EP

November 3rd, 2022 00:00

Unable to upgrade UEFI dbx from 77 to 217

In trying to keep my system up to date I also install firmware updates on my Dell Precision 3561 with Ubuntu 22.04.1 LTS. I use the fwupdtool command on the command line:

sudo fwupdtool update

Having already updated the NVMe controller and system firmware, it now prompts to update the UEFI dbx:

$ sudo fwupdtool update
Loading… [***************************************]
Devices with no available firmware updates:
• TPM 2.0
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• BC711 NVMe SK hynix 512GB
• BC711 NVMe SK hynix 512GB
• System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds ║
║ insecure versions of grub and shim to the list of forbidden signatures due ║
║ to multiple discovered security updates. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures.If the installation fails, you will ║
║ need to update shim and grub packages before the update can be deployed. ║
║ ║
║ Once you have installed this dbx update, any DVD or USB installer images ║
║ signed with the old signatures may not work correctly.You may have to ║
║ temporarily turn off secure boot when using recovery or installation media, ║
║ if new images have not been made available by your distribution. ║
║ ║
║ UEFI dbx and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Decompressing [***************************************]
Decompressing [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date:
/media/root/ESP/EFI/ubuntu/shimx64.efi
Authenticode checksum [ ] is present in dbx
An update requires a reboot to complete. Restart now? [y|N]:

The system reboots; since there was an error during the installation, no update was installed. I even retried running fwupdtool but without any success.

Fwupdtool versions in case it is relevant:

$ fwupdtool --version
compile org.freedesktop.fwupd 1.7.9
runtime org.freedesktop.gusb 0.3.10
runtime org.kernel 5.14.0-1048-oem
compile org.freedesktop.gusb 0.3.10
compile com.hughsie.libjcat 0.1.9
runtime org.freedesktop.fwupd 1.7.9

The whole /media/root/ESP directory is nonexistent and so perhaps that could be a reason for the failure.

I briefly looked online to find others with this issue but there wasn't a clear answer that stood out. Working with proprietary firmware in this way is new to me; my personal laptops are mostly running Free Software firmware, so that works just fine. I hope you can either fix things upstream or provide a guide to compensate if things don't fix themselves. I'd like to keep my system up to date.

April 30th, 2024 22:21

As a workaround I moved a malformed file /boot/efi/efi.factory/boot/bootx64.efi somewhere else: `sudo mv /boot/efi/efi.factory/boot/bootx64.efi /tmp/bootx64.efi`.

Then I performed the command `sudo fwupdtool update` without a reboot. I don't want to lose the file.

Afterwards the file was moved back: `sudo mv /tmp/bootx64.efi /boot/efi/efi.factory/boot/bootx64.efi`

After the above manipulations the version looks updated. It is necessary to reboot.

That's it!
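The pre-flight check that fails in both posts above (the blocked shimx64.efi in the first, the leftover bootx64.efi under efi.factory in the second) compares the Authenticode hash of every boot binary on the ESP against the revocation list. The script below is an added example, not fwupd's own code: it recomputes the Authenticode SHA-256 that dbx entries carry, following the PE/COFF hashing rules (the CheckSum field, the Certificate Table directory entry and the attached signature are all left out of the digest), and reports which files under a mount point match a denylist. The PE32+ stub it builds, the file names and the denylist are constructed for the demonstration; a real check would load the hashes from the actual dbx update, which this script does not fetch.

```python
"""
Recompute the Authenticode SHA-256 of PE/COFF (EFI) binaries and check it against a
dbx-style denylist, mirroring the pre-flight check fwupd performs on the ESP.
Constructed example: the PE image built below is a minimal non-bootable stub and the
denylist is derived from it rather than taken from a real UEFI revocation list.
"""
import hashlib
import pathlib
import struct


def authenticode_sha256(data: bytes) -> str:
    """Authenticode hash per the PE/COFF spec: hash the file except the CheckSum
    field, the Certificate Table data-directory entry and the attached certificate
    table; sections are hashed in PointerToRawData order."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                            # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                         # PE32+: data dirs at offset 112
        dd_off = 112
    elif magic == 0x10B:                                       # PE32: data dirs at offset 96
        dd_off = 96
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64                                    # 4-byte CheckSum field
    cert_dir_off = opt + dd_off + 4 * 8                        # entry 4 = Certificate Table
    cert_off, cert_size = struct.unpack_from("<II", data, cert_dir_off)

    h = hashlib.sha256()
    h.update(data[:checksum_off])                              # headers up to CheckSum
    h.update(data[checksum_off + 4:cert_dir_off])              # up to the cert directory entry
    h.update(data[cert_dir_off + 8:size_of_headers])           # rest of the headers
    hashed = size_of_headers

    sections = []
    sec_tbl = opt + opt_size
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size

    # Trailing data (overlay) is hashed too, minus the certificate table itself.
    if cert_size:
        h.update(data[hashed:cert_off])
        h.update(data[cert_off + cert_size:])
    else:
        h.update(data[hashed:])
    return h.hexdigest()


def blocked_binaries(esp_files: dict, dbx_hashes: set) -> list:
    """Paths whose Authenticode hash is in the denylist; non-PE files are skipped."""
    blocked = []
    for path, blob in esp_files.items():
        try:
            if authenticode_sha256(blob) in dbx_hashes:
                blocked.append(path)
        except (ValueError, struct.error):
            continue
    return sorted(blocked)


def scan_esp(mount_point: str, dbx_hashes: set) -> list:
    """Walk a mounted ESP (for example /boot/efi) and report blocked .efi files."""
    esp = pathlib.Path(mount_point)
    files = {str(p): p.read_bytes()
             for p in esp.rglob("*") if p.is_file() and p.suffix.lower() == ".efi"}
    return blocked_binaries(files, dbx_hashes)


def build_test_image(text_payload: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Construct a minimal PE32+ EFI-application stub (test input, not bootable):
    512 bytes of headers, one 512-byte .text section, optional attached cert table."""
    if len(text_payload) != 512:
        raise ValueError("payload must be exactly 512 bytes (one FileAlignment unit)")
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew -> PE signature at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x86-64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+
    struct.pack_into("<I", opt, 32, 4096)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, 512)                       # FileAlignment
    struct.pack_into("<I", opt, 56, 8192)                      # SizeOfImage
    struct.pack_into("<I", opt, 60, 512)                       # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                  # CheckSum (excluded from the hash)
    struct.pack_into("<H", opt, 68, 10)                        # Subsystem: EFI application
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if cert_blob:
        struct.pack_into("<II", opt, 112 + 4 * 8, 1024, len(cert_blob))  # cert table after .text
    sect = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(512, b"\0")
    return headers + text_payload + cert_blob


if __name__ == "__main__":
    old_shim = build_test_image(b"\x90" * 512)        # stands in for a revoked binary
    new_shim = build_test_image(b"\xcc" * 512)        # stands in for its fixed successor
    dbx = {authenticode_sha256(old_shim)}              # constructed denylist
    esp = {"EFI/ubuntu/shimx64.efi": old_shim, "EFI/BOOT/BOOTX64.EFI": new_shim, "EFI/readme.txt": b"hi"}
    for path in blocked_binaries(esp, dbx):
        print("Blocked executable in the ESP:", path)
```

Against a real system, `scan_esp("/boot/efi", dbx)` lists the files that would make `fwupdtool update` refuse the dbx install, so the right package (shim or grub) can be updated first. Note that the plain SHA-256 of the file is not the value dbx stores, which is why the signature-free Authenticode digest is recomputed here. The workaround in the second post only removes the file from fwupd's scan; a binary whose hash is in dbx is still rejected by the firmware under Secure Boot once the update is applied, so moving it back afterwards keeps the file but does not keep it bootable.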
