efivarfs out of space when attempting firmware update
Device Information
System Model or SKU
Framework Laptop 13 (AMD Ryzen™ 7040 Series)
BIOS VERSION
03.09
Standalone Operation
Are you running your mainboard as a standalone device. Is standalone mode enabled in the BIOS?
- Yes
- No
Describe the bug
The efivarfs filesystem mounted at /sys/firmware/efi/efivars (which, if I understand correctly, shows EFI variables stored in NVRAM) is nearly full: df -h reports the filesystem is 148 kB in size, with 135 kB used and only 8.4 kB free.
If I run fwupdmgr get-updates, it attempts to install a "Secure Boot Signature Database Configuration Update", but this fails with the following error:
Update Error: Not enough efivarfs space, requested 16.4 kB and got 13.6 kB
Steps To Reproduce
Run df -h to check available free space in the efivarfs. I don't know how you'd reproduce this if the system doesn't already have this issue, but multiple people on the community forum are reporting the same issue:
- https://community.frame.work/t/efivars-full-on-framework-13-amd-7040-series/72997
- https://community.frame.work/t/cant-update-the-3rd-party-uefi-signature-database-due-to-lack-of-space-in-efivarfs/73432
Expected behavior
Presumably the efivarfs should either have more space or, if that's not possible, should manage the use of NVRAM in a way that avoids running out of space.
Operating System (please complete the following information):
- OS/Distribution: Fedora
- Version: 42
- Linux Kernel Version: 6.15.9-201.fc42.x86_64
Additional context
The largest entries in the efivarfs (according to ls -lS /sys/firmware/efi/efivars) are:
- dbx (20.7 kB)
- dbxDefault (17.8 kB)
- WIFI_MANAGER_IFR_NVDATA (4.7 kB)
- db (4.4 kB)
- dbDefault (4.4 kB)
All other entries are smaller than 3 kB each. There are 94 entries in total (most of them very small, under 100 bytes each), and adding up their sizes gives around 73 kB (notably much smaller than the 135 kB reported by df -h).
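An added example (not part of the original issue, and not fwupd's code): a Python version of the measurement the report above does by hand with df -h and ls -lS, comparing the summed variable sizes with what the filesystem reports as used and testing whether a request of a given size would fit. The function names and the `requested` and `usage` parameters are assumptions, and the fit check uses the statvfs "available" figure, which may differ from fwupd's own accounting (the report shows 13.6 kB from fwupd against 8.4 kB from df).

```python
import os

EFIVARS = "/sys/firmware/efi/efivars"

def variable_sizes(path=EFIVARS):
    """Return [(size_bytes, name)] for each variable file, largest first."""
    sizes = []
    with os.scandir(path) as entries:
        for entry in entries:
            if entry.is_file(follow_symlinks=False):
                sizes.append((entry.stat(follow_symlinks=False).st_size, entry.name))
    return sorted(sizes, reverse=True)

def fs_usage(path=EFIVARS):
    """Filesystem-level numbers, the same ones df reports (in bytes)."""
    st = os.statvfs(path)
    total = st.f_blocks * st.f_frsize
    return {"total": total,
            "used": total - st.f_bfree * st.f_frsize,
            "avail": st.f_bavail * st.f_frsize}

def report(path=EFIVARS, requested=0, usage=None):
    """Compare per-variable sizes with filesystem usage and test a request.

    `usage` may be injected (hypothetical parameter) so the logic can be
    exercised on a directory that is not a real efivarfs mount.
    """
    sizes = variable_sizes(path)
    usage = usage if usage is not None else fs_usage(path)
    payload = sum(size for size, _ in sizes)
    return {"count": len(sizes),
            "largest": sizes[:5],
            "payload_bytes": payload,
            # Space df counts as used that no visible variable accounts for.
            "unaccounted_bytes": usage["used"] - payload,
            "fits": requested <= usage["avail"],
            "shortfall": max(0, requested - usage["avail"])}

if __name__ == "__main__":
    if not os.path.isdir(EFIVARS):
        raise SystemExit("no efivarfs mount found (not booted via UEFI?)")
    # 16.4 kB is the request size from the error message in the report.
    result = report(requested=16_400)
    for size, name in result["largest"]:
        print(f"{size:>8}  {name}")
    print({k: v for k, v in result.items() if k != "largest"})
```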
Hmm thanks, we'll look into it.
@quinchou77 has published BIOS 3.16, which updates the default DBX
https://community.frame.work/t/framework-laptop-13-ryzen-7040-bios-3-16-release-beta/73325
If you update to this BIOS and then go into the secureboot BIOS menu and reset to factory defaults, you'll get the new dbx entries and fwupd should show that you are up to date.
@JohnAZoidberg Thanks, that worked for me: I updated the BIOS to version 3.16, then reset secure boot to factory defaults from the BIOS menu, and now the efivarfs has only 49 kB used (34% full) and fwupd does indeed show that it's up to date.
I had the exact same issue.
fwupdmgr get-updates would produce the error in question.
Booting into EFI setup - Secure Boot Management => Reset Secure Boot Settings to Factory Defaults fixed the issue for me.
fwupdmgr get-updates no longer produced errors. fwupdmgr update and reboot worked as expected.
I have a Windows install using bitlocker that I don't actually use and I had enrolled multiple keys testing distros via ventoy and assume those must have been what was taking up space. 🤷
$ df -h /sys/firmware/efi/efivars
Filesystem Size Used Avail Use% Mounted on
efivarfs 148K 77K 67K 54% /sys/firmware/efi/efivars
Same here
Log
$ df -h /sys/firmware/efi/efivars
Filesystem Size Used Avail Use% Mounted on
efivarfs 148K 137K 6.1K 96% /sys/firmware/efi/efivars
$ fwupdmgr get-updates
Devices with no available firmware updates:
• Windows Production PCA
• frame.work-LaptopAMDDB
• HDMI Expansion Card
• Hub
• KEK CA
• WD BLACK SN770 500GB
• frame.work-LaptopAMDKEK
Devices with the latest available firmware version:
• Fingerprint Sensor
Framework Laptop 16 (AMD Ryzen 7040 Series)
│
├─UEFI CA:
│ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ Update Error: Not enough efivarfs space, requested 16.4 kB and got 11.3 kB
│ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ │ c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│ │ Device Flags: • Internal device
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Updatable
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ └─Secure Boot Signature Database Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 116503
│ Summary: UEFI Secure Boot Signature Database
│ License: Proprietary
│ Size: 10.0 kB
│ Created: 2025-04-29
│ Urgency: High
│ Tested: 2025-07-24
│ Distribution: nixos 25.11
│ Old version: 2011
│ Version[fwupd]: 2.0.12
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft. It also adds the latest OptionROM UEFI Signature Database update.
│ Checksum: 6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74
│
├─UEFI dbx:
│ │ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ │ Summary: UEFI revocation database
│ │ Current version: 20180401
│ │ Minimum Version: 20180401
│ │ Vendor: UEFI:Microsoft
│ │ Install Duration: 1 second
│ │ Update Error: Not enough efivarfs space, requested 30.7 kB and got 11.3 kB
│ │ GUIDs: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ │ 115f7cac-f705-5d34-9a47-37177c3e8514 ← UEFI\CRT_B38FAD316F525F27B27A21B486456C3E4279748BF16893827BF16FE659C0F75E&ARCH_X64
│ │ Device Flags: • Internal device
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Device is usable for the duration of the update
│ │ • Updatable
│ │ • Only version upgrades are allowed
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ ├─Secure Boot dbx Configuration Update:
│ │ New version: 20250507
│ │ Remote ID: lvfs
│ │ Release ID: 115586
│ │ Summary: UEFI Secure Boot Forbidden Signature Database
│ │ Variant: x64
│ │ License: Proprietary
│ │ Size: 24.0 kB
│ │ Created: 2025-01-17
│ │ Urgency: High
│ │ Tested: 2025-06-11
│ │ Distribution: fedora 42 (workstation)
│ │ Old version: 20241101
│ │ Version[fwupd]: 2.0.11
│ │ Vendor: Linux Foundation
│ │ Duration: 1 second
│ │ Release Flags: • Trusted metadata
│ │ • Is upgrade
│ │ • Tested by trusted vendor
│ │ Description:
│ │ This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
│ │
│ │ Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ │ Issues: 806555
│ │ CVE-2025-3052
│ │ Checksum: 3ebe1c9be68b6c559ed2831a0bfd891c84e6d6db9af7c61156230d79f6466648
│ │
│ └─Secure Boot dbx Configuration Update:
│ New version: 20241101
│ Remote ID: lvfs
│ Release ID: 105821
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 15.1 kB
│ Created: 2025-01-17
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
│
│ An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issues: 529659
│ CVE-2024-7344
│ Checksum: 093e6913dfecefbdaa9374a2e1caee7bf7e74c7eda847624e456e344884ba5f6
│
└─System Firmware:
│ Device ID: 7010981714ee5c9258de42216cae163ef272c7ab
│ Summary: UEFI System Resource Table device (Updated via capsule-on-disk)
│ Current version: 0.0.3.5
│ Minimum Version: 0.0.3.5
│ Vendor: Framework (DMI:INSYDE Corp.)
│ Update State: Success
│ GUID: 6ae76af1-c002-5d64-8e18-658d205acf34
│ Device Flags: • Internal device
│ • Updatable
│ • System requires external power source
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Cryptographic hash verification is available
│ • Device is usable for the duration of the update
│ Device Requests: • Message
│
└─Laptop 16 AMD Ryzen 7040 System Update:
New version: 0.0.3.6
Remote ID: lvfs-testing
Release ID: 120662
Summary: Framework Laptop 16 System Firmware for AMD Ryzen 7040 Mainboards
License: Proprietary
Size: 36.1 MB
Created: 2025-07-28
Urgency: High
Tested: 2025-07-31
Distribution: fedora 41 (workstation)
Old version: 0.0.3.6
Version[fwupd]: 1.9.30
Vendor: Framework
Duration: 2 minutes
Release Flags: • Trusted metadata
• Is upgrade
• Tested by trusted vendor
Description:
Update AMD PI1.2.0.0c; Added Framework's dbx key and update Windows Secure Boot CA;
Fixed hardware encryption on OPAL drives causes a missing boot drive issue on the next boot; Implement Battery Charge Limiting battery status; Implement the Framework EC device in BIOS;
Fixed Battery Drains on Balanced Power Profile; Fixed CPU power limits should not be limited when GPU is in boco mode
Issues: CVE-2025-4275
CVE-2025-2884
CVE-2024-49200
CVE-2024-21925
CVE-2024-0179
CVE-2024-36347
CVE-2024-36357
CVE-2024-36350
CVE-2024-36349
CVE-2024-36348
Checksum: 2e983ce287988168f816536d641a4f33d0733892f02964e819cccebdbf30e8a4
Same here with 11th-gen Intel FW Laptop 13 with BIOS 3.22 installed, running Debian testing w/ sid Security patches.
Not enough efivarfs space, requested 16,4 KB and got 10,4 KB
Reset Secure Boot Settings did not work for me.
EDIT: What worked was applying it with GNOME Software via a reboot.
We're updating the default secureboot database one by one on all systems to include the latest keys and revocations.
Once your system has the update you can update the BIOS and then reset secureboot settings to the new "factory settings".
We're also investigating the low space in efivarfs.
Some of us don't run GNOME and thus don't have GNOME Software. Any suggestions?
> Some of us don't run GNOME and thus don't have GNOME Software. Any suggestions?
GNOME Software does not do anything special, it just invokes the fwupd dbus API.
@quinchou77 have we published the table of which BIOS versions include the new microsoft secureboot config?
@mshappe, like I said above, if you're on Framework 13 AMD Ryzen 7040 Series, you can update to BIOS 3.16 and reset secureboot settings. That'll get you the latest microsoft secureboot config and make fwupd happy.
> Reset Secure Boot Settings did not work for me.
@quiteBold That's expected with BIOS 3.22. On the 11th Gen mainboard we added the new secureboot config (dbx, keys, certificates) into 3.24, see here:
https://community.frame.work/t/framework-laptop-13-11th-gen-intel-core-bios-3-24-release-beta/75534
same error on Framework 13 with AMD AI 300 and Bazzite, and reset secureboot settings did the trick for me.
After the reset and upgrade, the efivarfs used a bit more than 90KB of space, and also the Bazzite installed MoK is not affected during the reset.
We probably just have to document this somewhere.
It's a fundamental limitation of the secureboot and firmware update process. DBX updates will fill up the efivars over time - the UEFI forum and Microsoft try to slim it down and only a reset can clear the space.
Same issue on framework 12. I'm not sure what would be taking up the space.. it's a new pc and i've only installed bazzite on it..?
alluren@lavender-laptop:~$ df -h /sys/firmware/efi/efivars
Filesystem Size Used Avail Use% Mounted on
efivarfs 268K 246K 18K 94% /sys/firmware/efi/efivars
also I.. don't quite understand what I'm supposed to do to resolve this issue, sorry x.x.
Edit: Figured it out with a bit of help from nemo, ty!