Framework 13 / 13th Gen BIOS 3.0.7 -> 3.08 BIOS upgrade results in failure to read EFI vars when dbx is empty (or has been altered) #76

@jyundt

Description

Device Information

FRANDECP07 / FRANMCCP07

System Model or SKU

Please select one of the following

  • Framework Laptop 13 (11th Gen Intel® Core™)
  • Framework Laptop 13 (12th Gen Intel® Core™)
  • Framework Laptop 13 (13th Gen Intel® Core™)
  • Framework Laptop 13 (AMD Ryzen™ 7040 Series)
  • Framework Laptop 13 (Intel® Core™ Ultra Series 1)
  • Framework Laptop 16 (AMD Ryzen™ 7040 Series)

BIOS VERSION

Upgrading from 3.07 -> 3.08

# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 3.4 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
	Vendor: INSYDE Corp.
	Version: 03.08
	Release Date: 05/29/2025
	Address: 0xE0000
	Runtime Size: 128 kB
	ROM Size: 16 MB
	Characteristics:
		PCI is supported
		BIOS is upgradeable
		BIOS shadowing is allowed
		Boot from CD is supported
		Selectable boot is supported
		8042 keyboard services are supported (int 9h)
		CGA/mono video services are supported (int 10h)
		ACPI is supported
		USB legacy is supported
		BIOS boot specification is supported
		Targeted content distribution is supported
		UEFI is supported
	BIOS Revision: 3.8

DIY Edition information

N/A

Port/Peripheral information

N/A

Standalone Operation

N/A

Describe the bug

I upgraded to BIOS 3.08 (from 3.07) via LVFS. After the upgrade, I'm unable to check SecureBoot status, read EFI vars or read/modify efibootmgr settings.

Example:

root@athena:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 22.04.5 LTS
Release:	22.04
Codename:	jammy
root@athena:~# uname -a
Linux athena 6.8.0-60-generic #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
root@athena:~# efibootmgr -v
No BootOrder is set; firmware will attempt recovery
root@athena:~# efi-readvar 
Variable PK has no entries
Variable KEK has no entries
Variable db has no entries
Variable dbx has no entries
Variable MokList has no entries
root@athena:~# mokutil --sb-state
This system doesn't support Secure Boot
root@athena:~# dmidecode -t 0
# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 3.4 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
	Vendor: INSYDE Corp.
	Version: 03.08
	Release Date: 05/29/2025
	Address: 0xE0000
	Runtime Size: 128 kB
	ROM Size: 16 MB
	Characteristics:
		PCI is supported
		BIOS is upgradeable
		BIOS shadowing is allowed
		Boot from CD is supported
		Selectable boot is supported
		8042 keyboard services are supported (int 9h)
		CGA/mono video services are supported (int 10h)
		ACPI is supported
		USB legacy is supported
		BIOS boot specification is supported
		Targeted content distribution is supported
		UEFI is supported
	BIOS Revision: 3.8

root@athena:~# mount | grep -i efivarfs
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
root@athena:~# ls /sys/firmware/efi/efivars/
dbDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c   H2OFormDialogConfig-98ae8272-ce5a-46be-9f5d-d9f9cbbb99f2    MebxCfg-ed6d18b3-16bd-40d8-8950-f0c592f6fa16         SecureBootData-aa1305b9-01f3-4afb-920e-c9b979a852fd
dbxDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c  IP6_CONFIG_IFR_NVDATA-02eea107-98db-400e-9830-460a1542d799  PasswordConfig-f72deef6-13ef-4958-b027-0e45ce7fa45e  Tcg2ConfigInfo-07a66697-d400-4903-b3da-67a61d2b7058
FeData-1f2d63e1-febd-4dc7-9cc5-ba2b1cef9c5b      KEKDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c             PKDefault-8be4df61-93ca-11d2-aa0d-00e098032b8c       WIFI_MANAGER_IFR_NVDATA-3441803e-5a88-4941-82f0-858a1085276c
root@athena:~# 

Steps To Reproduce

Steps to reproduce the behavior:

  1. Upgrade BIOS from 3.07 -> 3.08 via LVFS
  2. reboot

Expected behavior

I would expect these SB/efibootmgr/efi-readvar commands to work, similar to 3.07 and other BIOS versions.

Screenshots

n/a

Operating System (please complete the following information):

See above, but

root@athena:~# uname -a
Linux athena 6.8.0-60-generic #63~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Apr 22 19:00:15 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
root@athena:~# cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
root@athena:~# 

Additional context

I'm going to try to downgrade to 3.07, but given that efibootmgr doesn't work, I don't think LVFS will be able to modify the boot order to flash FW.

I manually rebooted into the Insyde BIOS menu and confirmed that my boot order settings and SecureBoot setup were still present / configured properly; this just appears to be an issue with querying/modifying this via an OS.
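
A quick check for the condition reported above, as an added example that is not part of the original report or of Framework's tooling: it lists which of the standard variables queried by `efibootmgr`, `efi-readvar` and `mokutil` are absent from efivarfs and decodes `SecureBoot` directly. The function names are hypothetical; the second GUID is the UEFI image security database GUID under which `db` and `dbx` are stored.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical.
EFI_GLOBAL=8be4df61-93ca-11d2-aa0d-00e098032b8c          # EFI_GLOBAL_VARIABLE (GUID seen in the listing above)
EFI_IMAGE_SECURITY=d719b2cb-3d3a-4596-a3bc-dad00e67656f  # EFI_IMAGE_SECURITY_DATABASE_GUID (db, dbx)

# missing_efi_vars DIR: print each expected variable that has no file in DIR.
missing_efi_vars() {
    d=${1:-/sys/firmware/efi/efivars}
    for v in SecureBoot PK KEK BootOrder; do
        [ -e "$d/$v-$EFI_GLOBAL" ] || printf '%s\n' "$v"
    done
    for v in db dbx; do
        [ -e "$d/$v-$EFI_IMAGE_SECURITY" ] || printf '%s\n' "$v"
    done
}

# secure_boot_state DIR: print enabled, disabled or unreadable.
# An efivarfs file is 4 bytes of attributes followed by the variable data;
# the SecureBoot data is a single byte (1 = enabled, 0 = disabled).
secure_boot_state() {
    f="${1:-/sys/firmware/efi/efivars}/SecureBoot-$EFI_GLOBAL"
    [ -r "$f" ] || { echo unreadable; return 0; }
    case $(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n') in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unreadable ;;
    esac
}

# Report for the live mount, or for a directory given as the first argument.
target=${1:-/sys/firmware/efi/efivars}
echo "SecureBoot: $(secure_boot_state "$target")"
echo "Missing standard variables: $(missing_efi_vars "$target" | tr '\n' ' ')"
```

On the efivarfs listing shown in the report, where only the `*Default` and vendor variables are exposed, all six names would be reported missing and the state would be `unreadable`.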
