Ubuntu

Unable to update firmware with fwupdmgr

Asked by Jon Anders Skorpen

When attempting to update the OptiPlex 5070 firmware, everything seems okay, but after reboot the firmware has not updated.

dmesg reports this when running fwupdmgr update:
[ 1933.303824] Lockdown: fwupdtool: /dev/mem,kmem,port is restricted; see man kernel_lockdown.7

I can't find any way to disable the kernel lockdown. Sysrq + x does not do anything.

I am running Ubuntu server 20.04 (updated from 19.10). I believe this is a bug, but wanted to ask here before filing a report.

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

Are you running the command prefixed with sudo?

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#2

What is the output of:

lsb_release -a; uname -a; apt-cache policy fwupd

Thanks

Revision history for this message
Jon Anders Skorpen (jaskorpe) said : 		#3

Yes, I do run that command with sudo prefixed.

Output of lsb_release -a; uname -a; apt-cache policy fwupd:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu Focal Fossa (development branch)
Release: 20.04
Codename: focal
Linux achilles 5.4.0-21-generic #25-Ubuntu SMP Sat Mar 28 13:10:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
fwupd:
  Installed: 1.3.9-3
  Candidate: 1.3.9-3
  Version table:
 *** 1.3.9-3 500
        500 http://no.archive.ubuntu.com/ubuntu focal/main amd64 Packages
        100 /var/lib/dpkg/status

Revision history for this message
Manfred Hampl (m-hampl) said : 		#4

Do you have secure boot enabled? There were discussions that kernel lockdown is automatically enabled and cannot be disabled when secure boot is active.

Revision history for this message
Jon Anders Skorpen (jaskorpe) said : 		#5

Yes, I have secure boot enabled. There was previously a sysrq combo to disable the kernel lockdown, but that does not seem to work any more (and is not listed in the sysrq help either).

My aim for asking this here was to double check, but I do want to file this as a bug.

Revision history for this message
Manfred Hampl (m-hampl) said : 		#6

That was I meant in my previous message:
It seems that starting with a certain kernel version kernel_lockdown can no more be disabled, when the system is started with secure boot. Apparently focal's kernel version is high enough to have this "feature".

Revision history for this message
Manfred Hampl (m-hampl) said : 		#7

Reference to the discussion that I meant above: https://mjg59.dreamwidth.org/50577.html

Can you help with this problem?

Provide an answer of your own, or ask Jon Anders Skorpen for more information if necessary.

To post a message you must log in.