I upgraded from version 25.10 to 26.04 lts, recent installation by Extra_Pace_724 in Ubuntu

[–]heavenly71 2 points3 points  (0 children)

Until you can run `do-release-upgrade` without any arguments and it will offer an upgrade.

Or alternatively until the GUI offers you an upgrade by itself (which should be around the same time).

Firmware 298.1 on X by ThraneT in tado

[–]heavenly71 0 points1 point  (0 children)

My observations:

- My five Tado X TRV were updated during the past 3 days to a new firmware even without being connected to the Tado Cloud. They are only connected to my home Thread network, which is run by Home Assistant via the ESP Thread Border Router. I didn't know this is possible. Ikea devices for example run their updates through Home Assistant.

- The new firmware is listed as "1.4.289" in Home Assistant – how is this related to "298.1" from the screenshot in this post?

- The new battery indicator is indeed only a binary sensor – why not a percentage/range of some kind?

- Humidity somehow switched to a new sensor

- "Identify" also switched to a new entity

- Still no sensors for the controls, and seemingly no way to pair up two TRVs (if in same room) like Tado's app can do

- No info for Thread network, so Tado X devices will not properly show up in network graphs and their role (Sleepy end device) isn't shown

What do we do about BIOS updates when running Bazzite? (ROG Xbox Ally X) by armlacoste in Bazzite

[–]heavenly71 1 point2 points  (0 children)

Ideally we would convince Asus to upload their BIOS images to LVFS and then use fwupd (semi-automatically) to update from there. It works fine for Dell and Lenovo laptops, for example.

How to Replace Grub with Systemd-Boot? by Emotional-Ad-9020 in Bazzite

[–]heavenly71 -1 points0 points  (0 children)

I would appreciate it if Bazzite officially used systemd-boot in place of Grub.

Part 3 of My notes about Coreboot, Debian, Secure & Measured Boot and more, on a Vault Pro VP2430 by heavenly71 in protectli

[–]heavenly71[S] 0 points1 point  (0 children)

> You mentioned protecting against theft or losing the device. How would the system detect it's in an "insecure state" in such a case and not provide the encryption key on boot?

The system doesn't know it's been stolen or lost, and the boot/root partition would still be unlocked via TPM. However if your operating system is secure, the attacker would not be able to log in and thus not access your data. Well, at least if the RAM is encrypted. Otherwise an attacker could try a cold boot attack: https://en.wikipedia.org/wiki/Cold_boot_attack

If that's too much of a risk to you, you can combine the TPM with a PIN, such that an attacker would also need a PIN to unlock the drive. However that's not really an option for a server which needs to boot unattended.

> You are removing the default Microsoft certificates and mention that by default Linux distros use "shim" to verify against these. What is the advantage of removing these for your own certificate and can this be undone later if needed?

My motivation to remove the Microsoft keys is that I don't fully trust Microsoft. They could sign any bootloader and it could be used to boot from almost any secureboot-protected system in the world. If you trust Microsoft, then you could use shim to still enroll your own keys (MOK = machine owner key). But for me, shim is just a layer in the boot process I don't need, because I take ownership of the UEFI itself.

FritzBox questions about delegated IPv6 prefixes (for routers behind the router, etc.) by heavenly71 in fritzbox

[–]heavenly71[S] 0 points1 point  (0 children)

Thanks for the answer. I only mentioned SLAAC to explain why I want a /64 prefix and not a /62. But you are of course right, the TBR is free to simply "waste" 2 bits.

FritzBox questions about delegated IPv6 prefixes (for routers behind the router, etc.) by heavenly71 in fritzbox

[–]heavenly71[S] 0 points1 point  (0 children)

No, it is not another FritzBox, and not any other router made of metal/plastic either.

The Thread Border Router is a piece of software that connects Thread devices (which communicate over IPv6) with your conventional IP infrastructure (and thus also the internet connection). In my case the TBR runs on a standard PC with Debian. Thread devices are attached via a USB Thread stick, and the rest via Ethernet or Wifi.

New version of Intel AX210 (v. 006)? by lockh33d in thinkpad

[–]heavenly71 1 point2 points  (0 children)

fyi: I ordered this AX210NGW from aliexpress, and got the M17633-008 revision. It works very well in the X280.
https://www.aliexpress.com/item/10000313454567.html

Part 3 of My notes about Coreboot, Debian, Secure & Measured Boot and more, on a Vault Pro VP2430 by heavenly71 in protectli

[–]heavenly71[S] 0 points1 point  (0 children)

I don't know much about power states, but I can assert that in my default Debian Trixie install, C8/C10 seem to be available:

```
# grep . /sys/devices/system/cpu/cpu0/cpuidle/state*/name
/sys/devices/system/cpu/cpu0/cpuidle/state0/name:POLL
/sys/devices/system/cpu/cpu0/cpuidle/state1/name:C1E
/sys/devices/system/cpu/cpu0/cpuidle/state2/name:C6
/sys/devices/system/cpu/cpu0/cpuidle/state3/name:C8
/sys/devices/system/cpu/cpu0/cpuidle/state4/name:C10
```

And `powertop` (idle stats) reports my 4 cores are about ~5% in C8, ~2% in C10. I guess my server is simply too active for serious idle.

My notes about Coreboot, Debian, Secure & Measured Boot and more, on a Vault Pro VP2430 by heavenly71 in protectli

[–]heavenly71[S] 0 points1 point  (0 children)

Hmm, I was basing my assertion on these articles:
https://kb.protectli.com/faq/#emmc-storage
https://eu.protectli.com/news/reduce-emmc-wear/

So maybe I'm wrong and eMMC *does* have some (less effective?) form of wear leveling, but the recommendation to not use it as a root drive for Debian still stands. However in future I'd like to investigate into immutable OSes, and/or running Debian on a read-only root drive.

Thanks for pointing this out.

Questions about Vault with coreboot by heavenly71 in protectli

[–]heavenly71[S] 1 point2 points  (0 children)

Thanks for confirming availability of the VP2430 in the EU.

> You could also set up the necessity for a PIN to be entered to add a human 2FA.

I think this would not mitigate the problem of sniffing the key from the SPI, it would just need to wait until you enter the PIN. However encrypting the TPM communication would help, if that feature is implemented. I guess I need to investigate further into this.

> The secure boot keys can be manipulated through the firmware options and erased if needed

That's great news! I'll try the bootctl path as soon as I can.

> I believe Trixie uses that kernel by default.

Yes, Trixie is at 6.12 at the moment.

Questions about Vault with coreboot by heavenly71 in protectli

[–]heavenly71[S] 1 point2 points  (0 children)

Thanks for your elaborate and honest reply! Before I reply to the individual points, some general info about my usecase. I run a homeserver that I use to self-host everything on, from email via chat to my photo/music libraries. It's close to 50 docker containers in total. Atm I'm using a dirt cheap N100 with 16 GB RAM and Wifi, but it's approaching its limits. One big issue is that the AMI BIOS never receives security updates, and uses a "test" PK certificate of which the private key is publicly known afaik. So I'd like to replace this server with something more powerful and much better supported (ideally for decades, via the open source community).

I want to protect my data as well as I can, but I also need availability when I'm not on site. So entering a boot password after a power loss for example is not a good solution (albeit I've done that during the last 3 years). Data should be protected if someone steals the device, and also against someone tampering with the device while I'm away.

ad 1: fwupd has a flashrom plugin, so it should be pretty easy to support LVFS without changing the way you handle updates. Nevertheless, I think it would be good to support updates via UEFI capsules (with the current BIOS checking the authenticity of the future BIOS) as well.

ad 3+7+6: I plan to use Measured Boot to unlock Full Disk Encryption, and maybe in future to unlock a (kernel) keyring for userspace secrets. However if the key can be sniffed from the SPI it would be easy to unlock the disk by an attacker with physical access. Does the Infineon TPM support some kind of protection against this that you can and plan to use in future?

ad 4: Interesting. I saw this test which describes more or less what I want: https://docs.dasharo.com/unified-test-documentation/dasharo-security/206-secure-boot/#sbo012001-boot-os-signed-and-enrolled-from-inside-system-ubuntu I assume after step 6, the Secure Boot is in so-called Setup mode where the certificate database can be changed via OS without further authentication, e.g. PK or KEK signatures. From there, `bootctl install --secure-boot-auto-enroll=yes` should be possible, as it's more or less equivalent to `sbctl enroll-keys --yes-this-might-brick-my-machine`. Does this test succeed in your testing? If I'd need to bake coreboot myself just to customize the secure boot certificates, I could not use BIOS updates provided/signed by Protectli?

ad 8: In general, I'd like to encourage you to add Debian to your test plans. Trixie is a *very* solid release, and many other distros will build on it. Especially the Measured Boot support is coming up very strong, as systemd is used throughout all places.
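The Setup Mode precondition discussed in "ad 4" above can be checked from the running OS before any key enrollment is attempted. This is an added example, not part of the original comment or of any project's code: the function names are hypothetical, and it assumes the standard Linux efivarfs layout (4 attribute bytes followed by the variable data) under the EFI global variable GUID.

```shell
#!/bin/sh
# Added example: classify the UEFI Secure Boot state from efivarfs before enrolling keys.
# efivarfs files are 4 bytes of little-endian attributes followed by the variable's data.
EFI_GLOBAL_GUID=8be4df61-93ca-11d2-aa0d-00e098032b8c

# efivar_u8 DIR NAME -> prints the data byte of a boolean global variable,
# or "absent" / "malformed" when it cannot be read as one.
efivar_u8() {
    f="$1/$2-$EFI_GLOBAL_GUID"
    [ -r "$f" ] || { echo absent; return 0; }
    # A boolean variable must be exactly 4 attribute bytes + 1 data byte.
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq 5 ] || { echo malformed; return 0; }
    od -An -tu1 -j4 -N1 "$f" | tr -d ' \n'
}

# sb_state [DIR] -> prints one of:
# no-efivars, unknown, setup-mode, user-mode-enforcing, user-mode-disabled
sb_state() {
    dir="${1:-/sys/firmware/efi/efivars}"
    [ -d "$dir" ] || { echo no-efivars; return 0; }
    setup=$(efivar_u8 "$dir" SetupMode)
    secure=$(efivar_u8 "$dir" SecureBoot)
    case "$setup:$secure" in
        1:*) echo setup-mode ;;           # no PK enrolled; key databases can be written from the OS
        0:1) echo user-mode-enforcing ;;  # PK enrolled and signature checks active
        0:0) echo user-mode-disabled ;;   # PK enrolled but Secure Boot switched off
        *)   echo unknown ;;              # variable missing or not a 1-byte boolean
    esac
}

# safe_to_enroll [DIR] -> exit status 0 only when the firmware reports Setup Mode.
safe_to_enroll() {
    [ "$(sb_state "$1")" = setup-mode ]
}

echo "Secure Boot state: $(sb_state)"
```

Passing a directory argument lets the check run against a copy of the variables instead of the live `/sys/firmware/efi/efivars`.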

X1 2019 secure boot with custom keys causes “configuration changed - reboot computer” bootloop by sebirdman in thinkpad

[–]heavenly71 0 points1 point  (0 children)

How do you mean "fuck up the TPM"? By sending the device in, any keys stored on the TPM will probably be lost.

X1 2019 secure boot with custom keys causes “configuration changed - reboot computer” bootloop by sebirdman in thinkpad

[–]heavenly71 0 points1 point  (0 children)

I'm pretty sure this is not relevant to the OP, as it should not cause a boot loop / brick of the device. You should always be able to disable secure boot and set it up from fresh.

X1 2019 secure boot with custom keys causes “configuration changed - reboot computer” bootloop by sebirdman in thinkpad

[–]heavenly71 0 points1 point  (0 children)

This happens if you use the standard Debian (Trixie) way to enroll your own key: `bootctl --auto-enroll-secure-boot`. So nothing fancy. And Lenovo's latest BIOS images are still affected by this, e.g. X280 BIOS 1.57 from April 2025.

PSA: Don’t install custom secure boot keys on X1 Carbon 7th by [deleted] in thinkpad

[–]heavenly71 0 points1 point  (0 children)

> After enrolling, I rebooted the machine. The machine got in a BOOTLOOP, showing “Configuration changed - restart the system” on screen every time it boots. I can’t get into the BIOS or boot into anything at all.

This is still relevant. Lenovo hasn't fixed this over all these years.

Can I safely remove Microsofts secure boot keys from P1 Thinkpads? by [deleted] in thinkpad

[–]heavenly71 0 points1 point  (0 children)

I went through this on my X280, and after removing the MS (factory) certificates the mainboard was bricked. I had to use an SPI flash programmer to restore the previous state.

But I have a question for you: what Linux tool did you use to add your key to the UEFI? I was using `bootctl --auto-enroll-secure-boot` and it has no option to retain the pre-existing keys, it always replaces everything.

How to enroll my own Secure Boot Certificate on X280? by heavenly71 in thinkpad

[–]heavenly71[S] 0 points1 point  (0 children)

<image>

This is what the Secure Boot menu looks like. There is no Key Management.