osresearch / safeboot

Scripts to slightly improve the security of the Linux boot process with UEFI Secure Boot and TPM support
https://safeboot.dev/
GNU General Public License v2.0

fwupd integration with safeboot #63

Open osresearch opened 4 years ago

osresearch commented 4 years ago

The Linux firmware update service uses an EFI executable to orchestrate firmware updates, which will require that it be signed by the platform key to work with safeboot. Signing the new PCRs in recovery mode (#56) will also need to be fixed since the PCR0 and others will change.

osresearch commented 4 years ago

fwupdmgr update tries to write to /root/.cache/fwupd, which fails on a read-only root filesystem. Providing a fake one with mount -t tmpfs none /root allows it to store its data (#64)

It schedules a reboot automatically via capsules, although the debug log disappeared before I could see it. ~Disabling secure boot is necessary.~

osresearch commented 4 years ago

This page shows how to use sbsign with the platform keys to sign /usr/lib/fwupd/efi/fwupdx64.efi: https://wiki.archlinux.org/index.php/Fwupd#Secure_Boot

The config files are in /etc/fwupd/uefi.conf.

There is a merged PR that computes updated PCR0: https://github.com/fwupd/fwupd/pull/1311

osresearch commented 4 years ago

And updating my X1 Gen 5 to 1.48 wouldn't reboot until I entered setup and exited with no changes. This broke all the PCRs, as expected, including the tpm2-totp values. Also remember that the PCRs need to be signed on a clean boot; entering setup or the boot menu guarantees broken PCR4 since the boot path isn't directly into the kernel EFI stub.

sudo safeboot pcrs-sign
sudo tpm2-totp -p abcd reseal
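A small helper, added here and not part of safeboot or the comment above, that compares two saved PCR listings and reports which registers moved, so you can confirm that only the expected PCRs (PCR0 for the firmware update, PCR4 if the boot path went through setup) changed before re-running pcrs-sign and reseal. It assumes the listings are in the "sha256:" / "  N : 0x..." layout printed by tpm2_pcrread; the two listings below are constructed sample data standing in for real output.

```shell
#!/bin/sh
# Constructed sample listings in tpm2_pcrread layout (assumed format),
# not real TPM output. Only PCR0 and PCR4 differ between them.
BEFORE='sha256:
  0 : 0x1111111111111111111111111111111111111111111111111111111111111111
  2 : 0x2222222222222222222222222222222222222222222222222222222222222222
  4 : 0x4444444444444444444444444444444444444444444444444444444444444444
  7 : 0x7777777777777777777777777777777777777777777777777777777777777777'
AFTER='sha256:
  0 : 0xAAAA111111111111111111111111111111111111111111111111111111111111
  2 : 0x2222222222222222222222222222222222222222222222222222222222222222
  4 : 0xAAAA444444444444444444444444444444444444444444444444444444444444
  7 : 0x7777777777777777777777777777777777777777777777777777777777777777'

# pcr_get INDEX LISTING: print the value recorded for PCR INDEX in
# LISTING, or nothing if that index is not present.
pcr_get() {
    printf '%s\n' "$2" | sed -n "s/^ *$1 *: *\(0x[0-9A-Fa-f]*\).*/\1/p"
}

# pcr_diff OLD NEW: print "index old-value new-value" for every PCR that
# appears in both listings with a different value. Prints nothing when the
# listings agree. Bank header lines ("sha256:") and blank lines are skipped.
pcr_diff() {
    printf '%s\n' "$1" | while IFS=' :' read -r idx old; do
        case "$idx" in *[!0-9]*|'') continue ;; esac
        new=$(pcr_get "$idx" "$2")
        if [ -n "$new" ] && [ "$old" != "$new" ]; then
            printf '%s %s %s\n' "$idx" "$old" "$new"
        fi
    done
}

# With a real TPM: tpm2_pcrread sha256 > before.txt (before the update),
# again into after.txt after the clean reboot, then
#   pcr_diff "$(cat before.txt)" "$(cat after.txt)"
pcr_diff "$BEFORE" "$AFTER"
```

Anything other than the PCRs you expect to move (here 0 and 4) means the boot was not clean and the signatures should not be refreshed yet.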