Debian 11's version of the Secure Boot shim is a bugged version (< 15.7) that doesn't parse arguments properly [1] . fwupdmgr uses these arguments to boot an EFI application that then triggers a system firmware update.

To do my firmware update, I need to obtain a working / patched version of the shim, and swap it in. Because I'll be building it, it's not going to be signed correctly, so I need to un-wind the changes once the firmware update has finished.

  1. sudo apt-get build-dep shim
  2. sudo apt-get install libefivar-dev # New dependency that apt won't be aware of yet
  3. git clone
  4. dpkg-buildpackage -uc -b
  5. sudo dpkg -i ../shim-unsigned_15.7-1~deb11u1_amd64.deb
  6. sudo mv /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/debian/shimx64-154.efi
  7. sudo cp /usr/lib/shim/shimx64.efi /boot/efi/EFI/debian/shimx64.efi
  8. Now reboot into your EFI firmware's setup / configuration tool, and disable Secure Boot. Save and exit.
    • Alternatively try sudo mokutil --disable-validation
  9. Next, boot the Linux-Firmware-Updater entry in your EFI boot menu. The system will probably immediately reboot, and start a firmware update.
  10. Once that is complete, boot back into debian again.
  11. sudo apt-get install shim-unsigned=15.4-7
  12. sudo mv /boot/efi/EFI/debian/shimx64-154.efi /boot/efi/EFI/debian/shimx64.efi
  13. Re-enable Secureboot.
    • Again, might be possible with sudo mokutil --enable-validation