I checked the latest M1V307 firmware for the N150 12Gb version of the ME Mini, which still holds the pkfail-compromised Secure Boot certificates. I run Ubuntu Server on this device (which I’m very happy with), which gave me this message in the morning:
3 devices have a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
Last login: Wed Sep 24 18:32:08 2025 from 192.168.0.xxx
root@beelink:~# fwupdmgr get-upgrades
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates:
• KINGSTON xxx
• Lexar SSD xxx
• Lexar SSD xxx
• Lexar SSD xxx
• Windows Production PCA
AZW ME mini
├─KEK CA:
Device ID: b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7
Current version: 2011
Vendor: Microsoft (UEFI:Microsoft)
GUIDs: 814e950f-1449-566a-a190-42c9d3a3a2df ← UEFI\VENDOR_Microsoft&NAME_Microsoft-KEK-CA
dfa66406-6568-5bdf-bb8e-b53ddb4be4cf ← UEFI\CRT_9F402B1CC0243CBEDC58A525789816CCCA7687A9
Device Flags: • Internal device
• Updatable
• Supported on remote server
• Needs a reboot after installation
• Device is usable for the duration of the update
• Signed Payload
• Can tag for emulation
├─Secure Boot KEK Configuration Update:
New version: 2023
Remote ID: lvfs
Release ID: 113893
Summary: UEFI Secure Boot Key Exchange Key
Variant: AMI
License: Proprietary
Size: 2.8 kB
Created: 2025-04-29
Urgency: High
Vendor: Linux Foundation
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the UEFI Signature Database (the "KEK") to the latest release from Microsoft, signed by DO NOT TRUST - AMI Test PK.
Checksum: 103ebd21a803540296daff93fa7e1595bf323b4db78fbc6287aed945ab5965fb
The “DO NOT TRUST - AMI Test PK” is a known compromised firmware (see for instance https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem for detailed info).
The M1V305 firmware seemed to suggest this was fixed, given the name of the firmware zip file, but that firmware also has the compromised parts in it.
Is Beelink aware? Are you working on getting this structurally fixed?
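
Added example, not part of the original post and not Beelink or fwupd code: a way to check the enrolled Platform Key on a running Linux system for the test-key marker quoted above. It parses the `EFI_SIGNATURE_LIST` in the efivarfs `PK` variable and does a byte search of each X.509 entry for the "DO NOT TRUST" / "DO NOT SHIP" strings that Binarly's PKfail write-up associates with test keys. The byte search is a heuristic rather than a full certificate parse, and `build_sample_pk` only builds constructed test input.

```python
import struct, sys, uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MARKERS = ("DO NOT TRUST", "DO NOT SHIP")  # strings reported for PKfail test keys
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def signature_entries(var_data, has_attr_prefix=True):
    """Yield (type_guid, owner_guid, data) for every entry in a PK/KEK/db variable."""
    buf = var_data[4:] if has_attr_prefix else var_data  # efivarfs prepends 4 attribute bytes
    off = 0
    while off + 28 <= len(buf):
        sig_type = uuid.UUID(bytes_le=buf[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", buf, off + 16)
        if list_size < 28 or sig_size < 16 or off + list_size > len(buf):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=buf[pos:pos + 16])
            yield sig_type, owner, buf[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def find_test_keys(var_data, has_attr_prefix=True):
    """Return [(owner_guid, marker)] for X.509 entries containing a test-key marker."""
    hits = []
    for sig_type, owner, data in signature_entries(var_data, has_attr_prefix):
        if sig_type != EFI_CERT_X509_GUID:
            continue  # hash entries and other types carry no subject name
        for marker in MARKERS:
            # Names may be stored as PrintableString/UTF8String or BMPString (UTF-16BE)
            if marker.encode("ascii") in data or marker.encode("utf-16-be") in data:
                hits.append((str(owner), marker))
    return hits

def build_sample_pk(common_name):
    """Constructed sample: a PK variable whose 'certificate' is just placeholder bytes."""
    fake_cert = b"\x30\x82" + b"\x00" * 6 + common_name.encode("ascii")
    entry = uuid.UUID(int=0).bytes_le + fake_cert
    header = EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + len(entry), 0, len(entry))
    return struct.pack("<I", 0x27) + header + entry  # 0x27 = NV|BS|RT|time-based auth

if __name__ == "__main__":
    with open(sys.argv[1] if len(sys.argv) > 1 else PK_PATH, "rb") as fh:
        found = find_test_keys(fh.read())
    for owner, marker in found:
        print("PK entry (owner %s) contains test-key marker: %s" % (owner, marker))
    sys.exit(1 if found else 0)
```

Run it as root on the device with no arguments to read the live `PK` variable; the exit status is 1 when a marker is found.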