4

There is an update of the Secure Boot DBX, from 77 to 217. It cannot be installed because grub is old. I have switched Secure Boot off in the BIOS. What is the DBX update? I am not going to install it. Ubuntu 22.04.1.

sudo fwupdmgr update
Devices with no available firmware updates: 
 • 670p ******************* 512GB
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Распаковка…              [***************************************]
Распаковка…              [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Перезапуск устройства…   [***************************************]
Запись…                  [***************************************]
Распаковка…              [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [***************************] is present in dbx

Mahler
  • 739

1 Answer

2

As someone said in one of the comments to your question, this looks very similar to other questions on many forums. The solution seems to be the removal of an old file that isn't being updated anymore, which causes the upgrade manager (fwupdmgr) to block the update because one of the files in the boot directory is going to be suppressed by the dbx update for not being signed as required. This is a security thing to avoid your machine being unable to boot after the upgrade. The solution I've seen to this is to move the file into your documents, for example, and delete it once you've made sure everything still works fine. See the topic "Impossible to update UEFI dbx" for the details, where the problematic file is /boot/efi/EFI/Boot/shimx64.efi.
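What the "Authenticode checksum ... is present in dbx" line is checking, as an added example (not fwupd's code and not part of the original post): the digest covers the image contents but not its checksum field or attached signature, so a leftover copy of an old boot binary is flagged wherever it sits in the ESP. The sketch assumes a conventional image layout (sections in file order, signature at the end of the file); `sample_image`, `blocked_files`, the image contents and the second path are constructed for the demo.

```python
import hashlib
import struct

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 over a PE image, skipping the fields Authenticode excludes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24  # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # PE32+ vs PE32
    checksum = opt + 64        # CheckSum field, 4 bytes
    cert_entry = dirs + 4 * 8  # data directory 4: certificate table
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_entry)
    end = cert_off if cert_len else len(pe)  # assumed: signature is the file tail
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:cert_entry], pe[cert_entry + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def blocked_files(images: dict, dbx: set) -> list:
    """Paths whose image digest appears in the forbidden-hash set."""
    return sorted(p for p, data in images.items() if authenticode_sha256(data) in dbx)

def sample_image(body: bytes, checksum: int = 0, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ blob for the demo; not a bootable binary."""
    hdr = bytearray(0x40 + 24 + 240)  # DOS header + PE/COFF + optional header
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<I", hdr, opt + 64, checksum)
    if signature:
        struct.pack_into("<II", hdr, opt + 112 + 32, len(hdr) + len(body), len(signature))
    return bytes(hdr) + body + signature

if __name__ == "__main__":
    old, new = b"old grub code", b"new grub code"   # constructed contents
    dbx = {authenticode_sha256(sample_image(old))}  # constructed forbidden entry
    esp = {
        "/boot/efi/efi.factory/boot/bootx64.efi": sample_image(old, 0x1234, b"SIG" * 8),
        "/boot/efi/EFI/ubuntu/grubx64.efi": sample_image(new, 0x5678, b"SIG" * 8),
    }
    print(blocked_files(esp, dbx))
```

To run the digest over a real file, pass `open(path, "rb").read()` to `authenticode_sha256`; images with an unusual layout need the full section-by-section procedure rather than this shortcut.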