November 3rd, 2022 00:00
Unable to upgrade UEFI dbx from 77 to 217
In trying to keep my system up to date I also install firmware updates on my Dell Precision 3561 with Ubuntu 22.04.1 LTS. I use the fwupdtool command on the command line:
sudo fwupdtool update
Having already updated the NVMe controller and system firmware, it now prompts to update the UEFI dbx:
$ sudo fwupdtool update
Loading… [***************************************]
Devices with no available firmware updates:
• TPM 2.0
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• BC711 NVMe SK hynix 512GB
• BC711 NVMe SK hynix 512GB
• System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds ║
║ insecure versions of grub and shim to the list of forbidden signatures due ║
║ to multiple discovered security updates. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures.If the installation fails, you will ║
║ need to update shim and grub packages before the update can be deployed. ║
║ ║
║ Once you have installed this dbx update, any DVD or USB installer images ║
║ signed with the old signatures may not work correctly.You may have to ║
║ temporarily turn off secure boot when using recovery or installation media, ║
║ if new images have not been made available by your distribution. ║
║ ║
║ UEFI dbx and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Decompressing [***************************************]
Decompressing [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date:
/media/root/ESP/EFI/ubuntu/shimx64.efi
Authenticode checksum [ ] is present in dbx
An update requires a reboot to complete. Restart now? [y|N]:
The system reboots; since there was an error during the installation, no update was installed. I even retried running fwupdtool, but without any success.
fwupdtool versions, in case they are relevant:
$ fwupdtool --version
compile org.freedesktop.fwupd 1.7.9
runtime org.freedesktop.gusb 0.3.10
runtime org.kernel 5.14.0-1048-oem
compile org.freedesktop.gusb 0.3.10
compile com.hughsie.libjcat 0.1.9
runtime org.freedesktop.fwupd 1.7.9
The whole /media/root/ESP directory does not exist, so perhaps that could be a reason for the failure.
I briefly looked online to find others with this issue, but there wasn't a clear answer that stood out. Working with proprietary firmware in this way is new to me; my personal laptops are mostly running Free Software firmware, so that works just fine. I hope you can either fix things upstream or provide a guide to compensate if things don't fix themselves. I'd like to keep my system up to date.
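fwupd refuses the dbx update because a PE binary in the ESP has an Authenticode SHA-256 hash that appears in the new dbx. The script below, added here as an example and not fwupd's own code, reproduces that check offline: it parses the EFI_SIGNATURE_LIST structures that make up a dbx blob and reports which binaries, given as path plus Authenticode hash, would be blocked. The paths and hashes in the fixture are constructed, and `build_esl` exists only to create test data.

```python
import struct
import uuid

# Signature type GUID for EFI_SIGNATURE_LIST entries that carry SHA-256 hashes
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian)
ESL_HEADER = struct.Struct("<16sIII")
# Path of the live dbx under efivarfs (EFI_IMAGE_SECURITY_DATABASE_GUID)
EFIVARS_DBX = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def read_efivars_dbx(path: str = EFIVARS_DBX) -> bytes:
    """Read the running dbx; efivarfs prepends 4 bytes of variable attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def parse_esl(blob: bytes):
    """Yield (signature_type, owner_guid, data) for every EFI_SIGNATURE_DATA
    entry in a concatenation of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + ESL_HEADER.size <= len(blob):
        sig_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, off)
        if list_size < ESL_HEADER.size or off + list_size > len(blob):
            raise ValueError(f"truncated or malformed signature list at offset {off}")
        pos, end = off + ESL_HEADER.size + hdr_size, off + list_size
        # Each entry is a 16-byte SignatureOwner GUID followed by SignatureData
        while sig_size > 16 and pos + sig_size <= end:
            entry = blob[pos:pos + sig_size]
            yield uuid.UUID(bytes_le=sig_type), uuid.UUID(bytes_le=entry[:16]), entry[16:]
            pos += sig_size
        off = end


def forbidden_sha256(blob: bytes) -> set:
    """Set of hex Authenticode SHA-256 hashes the dbx forbids."""
    return {data.hex() for t, _, data in parse_esl(blob)
            if t == EFI_CERT_SHA256_GUID and len(data) == 32}


def blocked_binaries(authenticode_hashes: dict, dbx_blob: bytes) -> list:
    """Map of ESP path -> hex Authenticode SHA-256; return paths present in dbx."""
    bad = forbidden_sha256(dbx_blob)
    return sorted(p for p, h in authenticode_hashes.items() if h.lower() in bad)


def build_esl(hashes, owner: uuid.UUID = uuid.UUID(int=0)) -> bytes:
    """Construct one EFI_SIGNATURE_LIST of SHA-256 entries (test fixture only)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    return ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                           ESL_HEADER.size + len(body), 0, 16 + 32) + body
```

The Authenticode hash of a real ESP binary is the PE image hash (which skips the checksum and certificate table), as printed for example by pesign's `--hash` option, not a plain sha256sum of the file.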
Volodymyr Zaiets
April 30th, 2024 22:21
As a workaround I moved a malformed file, /boot/efi/efi.factory/boot/bootx64.efi, somewhere else: `sudo mv /boot/efi/efi.factory/boot/bootx64.efi /tmp/bootx64.efi`.
Then I ran the command `sudo fwupdtool update` without rebooting. I don't want to lose the file.
Afterwards I moved the file back: `sudo mv /tmp/bootx64.efi /boot/efi/efi.factory/boot/bootx64.efi`
After the above manipulations the version looks updated. It is necessary to reboot.
That's it!