Debian 11's version of the Secure Boot shim is a bugged version (< 15.7) that doesn't parse arguments properly  . fwupdmgr uses these arguments to boot an EFI application that then triggers a system firmware update.
To do my firmware update, I need to obtain a working / patched version of the shim, and swap it in. Because I'll be building it, it's not going to be signed correctly, so I need to un-wind the changes once the firmware update has finished.
- sudo apt-get build-dep shim
- sudo apt-get install libefivar-dev # New dependency that apt won't be aware of yet
- git clone https://salsa.debian.org/efi-team/shim.git
- dpkg-buildpackage -uc -b
- sudo dpkg -i ../shim-unsigned_15.7-1~deb11u1_amd64.deb
- sudo mv /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/debian/shimx64-154.efi
- sudo cp /usr/lib/shim/shimx64.efi /boot/efi/EFI/debian/shimx64.efi
- Now reboot into your EFI firmware's setup / configuration tool, and disable Secure Boot. Save and exit.
- Alternatively try sudo mokutil --disable-validation
- Next, boot the Linux-Firmware-Updater entry in your EFI boot menu. The system will probably immediately reboot, and start a firmware update.
- Once that is complete, boot back into debian again.
- sudo apt-get install shim-unsigned=15.4-7
- sudo mv /boot/efi/EFI/debian/shimx64-154.efi /boot/efi/EFI/debian/shimx64.efi
- Re-enable Secureboot.
- Again, might be possible with sudo mokutil --enable-validation