
I'm having a similar problem to what's described in Impossible to update UEFI dbx (and others) but thought it was different enough (and still unsolved) to ask a separate question.

When I try to update my firmware, I get the error message:

Blocked executable in the ESP, ensure grub and shim are up to date: /media/root/PQSERVICE/efi/boot/shimx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx

The output of efibootmgr -v shows me, I believe, that the /media/root/PQSERVICE/efi/boot/shimx64.efi file listed in the error message is not actually used:

$ sudo efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,001C,001D,001E,001F,0020,0021,0022,0023,0024,0001
Boot0000* ubuntu    HD(1,GPT,fdf05e72-c48f-436c-9ec2-9aa056bad95e,0x800,0x1b7801)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Linux-Firmware-Updater    HD(1,GPT,fdf05e72-c48f-436c-9ec2-9aa056bad95e,0x800,0x1b7801)/File(\EFI\ubuntu\fwupdx64.efi)
Boot0010  Setup FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen  FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics    FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Asset Information FvFile(da465b87-a26f-4c12-b78a-0361428fa026)
Boot0015  Regulatory Information    FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)
Boot0016  ThinkShield secure wipe   FvFile(3593a0d5-bd52-43a0-808e-cbff5ece2477)
Boot0017  ThinkShield Passwordless Power-On Device Manager  FvFile(08448b41-7f83-49be-82a7-0e84790ab133)
Boot0018  Wi-Fi Configuration   FvFile(d3aaff0f-cb22-4792-896c-802c2e9383ba)-.A.p.p...
Boot0019  Intel(R) MEBx FvFile(29a70110-7762-4211-ae88-fab19b7665be)
Boot001A  Startup Interrupt Menu    FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot001B  Rescue and Recovery   FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot001C* USB CD    VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot001D* USB FDD   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot001E* NVMe0 VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001F* USB HDD   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot0020* PXE BOOT  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot0021* LENOVO CLOUD  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri(https://download.lenovo.com/pccbbs/cdeploy/efi/boot.efi)
Boot0022* ON-PREMISE    VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri()
Boot0023  Other CD  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35400)
Boot0024  Other HDD VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ca88c2349e7ae947beeb43038a5aeae700)
Boot0025* IDER BOOT CDROM   PciRoot(0x0)/Pci(0x14,0x0)/USB(11,1)
Boot0026* IDER BOOT Floppy  PciRoot(0x0)/Pci(0x14,0x0)/USB(11,0)
Boot0027* ATA HDD   VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0028* ATAPI CD  VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)

This is on a ThinkPad that came fresh with Ubuntu - no other OS installed, and I'm currently on 22.10. The file in the error message lives in what I believe is Lenovo's recovery partition.

Does the fact that it is not listed in the above output mean that it is safe to delete or rename (a solution from the other topics) - or might that cause issues if I need to boot into the recovery partition?
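The check the question reasons about, as an added example that is not part of the original post: parse `efibootmgr -v` output and list which boot entries point at a given file on a given partition. The sample lines are copied from the output above; the function names are hypothetical, and the recovery partition's PARTUUID is a placeholder because the page does not give it.

```python
import re

# Constructed sample: lines copied from the efibootmgr -v output in the question.
SAMPLE = r"""BootCurrent: 0000
Boot0000* ubuntu    HD(1,GPT,fdf05e72-c48f-436c-9ec2-9aa056bad95e,0x800,0x1b7801)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* Linux-Firmware-Updater    HD(1,GPT,fdf05e72-c48f-436c-9ec2-9aa056bad95e,0x800,0x1b7801)/File(\EFI\ubuntu\fwupdx64.efi)
Boot001B  Rescue and Recovery   FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot001C* USB CD    VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
"""
# Placeholder: the real value comes from `lsblk -o NAME,LABEL,PARTUUID` (PQSERVICE row).
RECOVERY_PARTUUID = "00000000-0000-0000-0000-000000000000"

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?)\s+(.*)$")
HD_FILE = re.compile(r"HD\(\d+,GPT,([0-9A-Fa-f-]+),[^)]*\)/File\(([^)]*)\)")

def norm(path):
    # FAT is case-insensitive; UEFI paths use backslashes, Linux paths use slashes.
    return "/" + path.replace("\\", "/").strip("/").lower()

def parse_entries(text):
    """Map boot number -> active flag, partition GUID and file path (None if absent)."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # BootCurrent, Timeout, BootOrder and blank lines
        num, star, rest = m.groups()
        hd = HD_FILE.search(rest)
        entries[num.upper()] = {
            "active": star == "*",
            "partuuid": hd.group(1).lower() if hd else None,
            "file": norm(hd.group(2)) if hd else None,
        }
    return entries

def referencing_entries(text, partuuid, path):
    """Boot numbers whose HD()/File() node is `path` on partition `partuuid`."""
    want = (partuuid.lower(), norm(path))
    return sorted(n for n, e in parse_entries(text).items()
                  if (e["partuuid"], e["file"]) == want)

def unresolved_entries(text):
    """Entries with no HD()/File() node: what they load is not visible in this output."""
    return sorted(n for n, e in parse_entries(text).items() if e["file"] is None)

if __name__ == "__main__":
    print(referencing_entries(SAMPLE, RECOVERY_PARTUUID, "/efi/boot/shimx64.efi"))
    print(unresolved_entries(SAMPLE))
```

Entries that carry only FvFile, VenMsg or PciRoot nodes do not name a file, so an empty result shows that no HD()/File() entry loads the file, not that a firmware-internal entry such as Rescue and Recovery never reaches it.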

1 Answer


I had exactly the same problem described here when updating UEFI DBX to v217. My configuration is ThinkPad X1 Carbon gen 10 running Ubuntu 22.10 (Kernel 6.1.6-stable).

Since /media/root/PQSERVICE does not exist on a normal boot, there is no shim or grub efi file to move from the location as per other answers on other threads where the error was reported from /boot/efi/EFI.

What worked for me was simply: sudo fwupdmgr update --force -y

jpjenk
  • Amazing, that solved it for me too - thank you! In case it helps future users - your configuration is exactly the same as mine. – Mat Gordon Jan 19 '23 at 02:12
  • Thank you JP. I had the same problem and "sudo fwupdmgr update --force -y" fixed it. – user25406 Feb 02 '23 at 15:24