Interaction between "Option ROM" hash and fwupd
The FAQ mentions that we can enroll the checksums of firmware usually signed by the Microsoft CA.
What happens if the firmware is upgraded, for example with fwupd? I'd presume the checksum would need to be updated but maybe I'm missing something (like: it's not the same firmware we're talking about?).
The checksum would likely change. So you would need to disable Secure Boot. I think this can be done with a simple sbctl reset before doing a fwupdmgr update. Then you can do sbctl enroll-keys --tpm-eventlog when you have rebooted. But I would probably just try that before using fwupdmgr.
No followup, so considering this solved.