Beebox N3000 KEK Certificate update issue
raichea
Posted: 8 hours 59 minutes ago at 10:01pm
With the impending expiry of Microsoft's Secure Boot certificates, I have been trying to update them with fwupdmgr on my Barebones Beebox N3000 running Lubuntu 24.04 (which has worked perfectly since I bought it). Both the UEFI db and dbx certificates have been updated successfully but the KEK certificate consistently fails. I have tried resetting the certificates in the BIOS (which meant I had to reinstall the db and dbx certificates) but the KEK one still fails.
As you'll see below, I do get a message "UEFI capsule updates not available or enabled in firmware setup". The link given and other information I've found suggest ensuring CSM is disabled (which it is) to correct this. It also mentions a setting for UEFI capsule updates, which doesn't appear to exist in my BIOS (v1.90).

The truncated progress bar and other info I've found suggest that the efivars storage space is insufficient. Here's the relevant output from df -h:

```
Filesystem      Size  Used Avail Use% Mounted on
efivarfs        128K   89K   35K  73% /sys/firmware/efi/efivars
```

Here's the console output when trying to update the KEK certs:

```
steve@beebox:~$ fwupdmgr update
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade KEK CA from 2011 to 2023                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the UEFI Signature Database (the "KEK") to the latest release   ║
║ from Microsoft, signed by Root Agency.                                       ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:
Authenticating… [***************************************]==== AUTHENTICATING FOR org.freedesktop.fwupd.update-internal-trusted ====
Authentication is required to update the firmware on this machine
Authenticating as: Steve Russell (steve)
Password:
==== AUTHENTICATION COMPLETE ====
Writing…        [******************************         ]
failed to write-firmware: failed to write (null): failed to write data to efivarsfs: Error writing to file descriptor: Invalid argument
```
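An added example, not part of the original post and not fwupd's own code: before retrying a KEK update it helps to confirm what is currently enrolled. This sketch parses the EFI_SIGNATURE_LIST layout used by the KEK, db and dbx variables and reports whether an X.509 entry contains a given subject substring. The sample blob, the owner GUID and the marker strings `KEK CA 2011` and `KEK 2K CA 2023` are assumptions constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: the list holds X.509 certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")


def parse_signature_lists(blob, efivarfs=True):
    """Yield (type_guid, owner_guid, data) for every entry in a KEK/db/dbx blob."""
    off = 4 if efivarfs else 0  # efivarfs files start with a 4-byte attributes word
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature data is not a multiple of SignatureSize")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield sig_type, owner, body[i + 16:i + sig_size]
        off += list_size


def has_certificate(blob, marker, efivarfs=True):
    """True if any X.509 entry contains `marker` (crude match on the DER bytes)."""
    return any(t == EFI_CERT_X509_GUID and marker in data
               for t, _, data in parse_signature_lists(blob, efivarfs))


def make_list(owner, cert):
    """Build one constructed EFI_SIGNATURE_LIST (sample input, not a real cert)."""
    size = 16 + len(cert)
    return (EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + size, 0, size)
            + owner.bytes_le + cert)


# Constructed sample: attributes word + one list holding a fake "2011" certificate.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")  # placeholder owner GUID
SAMPLE_KEK = struct.pack("<I", 0x27) + make_list(OWNER, b"\x30\x82 fake DER: KEK CA 2011")

if __name__ == "__main__":
    # On a real system, read the blob from efivarfs instead of SAMPLE_KEK:
    # /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c
    print("2011 present:", has_certificate(SAMPLE_KEK, b"KEK CA 2011"))
    print("2023 present:", has_certificate(SAMPLE_KEK, b"KEK 2K CA 2023"))
```

Reading the variable is non-destructive, so the same check can be run before and after any firmware-side change to see whether the 2023 entry actually landed.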
Xaltar
Posted: 7 hours 5 minutes ago at 11:55pm
I loved the Beebox when it launched, neat little machine. Really great for low power tasks.

Unfortunately I can't offer you any suggestions regarding your issue, I am only a forum moderator and as such do not speak for ASRock nor have access to their testing labs etc. That said, it may be worth opening a support ticket with them and inquiring about the "UEFI Capsule Update" setting. It may be a dead end with the Beebox N3000 being "End of Life" and thus no longer supported but it's worth a shot.

Failing that, you might have some luck checking out BIOS modding forums for tools/hacks that can enable or disable hidden UEFI settings and switches. I haven't played with this myself for a long time now, pre UEFI, but I believe there are tools out there that let you customize a BIOS from a BIOS dump.

You can open a support ticket with ASRock here: https://tw.asrock.com/events/tsd.asp?kind=MB
raichea
Posted: 5 hours 39 minutes ago at 1:21am
Thanks for your thoughts... I tried to raise a ticket but the Beebox N3000 is so old that its SNID/serial number isn't recognised.
I think I bought it in 2015 and it's been absolutely rock solid as a backup and media server. I've certainly had my money's worth from it but I'm loath to scrap it when it's still doing all I need. I'll explore some of the options you've suggested but, if all else fails, I'll just disable Secure Boot - it's in a fairly secure environment anyway.
Xaltar
Posted: 4 hours 19 minutes ago at 2:41am
That's pretty much what I have done with all my older systems. I can't bring myself to throw out perfectly good hardware that still does everything I ask of it.