6

I try to update my Ubuntu firmware but I get an issue:

Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx

Here are the details of the update:

Version 217: This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. If the installation fails, you will need to update shim and grub packages before the update can be deployed.

Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly. You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.

Version 211: This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

Version 190: This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

  • Please do not show pictures of text, cut and paste the text into the body of the question. It may also help to know the version of Ubuntu you are using. EDIT the question and add this info not as comments please. – David Sep 27 '22 at 08:16
  • 3
    You are not alone. I have a very similar issue trying to update firmware to the same version (217) and all packages on my Ubuntu 22.04 install are up to date. My error: Blocked executable in the ESP, ensure grub and shim are up to date: /media/root/ESP/EFI/ubuntu/shimx64.efi – mckenzis Oct 01 '22 at 21:01
  • @mckenzis you can try this for possible solutions https://github.com/fwupd/fwupd/wiki/Blocked-executable-in-the-ESP,-ensure-grub-and-shim-are-up-to-date – Zobayer Hasan Nov 02 '22 at 07:14

2 Answers

2

WARNING: I don't have the problem myself and I cannot test the answer below. Be aware that it could prevent your computer from booting.

The folder /boot/efi/efi.factory seems to be specific to DELL computers sold with Ubuntu [1].

You can check if you are actually using /boot/efi/efi.factory/boot/bootx64.efi to boot with this command:

sudo efibootmgr -v | grep "Boot$(sudo efibootmgr -v | awk '/BootCurrent/{print $2}')"

This command shows which EFI has been used to boot. If it's not /EFI/efi.factory/boot/bootx64.efi and you don't need to boot into DELL Recovery, I think you can safely delete or move it outside the /EFI folder: see https://unix.stackexchange.com/a/636034.

[1] : https://github.com/dell/dell-recovery/blob/master/debian/changelog#L514

Max
  • 574
  • 1
    Hey Max, thanks, I did the command and it showed this: totoro@totoro-Dell-G15-5511:~$ sudo efibootmgr -v | grep "Boot$(sudo efibootmgr -v | awk '/BootCurrent/{print $2}')" [sudo] password for totoro: Boot0006* ubuntu HD(1,GPT,6943d891-5eb1-4136-88e2-945c741fe3c0,0x800,0x1b5800)/File(\EFI\ubuntu\shimx64.efi) – Catalina Manea Oct 07 '22 at 09:33
  • 1
    @CatalinaManea The command output shows that you are using \EFI\ubuntu\shimx64.efi to boot and not /boot/efi/efi.factory/boot/bootx64.efi. So I suppose you can proceed and delete /boot/efi/efi.factory/boot/bootx64.efi BUT shimx64.efi is a small bootloader that loads another EFI; therefore shimx64.efi could theoretically load /boot/efi/efi.factory/boot/bootx64.efi. I can't help much more I'm afraid. – Max Oct 08 '22 at 10:17
  • @Max Renaming offending efi-file isn't enough — fwupdmgr will still complain. It should be moved from this folder. – whtyger Oct 27 '22 at 11:17
  • @whtyger, thanks, I have modified the proposed answer accordingly. – Max Oct 28 '22 at 16:13
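
The check discussed in this answer and its comments, as an added example that is not part of the original answer: it takes the fwupd error text and `sudo efibootmgr -v` output and reports whether the blocked file is the current loader, is named by another boot entry, or is named by none. The function names, the default ESP mount point /boot/efi and the Boot0001 sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the page: classify the file fwupd blocks against
# the firmware boot entries. Assumes loader paths contain no spaces.

# Path named in a "Blocked executable in the ESP" message read from stdin.
blocked_path() { sed -n 's|.*are up to date: \(/[^ ]*\).*|\1|p'; }

# ESP-relative, lower-cased form of $1 (FAT names are case-insensitive).
esp_relative() {  # $1 = absolute path, $2 = ESP mount point
    case $1 in
        "$2"/*) printf '%s\n' "${1#"$2"}" | tr '[:upper:]' '[:lower:]' ;;
        *) return 1 ;;
    esac
}

# From `efibootmgr -v` output on stdin, print "current <loader>" or
# "other <loader>" for every Boot#### entry that names a File(...) loader.
boot_loaders() {
    awk '
        /^BootCurrent:/ { cur = "Boot" $2 }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ &&
        match($0, /File\([^)]*\)/) {
            p = tolower(substr($0, RSTART + 5, RLENGTH - 6))
            gsub(/\\/, "/", p)
            path[substr($1, 1, 8)] = p
        }
        END { for (id in path) { t = (id == cur) ? "current" : "other"; print t, path[id] } }'
}

# Print current / referenced / unreferenced for the blocked file.
classify() {  # $1 = fwupd message, $2 = efibootmgr -v output, $3 = ESP mount
    blocked=$(printf '%s\n' "$1" | blocked_path)
    rel=$(esp_relative "$blocked" "${3:-/boot/efi}") || return 2
    printf '%s\n' "$2" | boot_loaders | awk -v want="$rel" '
        $2 == want { if ($1 == "current") c = 1; else o = 1 }
        END { r = c ? "current" : (o ? "referenced" : "unreferenced"); print r }'
}

# Sample input: MSG (checksum shortened) and the Boot0006 line are from the
# page; the BootCurrent and Boot0001 lines are constructed.
MSG='Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [...] is present in dbx'
BOOT='BootCurrent: 0006
Boot0001* factory HD(1,GPT,...)/File(\efi.factory\boot\bootx64.efi)
Boot0006* ubuntu HD(1,GPT,6943d891-5eb1-4136-88e2-945c741fe3c0,0x800,0x1b5800)/File(\EFI\ubuntu\shimx64.efi)'

classify "$MSG" "$BOOT"   # prints: referenced
```

A result of "current" or "referenced" means a firmware boot entry still points at the file. "unreferenced" covers only the firmware entries and says nothing about what shim or grub load afterwards.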
2

This usually happens for old efi files that needed to be manually updated. Here's an excerpt from the fwupd wiki pages:

In my case, the file that the update complained about was /boot/efi/EFI/BOOT/bkpbootx64.efi. I discovered that that file was a year older than the other files within the same directory. A web search disclosed that the file was 'a backup regularly created by Boot-Repair.' Boot-Repair is a third-party program that is designed to be used on Ubuntu and which one can use - with caution - on Ubuntu-derivatives such as Linux Mint. I am on Mint and had used the program. I deleted the backup file, i.e. /boot/efi/EFI/BOOT/bkpbootx64.efi. I told fwupd to do the update. I rebooted. fwupd gave little sign of having done the update but running fwupd again suggested that the update had indeed been performed; and my system seems to continue to work perfectly well.

Another user found the following. 'My problem was that I had a very old /boot/efi/EFI/ubuntu from a previous install. I am running Fedora. So the very old ubuntu components were not being updated, blocking the UEFI dbx update.'

The error message usually tells you the name of the problematic efi file:

Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx

Filename: /boot/efi/efi.factory/boot/bootx64.efi

You can delete this file and then update fwupdmgr again:

sudo fwupdmgr refresh --force
sudo fwupdmgr update

This will ask you for a reboot. After the reboot, if you check again, you'll see that the update has been installed.

  • Hi, I did the sudo fwupdmgr refresh -- force and after the sudo fwupdmgr update and still have the same mistake: Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx. Just frustrating. – Catalina Manea Nov 04 '22 at 06:24
  • @CatalinaManea did you delete /boot/efi/efi.factory/boot/bootx64.efi? If not, you might have to, as it is the old file. Everyone has problems with different files. I believe there will be a fix for this in one of the next releases, and ignoring this update won't cause any significant trouble. – Zobayer Hasan Nov 07 '22 at 03:28