As far as I can tell, the firmware version I'm using (3.4) is the latest.
It it the most recent version available from the SuperMicro Support page
for this motherboard:
https://www.supermicro.com/en/support/resources/downloadcenter/MBD-X10SLH-F

I also had a recent email conversation with their support for an unrelated
issue where they confirmed 3.4 is the current release. I believe this
motherboard is also EOL for SuperMicro, so further updates to support
secure boot are unlikely.

On Mon, Jul 13, 2026 at 9:48 AM Steve McIntyre <[email protected]> wrote:

> Also, while I think...
>
> Have you checked to see if there are any firmware updates for this
> machine? This may well be fixed there, if so.
>
> On Mon, Jul 13, 2026 at 01:55:33PM +0100, Steve McIntyre wrote:
> >Hi Steven,
> >
> >Thanks for your bug report!
> >
> >On Mon, Jul 13, 2026 at 12:30:19AM -0400, Steven Santamorena wrote:
> >>Package: shim-signed
> >>Version: 1.51~1+deb13u1+16.1-2~deb13u1
> >>Severity: important
> >>X-Debbugs-Cc: [email protected]
> >>
> >>Dear Maintainer,
> >>
> >>Upgrading shim-signed from 1.47+15.8-1 to
> >>1.51~1+deb13u1+16.1-2~deb13u1 fails in the package pre-installation
> >>script on a system whose firmware supports UEFI booting but
> >>apparently does not implement UEFI Secure Boot variables.
> >>
> >>The system is a Supermicro X10SLH-F. It is booted in UEFI mode, and
> >>efivarfs is mounted normally. However, the firmware does not expose
> >>the SetupMode or SecureBoot variables, and the Aptio firmware setup
> >>utility contains no Secure Boot configuration menus.
> >>
> >>The failure occurred during a routine upgrade:
> >>
> >>    apt update && apt upgrade -y
> >>
> >>The relevant output was:
> >>
> >>    Preparing to unpack
> .../shim-signed_1.51~1+deb13u1+16.1-2~deb13u1_amd64.deb ...
> >>    shim-signed: checking if we can safely install
> /usr/lib/shim/shimx64.efi.signed
> >>    Unexpected output from mokutil:
> >>    """
> >>    Failed to read "SetupMode" variable: No such file or directory
> >>    """
> >>    Please report this as a bug agsinst shim-signed, including the above
> information.
> >>    dpkg: error processing archive
> .../shim-signed_1.51~1+deb13u1+16.1-2~deb13u1_amd64.deb (--unpack):
> >>     new shim-signed:amd64 package pre-installation script subprocess
> returned error exit status 1
> >
> >Argh. That's annoying behaviour that I've not seen before despite a
> >lot of testing on a range of different systems. :-(
> >
> >I'll get working on a fix for this ASAP.
> >
> >Again, thanks for the bug report and thanks even more for the
> >diagnostics you've included here - it's just what I need.
> >
> >>The package upgrade therefore aborts and leaves dpkg in a partially
> >>completed transaction.
> >>
> >>   * What led up to the situation?
> >>   * What exactly did you do (or not do) that was effective (or
> >>     ineffective)?
> >>   * What was the outcome of this action?
> >>   * What outcome did you expect instead?
> >>
> >>The following checks confirm that the machine is booted using UEFI and
> that efivarfs is mounted:
> >>
> >>   $ test -d /sys/firmware/efi && echo UEFI
> >>   UEFI
> >>
> >>   $ findmnt /sys/firmware/efi/efivars
> >>   TARGET                    SOURCE   FSTYPE   OPTIONS
> >>   /sys/firmware/efi/efivars efivarfs efivarfs
> rw,nosuid,nodev,noexec,relatime
> >>
> >>mokutil produces:
> >>
> >>   $ mokutil --sb-state
> >>   Failed to read "SetupMode" variable: No such file or directory
> >>
> >>The motherboard firmware supports normal UEFI booting, EFI boot entries,
> and EFI runtime variables, but appears not to
> >>implement Secure Boot.
> >>There are no Secure Boot, Key Management, PK, KEK, db, or dbx settings
> in the motherboard's firmware setup utility.
> >>
> >>Expected result:
> >>
> >>The package should recognize firmware without Secure Boot support, or
> allow installation to continue with a warning or
> >>explicit administrator override.
> >>
> >>Actual result:
> >>
> >>The pre-installation script treats mokutil's failure to read SetupMode
> as fatal and blocks the complete apt/dpkg transaction.
> >>
> >>This system was originally installed by the Debian installer in UEFI
> mode.
> >>shim-signed was installed automatically as part of that installation;
> Secure Boot was not enabled.
> >>
> >>Motherboard:
> >>    Manufacturer: Supermicro
> >>    Model: X10SLH-F
> >>    BIOS version: 3.4
> >>    BIOS release date: 01/21/2021
> >>
> >>Please let me know if additional EFI variable or firmware information
> would be useful.
> >>
> >>
> >>-- System Information:
> >>Debian Release: 13.6
> >>  APT prefers stable-updates
> >>  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
> 'stable')
> >>Architecture: amd64 (x86_64)
> >>
> >>Kernel: Linux 6.12.95+deb13-amd64 (SMP w/8 CPU threads; PREEMPT)
> >>Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE
> not set
> >>Shell: /bin/sh linked to /usr/bin/dash
> >>Init: systemd (via /run/systemd/system)
> >>LSM: AppArmor: enabled
> >>
> >>Versions of packages shim-signed depends on:
> >>ii  grub-efi-amd64-bin         2.12-9+deb13u2
> >>ii  grub2-common               2.12-9+deb13u2
> >>ii  shim-helpers-amd64-signed  1+16.1+2~deb13u1
> >>ii  shim-signed-common         1.51~1+deb13u1+16.1-2~deb13u1
> >>
> >>shim-signed recommends no packages.
> >>
> >>shim-signed suggests no packages.
> >>
> >>-- debconf information:
> >>  shim-signed/revoked-sig:
> >>  shim-signed/no-valid-sigs:
> >>
> >--
> >Steve McIntyre, Cambridge, UK.
> [email protected]
> >"Every time you use Tcl, God kills a kitten." -- Malcolm Ray
> >
> --
> Steve McIntyre, Cambridge, UK.
> [email protected]
>   Mature Sporty Personal
>   More Innovation More Adult
>   A Man in Dandism
>   Powered Midship Specialty
>
>

Reply via email to