4

A message started popping up after the upgrade from 23.04 to 23.10, saying that I've got some updates. It turned out to be the one in the subject. I tried to update and it fails. This is what I got running fwupdmgr manually:

  ~$ sudo fwupdmgr update
Devices with no available firmware updates: 
 • ELAN1200:00 04F3:306F
 • SD8SN8U512G1002
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 371?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of the Microsoft Windows boot manager affected by Black    ║
║ Lotus were added to the list of forbidden signatures due to a discovered     ║
║ security problem.This updates the dbx to the latest release from Microsoft.  ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.Applying this update may also cause     ║
║ some Windows install media to not start correctly.                           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: Y
Decompressing…           [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/Boot/bkpbootx64.efi Authenticode checksum [5b89f1aa2435a03d18d9b203d17fb4fba4f8f5076cf1f9b8d6d9b826222235c1] is present in dbx

I am not sure if I really need this update but the pop-up every time I boot is annoying. Any way to fix it?

muru
foxy123

2 Answers

2

I have successfully fixed the issue on my machine after the 23.10 upgrade by applying the solution given in "Impossible to update UEFI dbx". Essentially the problem appears the same as in my previous comment on this question:

You have a file that can be used to boot an OS-version that is blocklisted. fwupdmgr refuses to update your blocklist while you have it. It actually tells you the file name and path in the original error message:

Blocked executable in the ESP, ensure grub and shim are up to date: [path] Authenticode checksum [checksum] is present in dbx

You can use the command

efibootmgr -v

to list all paths that are in use. If the path from the error message is not listed, it is not in use and you can remove it with

sudo rm [path]

after which fwupdmgr will work.

Note that I have no clue what happens if you remove the file while it IS in use, but it probably isn't good. Most of the paths are very similar, so compare them carefully.
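The path comparison described in the answer above, as an added example that is not part of the original answer or of fwupd. It assumes an x64 machine with the ESP mounted at /boot/efi; the function names and the sample boot entries are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: is a file flagged by fwupdmgr referenced by a UEFI boot entry?

# Convert a Linux path under the ESP to the form used in boot entries:
# /boot/efi/EFI/Boot/x.efi -> \efi\boot\x.efi (lower-cased, FAT ignores case).
to_efi_path() {
    local path="$1" esp="${2:-/boot/efi}"
    path="${path#"$esp"}"
    printf '%s\n' "$path" | tr '/' '\\' | tr '[:upper:]' '[:lower:]'
}

# Reads `efibootmgr -v` output on stdin. Returns 0 if the file is in use
# (or might be), 1 if no boot entry references it.
esp_path_in_use() {
    local want
    want="$(to_efi_path "$1" "${2:-/boot/efi}")"
    # The removable-media fallback loader is started by the firmware without
    # needing a boot entry, so always treat it as in use.
    case "$want" in
        '\efi\boot\bootx64.efi') return 0 ;;
    esac
    # Literal, case-insensitive match; a longer path that merely contains
    # this one also counts, which errs on the side of keeping the file.
    tr '[:upper:]' '[:lower:]' | grep -qF -- "$want"
}

# Constructed sample of `efibootmgr -v` output (not from the original post).
sample_entries() {
    cat <<'EOF'
BootCurrent: 0001
BootOrder: 0001,0000
Boot0000* Windows Boot Manager HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* ubuntu HD(1,GPT,00000000-0000-0000-0000-000000000001,0x800,0x82000)/File(\EFI\ubuntu\shimx64.efi)
EOF
}

check() {
    if sample_entries | esp_path_in_use "$1"; then
        echo "IN USE, keep: $1"
    else
        echo "not referenced by any boot entry: $1"
    fi
}
check /boot/efi/EFI/Boot/bkpbootx64.efi
check /boot/efi/EFI/ubuntu/shimx64.efi
```

On a real system, feed it the live entries instead of the sample: `sudo efibootmgr -v | esp_path_in_use /boot/efi/EFI/Boot/bkpbootx64.efi`.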

0

I had exactly the same problem. How to fix?

sudo rm /boot/efi/EFI/Boot/bkpbootx64.efi
sudo fwupdmgr update

(reboot now/later)

Ubuntu 23.10 was booted correctly and the error message displayed by the 'update manager' disappeared. I was able to boot Ubuntu 23.10 and Windows 10 normally as before.

Problem solved