4

There is an update of Secure Boot DBX, from 77 to 217. It cannot be installed because grub is old. I have switched Secure Boot off in the BIOS. What is the DBX update? I am not going to install it. Ubuntu 22.04.1.

sudo fwupdmgr update
Devices with no available firmware updates: 
 • 670p ******************* 512GB
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Распаковка…              [***************************************]
Распаковка…              [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Перезапуск устройства…   [***************************************]
Запись…                  [***************************************]
Распаковка…              [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [***************************] is present in dbx

Mahler
  • Does update manager show this? – Archisman Panigrahi Oct 29 '22 at 15:56
  • It is shown in ubuntu software as well as in fwupdmgr in terminal. But when I try installing it it says that grub is old. – Mahler Oct 29 '22 at 16:01
  • It seems to be something Dell specific, but for what I couldn't tell you. Please see: https://answers.launchpad.net/ubuntu/+question/703205 – Terrance Oct 29 '22 at 16:39
  • Thanks. As it cannot be installed, I will not update it. By the way, when I launch aptitude (console software manager), it also says that the grub version is old, but it is fixed and cannot be updated. – Mahler Oct 29 '22 at 17:10
  • What version of grub is installed? grub-install -V – Terrance Oct 29 '22 at 17:13
  • grub-install (GRUB) 2.06-2ubuntu7 – Mahler Oct 29 '22 at 17:17
  • Can you edit your question showing exactly where you are seeing that message – Terrance Oct 29 '22 at 17:44
  • I have added fwupdmgr output. – Mahler Oct 29 '22 at 17:53
  • I won't be much help from here on out as I don't use UEFI, but this might help you: https://askubuntu.com/questions/1429678/impossible-to-update-uefi-dbx – Terrance Oct 29 '22 at 18:06
  • There seems to be a phased update of grub going on to get to ...ubuntu10 from 7. – ubfan1 Oct 29 '22 at 18:25
  • "There is update of Secure Boot, DBX" No, incorrect terminology. This is a UEFI update. If you feel you need to install it then please try by other means. It likely allows such an update directly in the UEFI settings. – ChanganAuto Oct 29 '22 at 19:12
  • I have switched off Secure boot in bios. But I tried to install it when secure boot was on as well. I think if secure boot is off in bios, this dbx doesn't affect anything. – Mahler Oct 29 '22 at 19:24
  • Still not understanding. What you're seeing here is a normal UEFI ("BIOS") update (Ubuntu can now deliver those updates thanks to a special tool, just like you typically do in Windows). That it fails to install, regardless of the reason, is immaterial and you can use any other method to update UEFI ("BIOS") like you always did. Secure Boot status is irrelevant. – ChanganAuto Oct 29 '22 at 20:09
  • Same here. Acer Travelmate Spin B118 from the year 2018. Never had problems with Ubuntu since that year, but now, since the LTS update from 20.04 to 22.04, I can only boot with secure boot disabled. Maybe there is an expired or changed certificate somewhere? I also tried the fwupdate as shown in the OP but it didn't help. – Daniel Alder Nov 19 '22 at 01:38

1 Answer

2

As someone said in one of the comments to your question, this looks very similar to other questions on many forums. The solution seems to be the removal of an old file that isn't being updated anymore, which causes the upgrade manager (fwupdmgr) to block the update because one of the files in the boot directory is going to be suppressed by the dbx update for not being signed as required. This is a security thing to avoid your machine being unable to boot after the upgrade. The solution I've seen to this is to move the file into your documents, for example, and delete it once you've made sure everything still works fine. See the topic "Impossible to update UEFI dbx" for the details, where the problematic file is /boot/efi/EFI/Boot/shimx64.efi

  • 1
    I have read that someone has boot problems after moving this file. I decided not to update until this issue is fixed by Canonical. I don't have any problems without this update. – Mahler Dec 24 '22 at 15:58
  • You're right, that's certainly the safest solution. – dilwynlala Dec 24 '22 at 19:46
  • I have updated grub today. This DBX update still cannot be installed. /boot/efi/EFI/Boot/shimx64.efi - I don't have this file. The contents of the folder have the same dates. I think I don't need it, I have secure boot off. – Mahler Jan 06 '23 at 22:37
  • I have installed Cinnamon, updated GRUB and SHIM. This DBX update has disappeared, and is not being offered anymore. – Mahler Apr 05 '23 at 16:24
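
An added example, not part of the original thread and not fwupd's own code: the kind of check the fwupdmgr message describes, written out in Python. It computes the Authenticode SHA-256 of every `.efi` file under an ESP root and reports the files whose digest is in a supplied set of forbidden digests. The function names and the `forbidden` set are assumptions; the digests have to come from the dbx release being offered.

```python
import hashlib
import struct
from pathlib import Path

def authenticode_sha256(data: bytes) -> str:
    """Authenticode SHA-256 of a PE image, the digest form used by dbx hash entries."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE/COFF image")
    nsec, = struct.unpack_from("<H", data, pe + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # data directory array
    hdr_end, = struct.unpack_from("<I", data, opt + 60)   # SizeOfHeaders
    csum, cert_dir = opt + 64, dirs + 4 * 8               # CheckSum, directory entry 4
    ndirs, = struct.unpack_from("<I", data, dirs - 4)     # NumberOfRvaAndSizes
    cert_size = struct.unpack_from("<I", data, cert_dir + 4)[0] if ndirs > 4 else 0
    h = hashlib.sha256(data[:csum])                       # headers up to CheckSum
    if ndirs > 4:   # skip CheckSum and the certificate-table directory entry
        h.update(data[csum + 4:cert_dir] + data[cert_dir + 8:hdr_end])
    else:           # no certificate-table entry: skip CheckSum only
        h.update(data[csum + 4:hdr_end])
    hashed, sec_tab = hdr_end, opt + opt_size
    secs = [struct.unpack_from("<II", data, sec_tab + 40 * i + 16) for i in range(nsec)]
    for size, ptr in sorted(secs, key=lambda s: s[1]):    # by PointerToRawData
        h.update(data[ptr:ptr + size])
        hashed += size
    # Trailing data after the sections, excluding the attached signatures.
    h.update(data[hashed:max(hashed, len(data) - cert_size)])
    return h.hexdigest()

def blocked_executables(esp_root, forbidden):
    """(path, digest) for each .efi file under esp_root whose digest is in forbidden."""
    hits = []
    for path in sorted(Path(esp_root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            try:
                digest = authenticode_sha256(path.read_bytes())
            except (ValueError, struct.error):
                continue                                  # not a parsable PE image
            if digest in forbidden:
                hits.append((str(path), digest))
    return hits
```

Because the checksum field and the signature data are left out of the digest, a signed and an unsigned copy of the same binary produce the same value, which is why a stale copy such as the one under `efi.factory` is caught no matter which certificate signed it.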