Surface Book 2 hangs at vendor logo after firmware upgrade #619

Open
megascrapper opened this issue Oct 14, 2023 · 2 comments
@megascrapper

This was originally posted at linux-surface/linux-surface#1162 with reports that after upgrading the UEFI firmware to 394.651.768.0 it is no longer able to boot any Linux system.

I recently upgraded to a (maybe) slightly newer firmware 394.779.368.0 and the issue is still somewhat present. I used rEFInd + shim with locally generated keys (via rEFInd's --localkeys option).

My efibootmgr -v output:

BootCurrent: 0008
Timeout: 0 seconds
BootOrder: 0008,0006,0005,0004,0007,0001,0002,0003
Boot0000* SurfaceFrontPage	FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(4042708a-0f2d-4823-ac60-0d77b3111889)
      dp: 04 07 14 00 67 d5 81 a8 b0 6c ee 4e 84 35 2e 72 d3 3e 45 b5 / 04 06 14 00 8a 70 42 40 2d 0f 23 48 ac 60 0d 77 b3 11 18 89 / 7f ff 04 00
Boot0001* Internal Storage	FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)53444400
      dp: 04 07 14 00 67 d5 81 a8 b0 6c ee 4e 84 35 2e 72 d3 3e 45 b5 / 04 06 14 00 71 00 67 50 8f 47 e7 4b ad 13 87 54 f3 79 c6 2f / 7f ff 04 00
    data: 53 44 44 00
Boot0002* USB Storage	FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)55534200
      dp: 04 07 14 00 67 d5 81 a8 b0 6c ee 4e 84 35 2e 72 d3 3e 45 b5 / 04 06 14 00 71 00 67 50 8f 47 e7 4b ad 13 87 54 f3 79 c6 2f / 7f ff 04 00
    data: 55 53 42 00
Boot0003  PXE Network	FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(50670071-478f-4be7-ad13-8754f379c62f)50584500
      dp: 04 07 14 00 67 d5 81 a8 b0 6c ee 4e 84 35 2e 72 d3 3e 45 b5 / 04 06 14 00 71 00 67 50 8f 47 e7 4b ad 13 87 54 f3 79 c6 2f / 7f ff 04 00
    data: 50 58 45 00
Boot0004  rEFInd Boot Manager	HD(1,GPT,8e1a917b-a82d-4955-826e-bedfbec4bbce,0x800,0x82000)/File(\EFI\refind\refind_x64.efi)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 20 08 00 00 00 00 00 7b 91 1a 8e 2d a8 55 49 82 6e be df be c4 bb ce 02 02 / 04 04 3a 00 5c 00 45 00 46 00 49 00 5c 00 72 00 65 00 66 00 69 00 6e 00 64 00 5c 00 72 00 65 00 66 00 69 00 6e 00 64 00 5f 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
Boot0005  rEFInd Boot Manager (direct)	HD(1,GPT,8e1a917b-a82d-4955-826e-bedfbec4bbce,0x800,0x82000)/File(\EFI\refind\grubx64.efi)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 20 08 00 00 00 00 00 7b 91 1a 8e 2d a8 55 49 82 6e be df be c4 bb ce 02 02 / 04 04 34 00 5c 00 45 00 46 00 49 00 5c 00 72 00 65 00 66 00 69 00 6e 00 64 00 5c 00 67 00 72 00 75 00 62 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
Boot0006  rEFInd Boot Manager	HD(1,GPT,8e1a917b-a82d-4955-826e-bedfbec4bbce,0x800,0x82000)/File(\EFI\refind\shimx64.efi)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 20 08 00 00 00 00 00 7b 91 1a 8e 2d a8 55 49 82 6e be df be c4 bb ce 02 02 / 04 04 34 00 5c 00 45 00 46 00 49 00 5c 00 72 00 65 00 66 00 69 00 6e 00 64 00 5c 00 73 00 68 00 69 00 6d 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
Boot0007  Windows Boot Manager	HD(1,GPT,8e1a917b-a82d-4955-826e-bedfbec4bbce,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)57494e444f5753000100000088000000780000004200430044004f0042004a004500430054003d007b00390064006500610038003600320063002d0035006300640064002d0034006500370030002d0061006300630031002d006600330032006200330034003400640034003700390035007d00000035000100000010000000040000007fff0400
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 20 08 00 00 00 00 00 7b 91 1a 8e 2d a8 55 49 82 6e be df be c4 bb ce 02 02 / 04 04 46 00 5c 00 45 00 46 00 49 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5c 00 42 00 6f 00 6f 00 74 00 5c 00 62 00 6f 00 6f 00 74 00 6d 00 67 00 66 00 77 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
    data: 57 49 4e 44 4f 57 53 00 01 00 00 00 88 00 00 00 78 00 00 00 42 00 43 00 44 00 4f 00 42 00 4a 00 45 00 43 00 54 00 3d 00 7b 00 39 00 64 00 65 00 61 00 38 00 36 00 32 00 63 00 2d 00 35 00 63 00 64 00 64 00 2d 00 34 00 65 00 37 00 30 00 2d 00 61 00 63 00 63 00 31 00 2d 00 66 00 33 00 32 00 62 00 33 00 34 00 34 00 64 00 34 00 37 00 39 00 35 00 7d 00 00 00 35 00 01 00 00 00 10 00 00 00 04 00 00 00 7f ff 04 00
Boot0008* rEFInd Boot Manager	HD(1,GPT,8e1a917b-a82d-4955-826e-bedfbec4bbce,0x800,0x82000)/File(\EFI\refind\PreLoader.efi)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 20 08 00 00 00 00 00 7b 91 1a 8e 2d a8 55 49 82 6e be df be c4 bb ce 02 02 / 04 04 38 00 5c 00 45 00 46 00 49 00 5c 00 72 00 65 00 66 00 69 00 6e 00 64 00 5c 00 50 00 72 00 65 00 4c 00 6f 00 61 00 64 00 65 00 72 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00

What works

  • Booting directly to rEFInd (entries Boot0004 or Boot0005 of above output) with Secure Boot disabled
  • Using PreLoader (Boot0008) to replace shim
    • Since PreLoader doesn't work with keys, you'll need to enrol the hashes of refind and any kernel images

What doesn't work

  • Booting directly to rEFInd with Secure Boot enabled. The binaries are silently rejected and it automatically boots to Windows instead.
    • This is normal behaviour when you're trying to execute unsigned EFI binaries
  • Booting via shim (Boot0006) with or without Secure Boot. Stuck at Microsoft logo

I should also mention that Ventoy worked perfectly even with shim + Secure Boot, so it could be something with the combination of refind + shim + firmware 394.779.368.0 wreaking havoc on things. Since booting directly to refind works, I don't have any reason to believe the issue is with refind.

Environment

  • Shim version: 15.6 (from AUR which in turn uses the Fedora binaries)
  • rEFInd version: 0.14.0.2
  • Hardware model: Surface Book 2 13"
  • Kernel version: 6.5.6-arch2-1-surface
  • Distribution: Arch Linux
@TriMoon

TriMoon commented Nov 27, 2023

If the only change you did was upgrading your BIOS, then most likely it also updated the SecureBoot database files.
In that update they must have blacklisted the hashes/signatures that worked prior to your BIOS upgrade...

@jsetje
Collaborator

jsetje commented Apr 16, 2024

I suspect that this firmware update enabled NX at boot time. There are a couple of pieces of work underway to fully enable NX at boot time for Linux distros.

I don't know what, if any, fallback compatibility the firmware may implement; if it does, its behavior may change from boot to boot.
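
One way to check the NX hypothesis from the last comment against a local EFI binary is to read the PE header fields that relate to NX. This is an added example, not code from the thread or from shim or rEFInd; it assumes the relevant properties are the NX_COMPAT bit in DllCharacteristics and sections that are both writable and executable, which the thread does not confirm for this firmware, and the two sample images are constructed header-only stand-ins.

```python
import struct

NX_COMPAT = 0x0100                  # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000   # IMAGE_SCN_MEM_* flags

def nx_report(image: bytes) -> dict:
    """Read the NX-relevant header fields of a PE32+ (x64) EFI image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (n_sections,) = struct.unpack_from("<H", image, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", image, pe_off + 20)
    opt = pe_off + 24                                      # optional header
    if struct.unpack_from("<H", image, opt)[0] != 0x20B:
        raise ValueError("expected a PE32+ optional header")
    (section_align,) = struct.unpack_from("<I", image, opt + 32)
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    wx = []
    for i in range(n_sections):                            # 40-byte headers
        hdr = opt + opt_size + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, hdr + 36)
        if flags & MEM_EXECUTE and flags & MEM_WRITE:
            wx.append(name)
    return {"nx_compat": bool(dll_chars & NX_COMPAT),
            "section_alignment": section_align, "wx_sections": wx}

def constructed_image(dll_chars: int, sections) -> bytes:
    """Constructed sample: headers only, just enough for nx_report()."""
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)       # SectionAlignment
    struct.pack_into("<H", opt, 70, dll_chars)    # DllCharacteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0)
    table = b"".join(n.ljust(8, b"\0") + bytes(28) + struct.pack("<I", f)
                     for n, f in sections)
    return b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed stand-ins, not real shim or rEFInd binaries.
LEGACY = constructed_image(0, [(b".text", 0xE0000020), (b".data", 0xC0000040)])
NX_READY = constructed_image(NX_COMPAT, [(b".text", 0x60000020), (b".data", 0xC0000040)])

if __name__ == "__main__":
    print("legacy  :", nx_report(LEGACY))
    print("nx-ready:", nx_report(NX_READY))
```

To inspect a real file, pass its bytes to `nx_report()`, for example the contents of `\EFI\refind\shimx64.efi` from the ESP shown in the boot entries above.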
