Score:3

What do I need to update Secure boot for?

in flag

There is an update of Secure Boot, DBX - from 77 to 217. It cannot be installed because grub is old. I have switched Secure Boot off in the BIOS. What is the DBX update? I am not going to install it. Ubuntu 22.04.1.

```
sudo fwupdmgr update
Devices with no available firmware updates: 
 • 670p ******************* 512GB
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Распаковка…              [***************************************]
Распаковка…              [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Перезапуск устройства…   [***************************************]
Запись…                  [***************************************]
Распаковка…              [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [***************************] is present in dbx
```
us flag
Does update manager show this?
Mahler avatar
in flag
It is shown in Ubuntu Software as well as in fwupdmgr in the terminal. But when I try installing it, it says that grub is old.
Terrance avatar
id flag
It seems to be something Dell specific, but for what I couldn't tell you. Please see: https://answers.launchpad.net/ubuntu/+question/703205
Mahler avatar
in flag
Thanks. As it cannot be installed, I will not update it. By the way, when I launch aptitude (console software manager), it also says that the grub version is old, but it is fixed and cannot be updated.
Terrance avatar
id flag
What version of grub is installed? `grub-install -V`
Mahler avatar
in flag
grub-install (GRUB) 2.06-2ubuntu7
Terrance avatar
id flag
Can you [edit](https://askubuntu.com/posts/1438076/edit) your question showing exactly where you are seeing that message?
Mahler avatar
in flag
I have added fwupdmgr output.
Terrance avatar
id flag
I won't be much help from here on out as I don't use UEFI, but this might help you: https://askubuntu.com/questions/1429678/impossible-to-update-uefi-dbx
cc flag
There seems to be a phased update of grub going on to get to ...ubuntu10 from 7.
ChanganAuto avatar
us flag
*There is update of Secure Boot, DBX* No, incorrect terminology. This is a UEFI update. If you feel you need to install it then please try by other means. It likely allows such an update directly in the UEFI settings.
Mahler avatar
in flag
I have switched off Secure boot in bios. But I tried to install it when secure boot was on as well. I think if secure boot is off in bios, this dbx doesn't affect anything.
ChanganAuto avatar
us flag
Still not understanding. What you're seeing here is a normal UEFI ("BIOS") update (Ubuntu can now deliver those updates thanks to a special tool, just like you typically do in Windows). That it fails to install, regardless of the reason, is immaterial and you can use any other method to update UEFI ("BIOS") like you always did. Secure Boot status is irrelevant.
cn flag
Same here. Acer Travelmate Spin B118 from the year 2018. Never had problems with Ubuntu since that year, but now since the LTS update from 20.04 to 22.04 I can only boot with secure boot disabled. Maybe there is an expired or changed certificate somewhere? I also tried the fwupdate as shown in the OP but it didn't help.
Score:1
kr flag

As someone said in one of the comments to your question, this looks very similar to other questions on many forums. The solution seems to be the removal of an old file that isn't being updated anymore, which causes the upgrade manager (fwupdmgr) to block the update because one of the files in the boot directory is going to be suppressed by the dbx update for not being signed as required. This is a security thing to avoid your machine being unable to boot after the upgrade. The solution I've seen to this is to move the file into your documents, for example, and delete it once you've made sure everything still works fine. See the topic Impossible to update UEFI dbx for the details, where the problematic file is /boot/efi/EFI/Boot/shimx64.efi.

Mahler avatar
in flag
I have read that someone has boot problems after moving this file. I decided not to update until this issue is fixed by Canonical. I don't have any problems without this update.
dilwynlala avatar
kr flag
You're right, that's certainly the safest solution.
Mahler avatar
in flag
I have updated grub today. This DBX update still cannot be installed. /boot/efi/EFI/Boot/shimx64.efi - I don't have this file. The content of the folder has the same dates. I think I don't need it, I have secure boot off.
Mahler avatar
in flag
I have installed Cinnamon, updated GRUB and SHIM. This DBX update has disappeared, and is not being offered anymore.
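
The fwupdmgr message quoted in the question ("Authenticode checksum ... is present in dbx") means the hash of a boot binary on the ESP matches an entry in the UEFI forbidden-signature database. The following is an added example, not part of the original thread and not fwupd's own code: it parses the `EFI_SIGNATURE_LIST` layout defined in the UEFI specification and checks a digest against it. The helper names and the sample data are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID (UEFI spec): lists of this type hold raw SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = 28  # 16-byte type GUID + three little-endian uint32 size fields


def parse_signature_lists(blob):
    """Return the SHA-256 digests (hex) in concatenated EFI_SIGNATURE_LISTs."""
    digests, offset = set(), 0
    while offset + LIST_HEADER <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < LIST_HEADER or offset + list_size > len(blob):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {offset}")
        start, end = offset + LIST_HEADER + header_size, offset + list_size
        # Other list types (for example X.509 certificates) are skipped here.
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 16 + 32:
            for pos in range(start, end - sig_size + 1, sig_size):
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the digest.
                digests.add(blob[pos + 16:pos + sig_size].hex())
        offset += list_size
    return digests


def read_dbx_variable(path):
    """Read dbx from efivarfs, e.g.
    /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f.
    The first 4 bytes of an efivarfs file are the variable attributes."""
    with open(path, "rb") as fh:
        return parse_signature_lists(fh.read()[4:])


def is_revoked(authenticode_sha256_hex, dbx_digests):
    """True if the digest is forbidden. The digest must be the PE Authenticode
    hash of the binary, which differs from a plain sha256sum of the file."""
    return authenticode_sha256_hex.strip().lower() in dbx_digests


def build_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Constructed sample input: serialize digests as one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + d for d in digests)
    sizes = struct.pack("<III", LIST_HEADER + len(body), 0, 16 + 32)
    return EFI_CERT_SHA256_GUID.bytes_le + sizes + body
```

A binary whose Authenticode digest appears in the parsed set will be refused by firmware once Secure Boot is enabled with that dbx, which is why fwupd checks the ESP before writing the update.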