For almost a year I have been getting the following message in GNOME Software:
In the past I read somewhere that this would be solved in Fedora 41 Silverblue (can’t remember where). However, I upgraded my laptop to Fedora 41 Silverblue and I still get this message.
Today I ran the command fwupdmgr update and got the following output:
Devices with no available firmware updates:
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 371?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of the Microsoft Windows boot manager affected by Black    ║
║ Lotus were added to the list of forbidden signatures due to a discovered     ║
║ security problem.This updates the dbx to the latest release from Microsoft.  ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.Applying this update may also cause     ║
║ some Windows install media to not start correctly.                           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Decompressing… [                                        ]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx
My system is up to date, so despite what the message recommends, I can't upgrade the system any further.
Does anybody have an idea how I can unblock the ESP and update the UEFI dbx?
And what exactly is an ESP?
An ESP contains the boot loaders, boot managers, or kernel images of installed operating systems (which are typically contained in other partitions), device driver files for hardware devices present in a computer and used by the firmware at boot time, system utility programs that are intended to be run before an operating system is booted, and data files such as error logs.[1]
I guess you have Secure Boot on, which does not allow you to upgrade the ESP. Can you please check in the BIOS?
In Silverblue and similar systems, the files in /boot/efi (also known as the ESP) were not updated automatically when a new shim was released back in the spring. What dbx does is, among other things, mark the previous shim as not trusted so that it can't boot in Secure Boot mode. Furthermore, it has been reported that the older shim will not let you boot the newer kernels or grub versions in Secure Boot mode.
The error message you see is a protection against shooting yourself in the foot.
If you multiboot Windows, dbx may also be updated by Windows. The dbx update comes, after all, from Microsoft.
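To make the dbx side of that check concrete, here is an added example (not from this thread and not fwupd's own code) that parses the EFI_SIGNATURE_LIST structures a dbx variable is made of, collects the SHA-256 Authenticode hashes it forbids, and tests whether a given checksum (such as the one fwupd reported for BOOTX64.EFI above) is listed. The dbx bytes are constructed inline; the efivarfs path and 4-byte attribute prefix are the standard Linux ones.

```python
import struct
import uuid

# Signature type whose entries are raw SHA-256 Authenticode hashes of PE images.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFIVARS_DBX = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def parse_signature_lists(data):
    """Yield (type_guid, [signature_payload, ...]) for each EFI_SIGNATURE_LIST in data."""
    off = 0
    while off + 28 <= len(data):
        # Header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize.
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        if list_size < 28 or sig_size == 0 or off + list_size > len(data):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        body = data[off + 28 + hdr_size:off + list_size]
        entries = []
        for pos in range(0, len(body) - sig_size + 1, sig_size):
            # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the payload.
            entries.append(body[pos + 16:pos + sig_size])
        yield sig_type, entries
        off += list_size

def dbx_sha256_hashes(data):
    """Return the set of forbidden SHA-256 hashes (lowercase hex) across all lists."""
    hashes = set()
    for sig_type, entries in parse_signature_lists(data):
        if sig_type == EFI_CERT_SHA256_GUID:
            hashes.update(e.hex() for e in entries)
    return hashes

def read_efivars_dbx(path=EFIVARS_DBX):
    """Read dbx through efivarfs; the first 4 bytes are variable attributes, not list data."""
    with open(path, "rb") as f:
        return f.read()[4:]

def build_sha256_list(hex_hashes, owner=uuid.UUID(int=0)):
    """Constructed helper for the demo: pack hashes into one SHA-256 EFI_SIGNATURE_LIST."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hex_hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size)
    return header + body

# Constructed sample dbx: the checksum fwupd reported above plus one dummy entry.
BLOCKED = "0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19"
SAMPLE_DBX = build_sha256_list([BLOCKED, "11" * 32])

def is_blocked(authenticode_sha256_hex, dbx=SAMPLE_DBX):
    """True if the given Authenticode SHA-256 checksum appears in the dbx bytes."""
    return authenticode_sha256_hex.lower() in dbx_sha256_hashes(dbx)

if __name__ == "__main__":
    print(len(dbx_sha256_hashes(SAMPLE_DBX)), "entries; blocked:", is_blocked(BLOCKED))
```

On a real machine, pass `read_efivars_dbx()` as the `dbx` argument to check the live variable (the entry count it reports is what fwupd's dbx version numbers such as 77 and 371 refer to).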
I tried the commands, but got the following error message:
sudo bootupctl adopt-and-update
Running as unit: bootupd.service
error: Failed adopt and update: applying filesystem changes: removing ".btmp.BOOT/fbia32.efi": No such file or directory (os error 2)
I believe that the Fedora 42 comment is in regard to another component that will fix the duplicated GRUB entries. The bootupd component is ready as of F41.
Thanks for sharing this, this was very helpful. I was getting the same error messages on two computers with Fedora 41, and in both cases fwupdmgr update did the job!
On another note, what on earth is this update about? Curious to know because windoze update never prompted me for this Black Lotus thingy, whereas Fedora did.