There is a critical update for Secure Boot dbx, but Silverblue won’t update it. It downloads it and restarts, but won’t install.
I think this is a known issue. The workaround is to update from the command line:
$ fwupdmgr refresh
$ fwupdmgr update
I’ve had the same issue. I just hit Update and Restart multiple times (trying to find the root cause) but suddenly it was installed correctly…
Doesn’t work now. I did this 10 times, and each time after restart it is still available; it won’t install.
You need to revoke the custom dbx key, and disable custom dbx in the BIOS after.
How can I do this, please?
Hi,
Any updates, tho?
Nope, last time I had issues on this I booted on another distro and updated, and then went back to Fedora.
So, it’s related to Fedora?
I tried everything regarding even those:
I think so, since I only see it on Fedora, and booting to, for example, Ubuntu, openSUSE etc. installs the patches.
On other distros, how do you update it?
By fwupdmgr??
On this issue I haven’t updated on other distros yet, since after yesterday I set up my LUKS to be managed by my TPM modules so it automatically decrypts and encrypts using TPM, and after that setup was done and working it actually updated the UEFI dbx update with no issues. So I guess the issue is more on the Fedora crypt side.
Current version: 20241101
This is the latest updated version and all installed with no issues, and I didn’t even notice that it got installed.
What is your point? Saying that Fedora, which uses a trusted Linux vendor for firmware and Secure Boot updates, is just fake? I have been updating my system firmware and databases on Secure Boot for years using Fedora with fwupdmgr. Even my manufacturer provides their firmware directly to the Linux updater, and in that case it is trusted.
So how do you think I updated then all, and all is updated, if you say I can’t, even I have Secure Boot enabled with TPM, so stop this nonsense. You clearly have no clue what you are even talking about.
But I have updated the dbx, so stop this nonsense spam and trolling and read the context, or just don’t reply if you don’t understand things.
@verolomstvo I’m quite not sure if you are trolling.
DBX updates are nothing more than updated certificates for the UEFI/DBX database, mostly containing revoked certificates. Every hardware and software vendor is able to update your DBX store. It’s up to you if you trust them or not. You may build your own store with your very own certificate and place it into the storage (Setup Mode).
The Secure Boot state will change from Standard/Factory Mode to Custom/User Mode.
Of course, you can reset the DBX store at any time to its factory state by entering the BIOS and selecting the appropriate item that restores the store; here’s an example:
@thephatlee you may want to add the fwupd tag in your first post.
In addition: the dbx update blob must be signed by one of the KEK keys, or perhaps by one of the db keys, to be accepted. In practice, the dbx updates are coming from Microsoft, and are the way for Microsoft to revoke permission to run a previously signed EFI program. If you dual boot your system, the dbx updates could be installed by any of the other systems, including by MS-Windows.
I expect and hope that any other firmware updates received by fwupd are signed and validated by the firmware itself before being installed.
I hope at least this happens on the GNOME version; it still shows the same update even after updates.
Just check and you will see if it is physically installed or not:
sudo fwupdmgr get-devices
Summary: UEFI revocation database
│ Current version: 20241101
│ Minimum Version: 20241101
reinstall that means it is installed already so not fake
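To check what the firmware actually holds, independent of what the update UI shows, the dbx variable can be read directly from efivarfs. The following is an added example, not part of the thread or of fwupd: a parser for the UEFI `EFI_SIGNATURE_LIST` format that dbx uses, run here on a constructed sample. The efivarfs path assumes a Linux system booted in UEFI mode, and the sample owner GUID and hashes are made up.

```python
import hashlib, struct, uuid

# Well-known signature-type GUIDs from the UEFI specification.
SIG_TYPES = {
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
}
# efivarfs path of the dbx variable (assumes Linux booted via UEFI).
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(data):
    """Parse concatenated EFI_SIGNATURE_LIST structures into (type, owner, payload)."""
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(data) or sig_size <= 16:
            raise ValueError("inconsistent sizes in EFI_SIGNATURE_LIST")
        body = data[off + 28 + hdr_size: off + list_size]
        if len(body) % sig_size:
            raise ValueError("signature area is not a multiple of SignatureSize")
        kind = SIG_TYPES.get(type_guid, str(type_guid))
        for i in range(0, len(body), sig_size):
            # Each entry is a 16-byte owner GUID followed by the hash or certificate.
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append((kind, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def read_dbx(path=DBX_PATH):
    """Read dbx from efivarfs, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return parse_signature_lists(f.read()[4:])

def build_sample():
    """Constructed sample: one SHA-256 list holding two made-up revoked hashes."""
    owner = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # placeholder
    digests = [hashlib.sha256(b"revoked-a").digest(), hashlib.sha256(b"revoked-b").digest()]
    sigs = b"".join(owner + d for d in digests)
    guid = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
    return guid + struct.pack("<III", 28 + len(sigs), 0, 48) + sigs

if __name__ == "__main__":
    for kind, owner, payload in parse_signature_lists(build_sample()):
        print(kind, owner, payload.hex())
```

On a real machine, comparing `len(read_dbx())` before and after the update shows whether the revocation list in firmware actually changed.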