Debian 11 ships a buggy version of the Secure Boot shim (< 15.7) that doesn't parse its arguments properly [1]. fwupdmgr relies on these arguments to boot an EFI application that then triggers a system firmware update.

To do my firmware update, I need to obtain a working (patched) version of the shim and swap it in. Because I'll be building it myself, it won't be signed correctly, so I need to unwind the changes once the firmware update has finished.

  1. sudo apt-get build-dep shim
  2. sudo apt-get install libefivar-dev # New dependency that apt won't be aware of yet
  3. git clone https://salsa.debian.org/efi-team/shim.git
  4. dpkg-buildpackage -uc -b # Run this from inside the cloned shim directory
  5. sudo dpkg -i ../shim-unsigned_15.7-1~deb11u1_amd64.deb
  6. sudo mv /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/debian/shimx64-154.efi
  7. sudo cp /usr/lib/shim/shimx64.efi /boot/efi/EFI/debian/shimx64.efi
  8. Now reboot into your EFI firmware's setup / configuration tool, and disable Secure Boot. Save and exit.
    • Alternatively try sudo mokutil --disable-validation
  9. Next, boot the Linux-Firmware-Updater entry in your EFI boot menu. The system will probably immediately reboot, and start a firmware update.
  10. Once that is complete, boot back into Debian again.
  11. sudo apt-get install shim-unsigned=15.4-7
  12. sudo mv /boot/efi/EFI/debian/shimx64-154.efi /boot/efi/EFI/debian/shimx64.efi
  13. Re-enable Secure Boot.
    • Again, might be possible with sudo mokutil --enable-validation
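
A check to wrap around the swap, added here as an example and not part of the original post: record the hash of the distro-signed shim before step 6, then after step 13 confirm that the same file is back in place and that the firmware reports Secure Boot as enabled. The function names, the state-file argument and the record/check subcommands are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# state-file argument are assumptions; all paths are passed in by the caller.

# SecureBoot variable in efivarfs, under the EFI global-variable GUID.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Before step 6: store the SHA-256 of the signed shim.
record_shim() {            # record_shim SHIM STATEFILE
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# After step 12: succeed only if the file in place matches the recorded hash.
verify_shim() {            # verify_shim SHIM STATEFILE
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$2")" ]
}

# efivarfs files hold 4 attribute bytes, then the data. SecureBoot is a
# single data byte: 1 = enabled, 0 = disabled.
secure_boot_enabled() {    # secure_boot_enabled [EFIVAR_FILE]
    f=${1:-$SB_VAR}
    [ -r "$f" ] || return 2
    [ "$(od -An -tu1 -j4 -N1 "$f" | tr -d ' \n')" = "1" ]
}

# After step 13: both conditions must hold before the rollback counts as done.
check_rollback() {         # check_rollback SHIM STATEFILE [EFIVAR_FILE]
    verify_shim "$1" "$2" ||
        { echo "FAIL: $1 does not match the recorded signed shim"; return 1; }
    secure_boot_enabled "${3:-$SB_VAR}" ||
        { echo "FAIL: firmware does not report Secure Boot as enabled"; return 1; }
    echo "OK: signed shim restored and Secure Boot enabled"
}

# Usage: script record SHIM STATEFILE   (before the swap)
#        script check  SHIM STATEFILE   (after re-enabling Secure Boot)
case "${1:-}" in
    record) record_shim "$2" "$3" ;;
    check)  check_rollback "$2" "$3" ;;
esac
```

If validation was turned off with mokutil rather than in the firmware setup, the firmware variable does not reflect that shim-level setting, so also look at the output of mokutil --sb-state.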
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=995155