 1.48:

$ inxi -M
Machine:   Type: Laptop System: LENOVO product: 20KGS2A900 v: ThinkPad X1 Carbon 6th serial: <superuser/root required> 
           Mobo: LENOVO model: 20KGS2A900 v: SDK0J40697 WIN serial: <superuser/root required> UEFI: LENOVO v: N23ET73W (1.48 ) 
           date: 04/30/2020
$ fwupdmgr get-devices 
20KGS2A900
│
├─[…]
│
├─System Firmware:
│     Device ID:           1c53551e7da69d896138fac1ae131c83ad46d923
│     Current version:     0.1.48
│     Minimum Version:     0.0.1
│     Vendor:              LENOVO (DMI:LENOVO)
│     GUID:                a4b51dca-8f97-4310-8821-3330f83c9135
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Needs a reboot after installation
│                          • Cryptographic hash verification is available
│                          • Device is usable for the duration of the update
│
├─UEFI Device Firmware:
│     Device ID:           e563ad307df81c99f0de8c26292afd71cf409673
│     Current version:     184.70.3626
│     Minimum Version:     184.70.3626
│     Vendor:              DMI:LENOVO
│     Update State:        success
│     Last modified:       2020-05-23 16:06
│     GUIDs:               42a0a96e-c9f3-438f-9687-7826be33e4ce
│                          375afb87-ea51-5a6e-96d5-c35cc342dc65
│     Device Flags:        • Internal device
│                          • Updatable
│                          • Requires AC power
│                          • Supported on remote server
│                          • Needs a reboot after installation
│                          • Device is usable for the duration of the update
│
└─[…]

UEFI Device firmware update from 184.70.3626 to 184.77.3664

After executing fwupdmgr update and reboot, the boot screen is showing in the top left corner, that it has found two capsules (0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-42a0a96e-c9f3-438f-9687-7826be33e4ce-0 and 0abba7dc-e516-4167-bbf5-4d9d1c739416-fwupd-ux-capsule), is adding those capsules and resetting the system.

After that — it looks like a second reboot — it shows for a very short time (< 1 sec), right below the Lenovo logo, that it is updating the firmware (translated message, so it should come from ubuntu).

Then I tried to reinstall 184.70.3626; the Updating firmware message is displayed for about 1 minute and a spinner is rotating.

The cab archive for 184.77.3664 contains an additional file. At a quick look, the metadata of 184.70.3626 and 184.77.3664 are differently structured — no checksums in 184.70.3626. I then replaced the .77-metadata with the .70-metadata, removed the additional file and repacked the files. No difference if I try to install the newly created update file, but no error message either.

Booting of Linux-Firmware-Updater is definitely working. When I reboot later and select another boot device and then Linux-Firmware-Updater (the boot entry isn't removed after an update), it displays in the top left corner (same as in adding capsule) that it can't find any updates and returns to the boot menu.

Manually installing the downloaded cab archive in ~/.cache/fwupd, I got different results with fwupdtool and fwupdmgr:

$ sudo fwupdtool install dccab103af545a66e515b415d4d88b13b6db130842f11362dc9db85ffc63fbe4-Lenovo-ThinkPad-X1Carbon6th-CorporateMEFirmware-11.8.77.3664.cab e563ad307df81c99f0de8c26292afd71cf409673
Loading…                 [***************************************]
Decompressing…           [***************************************]
Installing on UEFI Device Firmware…                              ]
Scheduling…              [  -                                    ]16:06:02:0662 FuPluginUefi         missing or invalid embedded capsule header
Scheduling…              [***************************************]

An update requires a reboot to complete. Restart now? [y|N]: n
$ fwupdmgr install dccab103af545a66e515b415d4d88b13b6db130842f11362dc9db85ffc63fbe4-Lenovo-ThinkPad-X1Carbon6th-CorporateMEFirmware-11.8.77.3664.cab e563ad307df81c99f0de8c26292afd71cf409673
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Installing on UEFI Device Firmware…                              ]
Scheduling…              [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: n

Reinstalling .70 with fwupdtool displays no error message:

$ sudo fwupdtool install --allow-reinstall 08bd61f562c26ca1b8cdbd5a0ede1bb9818cfa00-Lenovo-ThinkPad-X1Carbon6th-CorporateMEFirmware-11.8.70.3626.cab 
Loading…                 [***************************************]
Decompressing…           [***************************************]
Installing on UEFI Device Firmware…                              ]
Scheduling…              [***************************************]

An update requires a reboot to complete. Restart now? [y|N]:

So, it really looks like a broken update.

kleinph commented 4 years ago

I have the same issue on my T480s (it says Adding new capsule but after reboot the update is shown again). Someone on reddit said that it may have to do with deactivated IME.

sdroege commented 4 years ago

I have the same problem on my X1 Carbon 6th generation. fwupd updated some components, but it always wants to update the ME firmware from 184.70.3626 to 184.77.3664. Doing so causes it to shortly show the "updating firmware" screen on reboot after showing it added the capsules, but it immediately reboots again and is stuck with the old version then.

dbasinge commented 4 years ago

I did get a BIOS upgrade on my X1 Carbon 6th gen to work by downloading the BIOS cab files from the Lenovo website and running fwupdmgr against the files.

fwupdmgr install N23ET73W.cab
fwupdmgr install N23HT35W.cab

It would fail if only running fwupdmgr update or via Gnome Software. This method only works for firmware upgrades that are in a cab format.

vancanhuit commented 4 years ago

@dbasinge How can I download those cabs?

heldchen commented 4 years ago

you can get them from https://pcsupport.lenovo.com/ - but the currently broken update is not available in this format.

renffah commented 4 years ago

Those Updates got installed with fwupdmgr, but the ME update did not.

Go to the Lenovo support site of your Model, Downloads, BIOS. There should be a "BIOS update utility (Linux)" — a Zip file. This zip contains those cab archives.

The update for my X1 6th contains 3 cab files. Two ending in W, one ending in P.

One is the BIOS update, the other one the embedded controller update. The P-File is also a BIOS update file, which removes the Computrace option completely from the BIOS settings — and probably breaks TPM.

daenney commented 4 years ago

Downloading and installing the cab files directly does indeed work, and the update completes successfully.

The ME firmware keeps showing, and failing. The metadata also seems kinda weird on that one:

└─ThinkPad X1 Carbon 6th Consumer ME Update:
        New version:       184.77.3664
        Remote ID:         lvfs
        Summary:           Lenovo ThinkPad X1 Carbon 6th Consumer ME Firmware
        Licence:           Proprietary
        Size:              2.2 MB
        Created:           2016-07-08
        Urgency:           High
        Vendor:            Lenovo Ltd.
        Flags:             is-upgrade
        Description:       Version 11.8.77.3664 (LVFS: 184.77.3664)

Created: 2016-07-08 ... that can't be right?

It also appears as though there's another ME update incoming, b/c I'm also seeing 2014.14.0.154 on the Lenovo website, issued May 15th. 11.8.77.3664 was issued May 5th. Nvm, "software" vs "firmware".

vancanhuit commented 4 years ago

Unfortunately, the new firmware version is not available for T480 on the Lenovo Support website.

cpt-kernel-afk commented 4 years ago

Booting manually into "Linux Firmware Updater" on my X1CG6, I get this:

Found update fwupd-...
Found update fwupd-...
WARNING: No updates to process. Called in error?

The message is viewable for half a second. This update should be the one to be applied:

ThinkPad X1 Carbon 6th Corporate ME Update:
        New version:       184.77.3664
        Remote ID:         lvfs
        Summary:           Lenovo ThinkPad X1 Carbon 6th Corporate ME Firmware
        License:           Proprietary
        Size:              7,5 MB
        Vendor:            Lenovo Ltd.
        Flags:             is-upgrade
        Description:       Version 11.8.77.3664 (LVFS: 184.77.3664)
        ...

ankostis commented 4 years ago

@cpt-kernel-afk the message you captured corroborates @vorpalBlade's just-reported comment at #2114, that Windows does not use UEFI at all to apply this capsule, and installs it directly from within the OS instead.

TylerBrock commented 4 years ago

Any ideas about what you would do to resolve this if you don't have a windows partition?

renffah commented 4 years ago

As I had written, System firmware update is working using the capsule.

Reinstalling 184.70.3626 seems to work too, because the System is showing Applying Firmware Update for about one Minute.

Installing 184.77.3664 through fwupdtool instead of fwupdmgr produces an Error message: FuPluginUefi missing or invalid embedded capsule header. In either case, after a reboot Applying Firmware is just flickering for about one second on the screen.

From my point of view, the capsule is broken and if there's any bug in fwupd, it's broken error checking.

fcelda commented 4 years ago

I got to the same conclusion as @renffah. The Intel ME 11.8.77.3664 update is started, the firmware update message just flickers on the screen, and the machine reboots immediately. The current Intel ME firmware can be reinstalled without any issues.

VorpalBlade commented 4 years ago

From my point of view, the capsule is broken and if there's any bug in fwupd, it's broken error checking.

Would be good if someone with engineering contacts at Lenovo could contact them about this issue. (I would guess that the LVFS project would have a contact person at Lenovo?)

I doubt it would do much good if I as a customer called their support. They are not likely to know much about Linux.

hughsie commented 4 years ago

I would guess that the LVFS project would have a contact person at Lenovo

I've made Lenovo aware about this issue. When the update aborts before starting, and then you go back into Linux, do you get the opportunity to send a "failed report" when doing "fwupdmgr get-devices" on the CLI? At the moment on the LVFS I only see successful reports.

vancanhuit commented 4 years ago

I've just seen a newer version of system firmware on the Lenovo website for ThinkPad T480 and updated it from version 1.31 to 1.33 using the cab file. And I see a weird issue: When I enter into the BIOS, it shows the correct version of BIOS (1.33) but it shows the ME version is 11.8.77.3664 while I check via fwupdmgr, it still shows the older version 11.8.70.3626.

kleinph commented 4 years ago

@hughsie I just reran the update again to be sure:
fwupd doesn't seem to be aware that the update failed. It's like the update was never started.

lhirlimann commented 4 years ago

I would guess that the LVFS project would have a contact person at Lenovo

I've made Lenovo aware about this issue. When the update aborts before starting, and then you go back into Linux, do you get the opportunity to send a "failed report" when doing "fwupdmgr get-devices" on the CLI? At the moment on the LVFS I only see successful reports.

Nope, and fwupdmgr report-history says nothing to report.

hughsie commented 4 years ago

If you schedule the update and don't reboot, what does sqlite3 /var/lib/fwupd/pending.db .d say?

kleinph commented 4 years ago

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE schema (created timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,version INTEGER DEFAULT 0);
INSERT INTO schema VALUES('2018-10-31 05:11:11',5);
CREATE TABLE history (device_id TEXT,update_state INTEGER DEFAULT 0,update_error TEXT,filename TEXT,display_name TEXT,plugin TEXT,device_created INTEGER DEFAULT 0,device_modified INTEGER DEFAULT 0,checksum TEXT DEFAULT NULL,flags INTEGER DEFAULT 0,metadata TEXT DEFAULT NULL,guid_default TEXT DEFAULT NULL,version_old TEXT,version_new TEXT, checksum_device TEXT DEFAULT NULL, protocol TEXT DEFAULT NULL);
INSERT INTO history VALUES('a97ad68e51daaa05cd084c8685e67ff2a76ab017',2,NULL,NULL,'Unifying Receiver','logitech_hidpp',1577444384,0,'dcb67c5c079971ee5fc1662c42dea4bee8e1165d',4194818,'RuntimeVersion(org.freedesktop.gusb)=0.3.1;CompileVersion(org.freedesktop.gusb)=0.3.1;RuntimeVersion(com.redhat.fwupdate)=12;CpuArchitecture=x86_64;RuntimeVersion(org.freedesktop.fwupd)=1.3.5;RuntimeVersion(org.kernel)=5.4.6-arch3-1;DistroId=arch;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;CompileVersion(org.freedesktop.fwupd)=1.3.5;BootTime=1577444316;CompileVersion(com.redhat.efivar)=37;RuntimeVersion(com.dell.libsmbios)=2.4;CompileVersion(com.redhat.fwupdate)=12','cc4cbfa9-bf9d-540b-b92b-172ce31013c1','RQR24.07_B0030','RQR24.11_B0036',NULL,NULL);
INSERT INTO history VALUES('f5401d94c86c965c7250fdd83decdbb60d2adaa9',2,NULL,NULL,'Thunderbolt Controller','thunderbolt',1580634532,0,'52c5967087e9af9b33d8778e06485b56807b8a6d',138412555,'RuntimeVersion(org.freedesktop.gusb)=0.3.3;CompileVersion(org.freedesktop.gusb)=0.3.1;RuntimeVersion(com.redhat.fwupdate)=12;CpuArchitecture=x86_64;RuntimeVersion(org.freedesktop.fwupd)=1.3.6;RuntimeVersion(org.kernel)=5.4.15-arch1-1;DistroId=arch;ThunderboltNative=True;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;CompileVersion(org.freedesktop.fwupd)=1.3.6;BootTime=1580634503;CompileVersion(com.redhat.efivar)=37;RuntimeVersion(com.dell.libsmbios)=2.4;CompileVersion(com.redhat.fwupdate)=12','061f2847-061b-5cfb-9c39-3dbfe2b49d69','14.00','20.00',NULL,NULL);
INSERT INTO history VALUES('323bda90831520867f8c02544efb9711dfca9fb6',2,NULL,NULL,'UEFI Device Firmware','uefi',1581605582,1581605684,'058d3ef2218ce6d547cb67a706a357398c878140',541065995,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.3;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.3.6;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Disabled;RuntimeVersion(org.kernel)=5.5.3-arch1-1;ESPMountPoint=/boot;MissingCapsuleHeader=False;CompileVersion(org.freedesktop.gusb)=0.3.1;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=arch;CpuArchitecture=x86_64;BootTime=1581499307;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 e4f8e2238bf3fb160a1308ff4276b32c2ed33aac [N.2.2.E.T.6.0.W. ...]\n0x80000008 28bb7d7835be0b174ac8a9a68e3ec34c3f40510a\n0x80000008 e5d295f0dd61b08e97bdcdd67801a4c1e6e630a2\n0x80000008 89d6094a189cd610dfb89cb1df39bad84232d59f\n0x80000008 1ceb7d189e0886a5a43a96b47c7561848697e163 [..........C.....]\n0x00000001 3666adabd611f55bd0fc8251bb1671c51804d971 [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473;RuntimeVersion(org.freedesktop.fwupd)=1.3.6','\n',char(10)),'4d254d6e-cd67-477b-97d5-bc3048af45c4','0.1.19','0.1.20',NULL,NULL);
INSERT INTO history VALUES('e7cc234e82d08b6a14e246beb6b5f8142091e570',2,'TPM PCR0 differs from reconstruction, please see https://github.com/fwupd/fwupd/wiki/TPM-PCR0-differs-from-reconstruction',NULL,'System Firmware','uefi',1583714384,1583752809,'5ab7e1af7a0bebad5c7f87cf7c47b612fe6d8788',574620427,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.3.9;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Disabled;RuntimeVersion(org.kernel)=5.5.8-arch1-1;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=arch;CpuArchitecture=x86_64;BootTime=1583710632;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 5c4be5bd65b9a5578c0b6c6a21418cdcdb1194b1 [N.2.2.E.T.6.1.W. ...]\n0x80000008 80c744ce3256fa4ccd9fb114f7da208ea14270a3\n0x80000008 ef080e4bb90671abde7d41352eb8e98cd510d75a\n0x80000008 89d6094a189cd610dfb89cb1df39bad84232d59f\n0x80000008 a3cfbf000bb1946b2f4d081b1cf58e6dd5c27642 [..........C.....]\n0x00000001 3666adabd611f55bd0fc8251bb1671c51804d971 [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473\nPCR0: 285c3f0a00d2db0582ca8025c897d561ed15a805;RuntimeVersion(org.freedesktop.fwupd)=1.3.9','\n',char(10)),'ebfe8df8-dee7-4692-a721-cbcf5095c5cf','0.1.38','0.1.39','285c3f0ad2db0582ca8025c897d561ed15a805',NULL);
INSERT INTO history VALUES('cf3ad1e5e6838b09cba64bb5ccb1142dd44995d2',4,NULL,NULL,'Intel Management Engine','uefi',1591802779,1591803770,'ed98b99477d9786f3677cdafbca9e7da645ca1d2',536871179,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.4.2;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Disabled;RuntimeVersion(org.kernel)=5.6.15-arch1-1;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=arch;CpuArchitecture=x86_64;BootTime=1591802749;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 12eb7c36444565b6829623948faba1ae40b78555 [N.2.2.E.T.6.2.W. ...]\n0x80000008 e0438c6973feae4797415be3d8b67f9c58fb1e10\n0x80000008 ac12ae1bcd3b4d0d502037d804fc4698054f155d\n0x80000008 89d6094a189cd610dfb89cb1df39bad84232d59f\n0x80000008 a7f10b2356da645df8ab00407bc202c0e50f38b6 [..........C.....]\n0x00000001 3666adabd611f55bd0fc8251bb1671c51804d971 [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473\nPCR0: fe3d21d7cb407bc9ea55381b9c063343c3739a13;RuntimeVersion(org.freedesktop.fwupd)=1.4.2','\n',char(10)),'676af093-2a5c-4238-9c29-db8063a33532','184.70.3626','184.77.3664',NULL,NULL);
CREATE TABLE approved_firmware (checksum TEXT);
COMMIT;

lhirlimann commented 4 years ago

[ludovic@saraan]~% sqlite3 /var/lib/fwupd/pending.db .d
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE schema (created timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,version INTEGER DEFAULT 0);
INSERT INTO schema VALUES('2018-09-13 19:15:29',5);
CREATE TABLE history (device_id TEXT,update_state INTEGER DEFAULT 0,update_error TEXT,filename TEXT,display_name TEXT,plugin TEXT,device_created INTEGER DEFAULT 0,device_modified INTEGER DEFAULT 0,checksum TEXT DEFAULT NULL,flags INTEGER DEFAULT 0,metadata TEXT DEFAULT NULL,guid_default TEXT DEFAULT NULL,version_old TEXT,version_new TEXT, checksum_device TEXT DEFAULT NULL, protocol TEXT DEFAULT NULL);
INSERT INTO history VALUES('199c280418de0aa1347fc161a9df3c68dd5b0848',2,NULL,NULL,'X1 Carbon Thunderbolt Controller','thunderbolt',1572859088,0,'1e75dfb3e3b2b69c48c601101a4552033b4a775f',523,'DistroVariant=workstation;CompileVersion(org.freedesktop.gusb)=0.3.0;DistroVersion=31;RuntimeVersion(com.redhat.fwupdate)=12;CpuArchitecture=x86_64;RuntimeVersion(org.freedesktop.fwupd)=1.2.11;DistroId=fedora;RuntimeVersion(com.dell.libsmbios)=2.4;ThunderboltNative=True;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;CompileVersion(org.freedesktop.fwupd)=1.2.11;BootTime=1572859050;CompileVersion(com.redhat.efivar)=37;KernelVersion=5.3.7-301.fc31.x86_64;CompileVersion(com.redhat.fwupdate)=12','2da42a33-cd30-5ef5-a8fb-2c800a4b760f','30.00','43.0.0',NULL,NULL);
INSERT INTO history VALUES('9698faabddf0d7b18925cfbbda95f8b0d0dacc53',2,NULL,NULL,'UEFI Device Firmware','uefi',1582376629,1582376797,'5126c313a1e0079f8f8267cb11aeacb5db981f9a',541065995,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.3;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.3.8;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Enabled;RuntimeVersion(org.kernel)=5.4.20-200.fc31.x86_64;ESPMountPoint=/boot/efi;MissingCapsuleHeader=False;CompileVersion(org.freedesktop.gusb)=0.3.3;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=fedora;CpuArchitecture=x86_64;BootTime=1582376596;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 2b4bf7e243e7ed4730fbff11fa427ad0f83abd47 [N.2.3.E.T.6.9.W. ...]\n0x80000008 df2cb785a9c4432318a8ad7edf32fe8d4575fe65\n0x80000008 c5072646bb5f6e7695f4ef9c3d5b3bc6adc0a703\n0x80000008 d676c5573e13d45a86dcc36f7bd5b50187da70c7\n0x80000008 540ad44daaaf4d211d35209fe36f91e865a6210c [..........C.....]\n0x00000001 3666adabd611f55bd0fc8251bb1671c51804d971 [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473\nPCR0: decf46987dd007dd6125db6f45cc0b2409f82d45;DistroVariant=workstation;RuntimeVersion(org.freedesktop.fwupd)=1.3.8;DistroVersion=31','\n',char(10)),'3babca5f-b2bf-4f4b-a72e-2bdc84eb4019','0.1.19','0.1.20',NULL,NULL);
INSERT INTO history VALUES('04e17fcf7d3de91da49a163ffe4907855c3648be',2,NULL,NULL,'SAMSUNG MZVLB512HAJQ-000L7','nvme',1583915005,1584345555,'fce1d842cdfd56586a1418917bc304f85dea62dd',541065995,'RuntimeVersion(org.freedesktop.gusb)=0.3.3;CompileVersion(org.freedesktop.gusb)=0.3.3;RuntimeVersion(com.redhat.fwupdate)=12;CpuArchitecture=x86_64;RuntimeVersion(org.freedesktop.fwupd)=1.3.8;RuntimeVersion(org.kernel)=5.5.8-200.fc31.x86_64;DistroId=fedora;DistroVersion=31;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;CompileVersion(org.freedesktop.fwupd)=1.3.8;BootTime=1583914800;CompileVersion(com.redhat.efivar)=37;RuntimeVersion(com.dell.libsmbios)=2.4;DistroVariant=workstation;CompileVersion(com.redhat.fwupdate)=12','6e54c992-d302-59ab-b454-2d26ddd63e6d','4L2QEXA7','5L2QEXA7',NULL,NULL);
INSERT INTO history VALUES('e563ad307df81c99f0de8c26292afd71cf409673',4,NULL,NULL,'Intel Management Engine','uefi',1591620693,1591805462,'29f3983ae57fa9b336a9aa33ed3db068081d1f8c',536871179,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.4.2;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Enabled;RuntimeVersion(org.kernel)=5.6.16-300.fc32.x86_64;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=fedora;CpuArchitecture=x86_64;BootTime=1591620622;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 05d951591cc064eadc65251c7f9538e65cfae05b [N.2.3.E.T.7.1.W. ...]\n0x80000008 408444351bc8232b37994fc143b04e5437ec7a3b\n0x80000008 0128cacfd393a4a310bd8a743aa3d49403cd2d57\n0x80000008 d676c5573e13d45a86dcc36f7bd5b50187da70c7\n0x80000008 36f61f37f3b44d8ea475a0d41170709f6ce64801 [..........C.....]\n0x00000001 3666adabd611f55bd0fc8251bb1671c51804d971 [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473\nPCR0: 5d4b82aea54bcae523e836d3d48b603f260c78a0;DistroVariant=workstation;RuntimeVersion(org.freedesktop.fwupd)=1.4.2;DistroVersion=32','\n',char(10)),'42a0a96e-c9f3-438f-9687-7826be33e4ce','184.70.3626','184.77.3664',NULL,NULL);
INSERT INTO history VALUES('1c53551e7da69d896138fac1ae131c83ad46d923',4,NULL,NULL,'System Firmware','uefi',1591620693,1591805466,'8fb89cdcf5ff5d9d5cb6a1441b59a71150f7b091',570425611,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.4.2;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Enabled;RuntimeVersion(org.kernel)=5.6.16-300.fc32.x86_64;ESPMountPoint=/boot/efi;MissingCapsuleHeader=True;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=fedora;CpuArchitecture=x86_64;BootTime=1591620622;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 05d951591cc064eadc65251c7f9538e65cfae05b [N.2.3.E.T.7.1.W. ...]\n0x80000008 408444351bc8232b37994fc143b04e5437ec7a3b\n0x80000008 0128cacfd393a4a310bd8a743aa3d49403cd2d57\n0x80000008 d676c5573e13d45a86dcc36f7bd5b50187da70c7\n0x80000008 36f61f37f3b44d8ea475a0d41170709f6ce64801 [..........C.....]\n0x00000001 3666adabd611f55bd0fc8251bb1671c51804d971 [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473\nPCR0: 5d4b82aea54bcae523e836d3d48b603f260c78a0;DistroVariant=workstation;RuntimeVersion(org.freedesktop.fwupd)=1.4.2;DistroVersion=32','\n',char(10)),'a4b51dca-8f97-4310-8821-3330f83c9135','0.1.46','0.1.48','5d4b82aea54bcae523e836d3d48b603f260c78a0',NULL);
CREATE TABLE approved_firmware (checksum TEXT);
COMMIT;

bin101 commented 4 years ago

I think I have the same problem on my T490 with fwupd 1.4.0/1.4.2. I scheduled updates and on reboot manually started the boot option to install the capsules. First I get this output:

[image]

and after a direct retry, I get this:

[image]

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE schema (created timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,version INTEGER DEFAULT 0);
INSERT INTO schema VALUES('2020-05-18 20:14:58',5);
CREATE TABLE history (device_id TEXT,update_state INTEGER DEFAULT 0,update_error TEXT,filename TEXT,display_name TEXT,plugin TEXT,device_created INTEGER DEFAULT 0,device_modified INTEGER DEFAULT 0,checksum TEXT DEFAULT NULL,flags INTEGER DEFAULT 0,metadata TEXT DEFAULT NULL,guid_default TEXT DEFAULT NULL,version_old TEXT,version_new TEXT,checksum_device TEXT DEFAULT NULL,protocol TEXT DEFAULT NULL);
INSERT INTO history VALUES('489f23b2ba9c1adf3e9f9f10598c98ba5c6bba39',4,NULL,NULL,'Embedded Controller','uefi',1591807252,1591807259,'4280e0af1d49b2c3b7f780f8238ee6b383b26df2',536871179,'BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.4.0;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Enabled;RuntimeVersion(org.kernel)=5.6.15-1-MANJARO;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=manjaro;CpuArchitecture=x86_64;BootTime=1591807213;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;RuntimeVersion(org.freedesktop.fwupd)=1.4.0','38ea6335-29ca-417b-8cd4-6b4e5e866f92','0.1.17','0.1.19',NULL,NULL);
INSERT INTO history VALUES('6150dd1f7291b0709289ab8a53cc85a17e117ef2',4,NULL,NULL,'System Firmware','uefi',1591807252,1591807260,'57ee7ea7b28da5c14ac3a3a5ba258b28eaa07fa4',570425611,'BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.4.0;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Enabled;RuntimeVersion(org.kernel)=5.6.15-1-MANJARO;ESPMountPoint=/boot/efi;MissingCapsuleHeader=True;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=manjaro;CpuArchitecture=x86_64;BootTime=1591807213;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;RuntimeVersion(org.freedesktop.fwupd)=1.4.0','603baf73-b997-45b5-86b4-2f981a008e18','0.1.65','0.1.66','160b89545d700a05fefaef170964f18d9f52d6ad',NULL);
CREATE TABLE approved_firmware (checksum TEXT);
COMMIT;

fcelda commented 4 years ago

My history table seems to have a record for the failed update:

INSERT INTO history VALUES('e563ad307df81c99f0de8c26292afd71cf409673',4,'failed to update to 3091598890: unsuccessful',NULL,'Intel Management Engine','uefi',1591767329,1591767405,'29f3983ae57fa9b336a9aa33ed3db068081d1f8c',541065483,replace('BootMgrDesc=legacy;RuntimeVersion(org.freedesktop.gusb)=0.3.4;CompileVersion(com.redhat.fwupdate)=12;RuntimeVersion(com.redhat.fwupdate)=12;CompileVersion(org.freedesktop.fwupd)=1.4.2;SecureBoot=Disabled;CompileVersion(com.redhat.efivar)=37;UEFIUXCapsule=Enabled;RuntimeVersion(org.kernel)=5.6.16-300.fc32.x86_64;CompileVersion(org.freedesktop.gusb)=0.3.4;RuntimeVersion(com.dell.libsmbios)=2.4;DistroId=fedora;CpuArchitecture=x86_64;BootTime=1591767296;RuntimeVersion(org.freedesktop.appstream-glib)=0.7.14;TpmEventLog=0x00000008 3ce88c5d04b2344974b25bedc2632a76596fe6c8 [N.2.3.E.T.7.3.W. ...]\n0x80000008 2f30062a8057055e5b206183ece1731aa3d519be\n0x80000008 e7188b86c4ea2fbadb527013169ca9c9ef6edae3\n0x80000008 d676c5573e13d45a86dcc36f7bd5b50187da70c7\n0x80000008 ccd1e7b9cc8632b146600f656a11f076a6dc7a34 [..........C.....]\n0x00000001 6f346d6577a514e47971240313fcb51704d0dd6a [ACPI DATA]\n0x00000001 b0469aa139a98ebeae9693588554bab11e19724c [ACPI DATA]\n0x00000004 9069ca78e7450a285173431b3e52c5c25299e473\nPCR0: ccde86410bd4f8ed8ee316665cfa9abc6af8b963;DistroVariant=workstation;RuntimeVersion(org.freedesktop.fwupd)=1.4.2;DistroVersion=32','\n',char(10)),'42a0a96e-c9f3-438f-9687-7826be33e4ce','184.70.3626','184.77.3664',NULL,NULL);

hughsie commented 4 years ago

@bin101 the "Unsupported" error is where your system BIOS is too old to apply the ME update. Lenovo should have added a suitable requirement on the system firmware version for the ME update.

hughsie commented 4 years ago

INSERT INTO history VALUES('e563ad307df81c99f0de8c26292afd71cf409673',4,'failed to update to 3091598890: unsuccessful',

4 means FWUPD_UPDATE_STATE_NEEDS_REBOOT which is correct. Can you share the same thing when you've scheduled the update, rebooted, and then booted back into Linux please.
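
Added example (not part of the thread and not fwupd's own code): a triage script for the pending.db history table dumped above, flagging rows still in state 4 although the machine has booted since the row was last modified. The sample rows are constructed, and both the state names other than 4 and the boot-time heuristic are assumptions of this example.

```python
import sqlite3

# FwupdUpdateState: 4 = NEEDS_REBOOT is stated in the thread; the other names
# follow fwupd's enum as an assumption of this example.
UPDATE_STATE = {0: "unknown", 1: "pending", 2: "success",
                3: "failed", 4: "needs-reboot", 5: "failed-transient"}
NEEDS_REBOOT = 4

# Subset of the history columns shown in the dumps above.
SCHEMA = """CREATE TABLE history (
    device_id TEXT, update_state INTEGER DEFAULT 0, update_error TEXT,
    display_name TEXT, plugin TEXT, device_created INTEGER DEFAULT 0,
    device_modified INTEGER DEFAULT 0, metadata TEXT DEFAULT NULL,
    version_old TEXT, version_new TEXT)"""

# Constructed rows modelled on the thread; ids and timestamps are made up.
SAMPLE_ROWS = [
    ("id-tbt", 2, None, "Thunderbolt Controller", "thunderbolt", 1000, 0,
     "BootTime=900;ThunderboltNative=True", "14.00", "20.00"),
    ("id-me", 4, None, "Intel Management Engine", "uefi", 2000, 2100,
     "BootTime=1900;SecureBoot=Disabled;TpmEventLog=0x00000008 aa\n0x00000001 bb",
     "184.70.3626", "184.77.3664"),
    ("id-me-b", 4, "failed to update to 3091598890: unsuccessful",
     "Intel Management Engine", "uefi", 2000, 2200,
     "BootTime=1900;SecureBoot=Disabled", "184.70.3626", "184.77.3664"),
    ("id-bios", 4, None, "System Firmware", "uefi", 5100, 5200,
     "BootTime=5000;MissingCapsuleHeader=True", "0.1.46", "0.1.48"),
]


def build_sample_db():
    """In-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO history VALUES (?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def parse_metadata(blob):
    """Split 'Key=Value;Key=Value'; values such as TpmEventLog may span lines."""
    fields = {}
    for item in (blob or "").split(";"):
        key, sep, value = item.partition("=")
        if sep:
            fields[key.strip()] = value
    return fields


def current_boot_time(path="/proc/stat"):
    """Boot time of the running Linux system (the 'btime' line), epoch seconds."""
    with open(path) as fh:
        for line in fh:
            if line.startswith("btime "):
                return int(line.split()[1])
    raise RuntimeError("btime not found in " + path)


def triage(conn, boot_time):
    """Rows still in needs-reboot although a boot happened after they were written.

    Heuristic (assumption): device_modified is set when the update is
    scheduled, so a later boot_time means the reboot took place and no
    result was written back.
    """
    query = ("SELECT device_id, display_name, update_state, update_error, "
             "device_modified, metadata, version_old, version_new "
             "FROM history ORDER BY device_modified")
    findings = []
    for dev, name, state, error, modified, metadata, old, new in conn.execute(query):
        if state != NEEDS_REBOOT or modified >= boot_time:
            continue  # finished, or scheduled during the current boot
        meta = parse_metadata(metadata)
        findings.append({
            "device_id": dev,
            "name": name,
            "state": UPDATE_STATE.get(state, "unknown"),
            "versions": (old, new),
            "error": error,
            "silent": error is None,  # nothing recorded at all
            "secure_boot": meta.get("SecureBoot"),
            "missing_capsule_header": meta.get("MissingCapsuleHeader"),
        })
    return findings


if __name__ == "__main__":
    # On a real machine, open the database read-only instead:
    #   sqlite3.connect("file:/var/lib/fwupd/pending.db?mode=ro", uri=True)
    # and pass current_boot_time() as boot_time.
    for f in triage(build_sample_db(), boot_time=5000):
        kind = "no status recorded" if f["silent"] else f["error"]
        print(f"{f['name']} {f['versions'][0]} -> {f['versions'][1]}: {kind}")
```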

hughsie commented 4 years ago

I'd also appreciate if anyone hitting this could install the wip/hughsie/fu_engine_update_history_device branch and see if that correctly detects the case where the firmware does not set LastAttemptStatus.

bin101 commented 4 years ago

@bin101 the "Unsupported" error is where your system BIOS is too old to apply the ME update. Lenovo should have added a suitable requirement on the system firmware version for the ME update.

@hughsie I am not trying to update the ME, I got the response for an EC (0.1.17 to 0.1.19) and system firmware (1.65 to 1.66) update. But I think this will not change anything? Can I keep waiting for a fix from Lenovo or do I need to update "manually" via a bootable USB stick etc.?

fcelda commented 4 years ago

INSERT INTO history VALUES('e563ad307df81c99f0de8c26292afd71cf409673',4,'failed to update to 3091598890: unsuccessful',

4 means FWUPD_UPDATE_STATE_NEEDS_REBOOT which is correct. Can you share the same thing when you've scheduled the update, rebooted, and then booted back into Linux please.

What do you mean by scheduling the update? I just run fwupdmgr update. Is that OK or should I try something else?

# fwupdmgr update 
• Thunderbolt Controller has the latest available firmware version
• Embedded Controller has the latest available firmware version
Upgrade available for Intel Management Engine from 184.70.3626 to 184.77.3664
20KH002RUS must remain plugged into a power source for the duration of the update to avoid damage. Continue with update? [Y|n]: y
Downloading 184.77.3664 for Intel Management Engine...
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Updating Intel Management Engine…                                ]
Scheduling…              [***************************************]
Successfully installed firmware
• System Firmware has the latest available firmware version
• UEFI Device Firmware has no available firmware updates
• WDC PC SN720 SDAQNTW-512G-1001 has the latest available firmware version

An update requires a reboot to complete. Restart now? [y|N]: y

The laptop rebooted into the fwupdx64.efi, the capsule was found, then the machine restarted again, the Lenovo firmware update screen just flashed, and finally the machine rebooted back to Linux.

The firmware is still at the old version and I don't see any new entry in the history table. The last entry is the one I shared previously.

I'd also appreciate if anyone hitting this could install the wip/hughsie/fu_engine_update_history_device branch and see if that correctly detects the case where the firmware does not set LastAttemptStatus.

I'm going to try if I manage to build an RPM with the updated sources. I will report back.

pschichtel commented 4 years ago

I'm also affected. Archlinux with both fwupd 1.3.9 and 1.4.2 and boot order lock disabled.

@hughsie I also rebuilt the Arch package using the branch you mentioned and it detected the failure now. I reported the history.

fcelda commented 4 years ago

I'd also appreciate if anyone hitting this could install the wip/hughsie/fu_engine_update_history_device branch and see if that correctly detects the case where the firmware does not set LastAttemptStatus.

I'm going to try if I manage to build an RPM with the updated sources. I will report back.

I can confirm that the failure is correctly recorded with this branch. I've submitted the report as well.

Also, RPM for Fedora 32 built from wip/hughsie/fu_engine_update_history_device is in my COPR repo. It will be deleted in 60 days.

johannbg commented 4 years ago

(X1CG6) Got a start invalid parameter error. Did a factory BIOS configuration reset and still got the error so that workaround does not work. The boot order lock was not enabled as well.

xvitaly commented 4 years ago

How can I remove these broken UEFI capsules and UEFI Boot entry?

kmauleon commented 4 years ago

Perhaps it will be useful to collate the following information from the material people have posted on this page.

Machines affected

  • T480
  • X1CG6
  • X1CG7

OSs affected

  • Arch
  • Fedora
  • Mint
  • NixOS
  • Pop
  • Ubuntu

Has this problem occurred before, with Lenovo computers? Yes

Reports of whether the affected machine has 'boot order lock' set in the BIOS

  • Set/enabled: none
  • Not set/disabled: five [but I am going to stop updating this total now]

EDITED for grammar and to add information about 'boot order lock'.

Hi, Are you sure X1CG7 has this problem? MEFW version of this system should be 192.xx.xxxx And I have not set the latest version to stable yet... please confirm...Thank you very much.