From 5d913ea80c688c838282914d1014dac576875990 Mon Sep 17 00:00:00 2001
From: Kévin Le Gouguec <kevin.legouguec@gmail.com>
Date: Sat, 8 Feb 2025 12:22:44 +0100
Subject: Do the thing

Current regret level: mild.
---
 guides/sysadmin/machines/amdahl30/maintenance.org | 52 +++++++++++++++++++++++
 1 file changed, 52 insertions(+)

(limited to 'guides/sysadmin')

diff --git a/guides/sysadmin/machines/amdahl30/maintenance.org b/guides/sysadmin/machines/amdahl30/maintenance.org
index 3fcd3fe..53d25db 100644
--- a/guides/sysadmin/machines/amdahl30/maintenance.org
+++ b/guides/sysadmin/machines/amdahl30/maintenance.org
@@ -19,6 +19,7 @@ So the thing is loud, it always spins at full speed, and if one day it
 decides to become even louder than usual, you're SOL.
 * Motherboard
 ** Firmware updates
+*** Prologue
 Quoth ~fwupdmgr get-devices~:
 
 #+begin_example
@@ -93,6 +94,57 @@ my desktop station… not bricked?
 
 Pity, because otherwise I've had smooth and incident-free firmware
 updates on other stations with ~fwupdmgr~ 🤷
+*** But then
+{{{narrator(waves vaguely toward [[file:killing-time.org][that whole debacle]])}}}
+*** Our protagonist sets forth
+Put the =.2G1= file on the USB stick, rebooted into UEFI, rebooted
+into "M-Flash", did the thing, rebooted.
+
+Predictably:
+#+begin_example
+Entering rescue mode...
+grub rescue> help
+Unknown command `help'.
+grub rescue>
+#+end_example
+
+=ls='d and =set='d around, browsed a couple of online posts from
+similarly marooned comrades.  QWERTY wore me down before I could
+damage things further; disabled Secure Boot on a whim and lo!  It
+Booteþ Again!
+*** But doþ it fwupdate þough?
+#+begin_example
+$ fwupdmgr update
+WARNING: UEFI capsule updates not available or enabled in firmware setup
+See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
+#+end_example
+😾
+
+{{{ad(But wait\, there's more!)}}}
+
+#+begin_example
+╔══════════════════════════════════════════════════════════════════════════════╗
+║ Upgrade UEFI dbx from 20230501 to 20241101?                                  ║
+╠══════════════════════════════════════════════════════════════════════════════╣
+║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
+║ release from Microsoft.                                                      ║
+║                                                                              ║
+║ An insecure version of Howyar's SysReturn software was added, due to a       ║
+║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
+║                                                                              ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+Perform operation? [Y|n]: n
+Devices with no available firmware updates:
+ • SA400S37480G
+ • SSD 980 500GB
+#+end_example
+
+Getting mixed signals here.
+*** Can I have Secure Boot back though?
+Off the top of my head:
+- that dbx update?
+- ~sudo blarney-grub2 --pretty -pls --with-sugar=top --with-sugar=top~?
+- dracut?
 * SSD
 LDLC's off-brand SSD died, fortunately within the warranty period.
 Replaced it, and… I guess I should shoehorn a joke about "a descent
-- 
cgit v1.2.3