Can't update 'Secure Boot dbx Configuration Update'

Hello Fedora Administrators!


For almost a year I get the following message in GNOME Software:
[screenshot of the GNOME Software message]


In the past I read somewhere that this would be solved in Fedora 41 Silverblue (can’t remember where). However, I upgraded my laptop to Fedora 41 Silverblue and I still get this message.


Today I ran the command fwupdmgr update and got the following output:

Devices with no available firmware updates: 
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 371?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of the Microsoft Windows boot manager affected by Black    ║
║ Lotus were added to the list of forbidden signatures due to a discovered     ║
║ security problem.This updates the dbx to the latest release from Microsoft.  ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.Applying this update may also cause     ║
║ some Windows install media to not start correctly.                           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Decompressing…           [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx

My system is up to date, so despite what the message recommends, I can't upgrade the system any further.

Does anybody have an idea how I can unblock the ESP and update the UEFI dbx?
And what exactly is ESP?


Thanks in advance :-) !
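The check fwupd describes above ("Authenticode checksum [...] is present in dbx") can be reproduced against your own dbx. This is an added example, not code from fwupd or bootupd: it parses the EFI_SIGNATURE_LIST structures that make up dbx (read from efivarfs, or the constructed sample built at the bottom) and tests whether a given SHA-256 Authenticode digest is on the forbidden list. Computing the digest of a PE file is out of scope; the value used is the one fwupd printed for BOOTX64.EFI in this thread, and the GUIDs and efivarfs path are the standard ones from the UEFI spec and the Linux kernel.

```python
import struct
import uuid

# GUIDs from the UEFI spec: signature-list type for SHA-256 Authenticode hashes,
# the X.509 certificate type (skipped here), and the vendor GUID of the dbx variable.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
# Authenticode digest printed by fwupd in this thread for /boot/efi/EFI/BOOT/BOOTX64.EFI.
BLOCKED_BOOTX64 = "0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19"


def iter_sha256_entries(dbx: bytes):
    """Walk the concatenated EFI_SIGNATURE_LISTs and yield each 32-byte SHA-256 entry."""
    off = 0
    while off + 28 <= len(dbx):
        sig_type = uuid.UUID(bytes_le=dbx[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", dbx, off + 16)
        if list_size < 28 or off + list_size > len(dbx):
            raise ValueError("truncated or corrupt EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 16 + 32:
            pos, end = off + 28 + hdr_size, off + list_size
            while pos + sig_size <= end:        # EFI_SIGNATURE_DATA: owner GUID + hash
                yield dbx[pos + 16:pos + sig_size]
                pos += sig_size
        off += list_size                        # lists of other types are skipped


def hash_in_dbx(dbx: bytes, authenticode_sha256_hex: str) -> bool:
    """True if the given PE Authenticode SHA-256 digest is on the forbidden list."""
    wanted = bytes.fromhex(authenticode_sha256_hex)
    return any(entry == wanted for entry in iter_sha256_entries(dbx))


def load_dbx_from_efivars(path: str = DBX_EFIVAR) -> bytes:
    """Read the live dbx; efivarfs prefixes the payload with 4 attribute bytes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def make_signature_list(sig_type: uuid.UUID, entries: list) -> bytes:
    """Build one EFI_SIGNATURE_LIST (empty signature header) from constructed entries."""
    sig_size = 16 + len(entries[0])
    body = b"".join(uuid.UUID(int=0).bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample dbx: one X.509 list (ignored) followed by two SHA-256 hashes.
SAMPLE_DBX = (make_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\x00" * 30])
              + make_signature_list(EFI_CERT_SHA256_GUID,
                                    [bytes.fromhex(BLOCKED_BOOTX64), b"\x11" * 32]))
```

On a live system, `hash_in_dbx(load_dbx_from_efivars(), BLOCKED_BOOTX64)` answers the same question fwupd did before it refused to apply the update.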

ESP = EFI System Partition

Source: Wikipedia

The EFI (Extensible Firmware Interface) system partition or ESP is a partition on a data storage device (usually a hard disk drive or solid-state drive) that is used by computers that have the Unified Extensible Firmware Interface (UEFI). When a computer is booted, UEFI firmware loads files stored on the ESP to start operating systems and various utilities.

An ESP contains the boot loaders, boot managers, or kernel images of installed operating systems (which are typically contained in other partitions), device driver files for hardware devices present in a computer and used by the firmware at boot time, system utility programs that are intended to be run before an operating system is booted, and data files such as error logs.[1]

I guess you have Secure Boot on, and that does not allow you to upgrade the ESP. Can you please check in the BIOS?


Hello @ilikelinux,

Thanks for the information!
I checked the BIOS, but Secure Boot is not enabled.

If there is something else I should check, let me know!

Can you please give more information about your system?

inxi -Fzxx and paste the output here as preformatted text (</> in the editor menu).

This is the bug tracker for this error:

In Fedora 41, you should be able to run the following commands to update the bootloader:

$ sudo bootupctl status
$ sudo bootupctl adopt-and-update

Afterwards you can try updating the UEFI dbx firmware.


In Silverblue and similar systems, the files in /boot/efi (also known as the ESP) were not updated automatically when a new shim got released back in the spring. What dbx does is, among other things, make the previous shim untrusted so it can't boot in secure mode. Furthermore, it has been reported that the older shim will not let you boot the newer kernels or grub versions in secure mode.

The error message you see is a protection against shooting yourself in the foot.

If you multiboot Windows, dbx may also be updated by Windows. The dbx update comes, after all, from Microsoft.

Okay, thanks for the information!

I tried the commands, but got the following error message:

sudo bootupctl adopt-and-update
Running as unit: bootupd.service
error: Failed adopt and update: applying filesystem changes: removing ".btmp.BOOT/fbia32.efi": No such file or directory (os error 2)

I think I have to wait until Fedora 42 is released, before it gets solved?

Thanks for sharing the bug report; it was exactly the one I was looking/searching for!

I think I have to wait until Fedora 42 is released, before it gets solved.

I believe that Fedora 42 comment is in regard to another component that will fix the duplicated GRUB entries. The bootupd component is ready as of F41.

Can you try:

$ sudo systemctl reset-failed bootupd.service

And then give the output of:

$ sudo bootupctl status
$ sudo bootupctl validate


The Fedora 42 comment is about something else.

Your issue looks like Adopt fails with error "removing ".btmp.fedora/mmia32.efi": No such file or directory (os error 2)" · Issue #762 · coreos/bootupd · GitHub. Can you add info there? Thanks

Hi @ilikelinux,

Here is some information about my system.
I ran the command inxi -Fzxx from inside a Toolbox container.

System:
  Kernel: 6.11.5-300.fc41.x86_64 arch: x86_64 bits: 64 compiler: gcc
    v: 2.43.1-2.fc41
  Desktop: GNOME v: N/A wm: gnome-shell dm: N/A Distro: Fedora Linux 41
    (Toolbx Container Image)
Machine:
  Type: Laptop System: Dell product: XPS 13 9380 v: N/A
    serial: <superuser required> Chassis: type: 10 serial: <superuser required>
  Mobo: Dell model: 0KTW76 v: A00 serial: <superuser required> part-nu: 08AF
    UEFI: Dell v: 1.26.0 date: 09/11/2023
Battery:
  ID-1: BAT0 charge: 41.0 Wh (96.7%) condition: 42.4/52.0 Wh (81.6%)
    volts: 8.5 min: 7.6 model: SMP DELL G8VCF6C serial: <filter>
    status: charging
  Device-1: hidpp_battery_1 model: Logitech Signature M650 L
    serial: <filter> charge: N/A status: discharging
CPU:
  Info: quad core model: Intel Core i7-8565U bits: 64 type: MT MCP
    arch: Comet/Whiskey Lake note: check rev: C cache: L1: 256 KiB L2: 1024 KiB
    L3: 8 MiB
  Speed (MHz): avg: 700 min/max: 400/4600 cores: 1: 700 2: 700 3: 700 4: 700
    5: 700 6: 700 7: 700 8: 700 bogomips: 31999
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Graphics:
  Device-1: Intel WhiskeyLake-U GT2 [UHD Graphics 620] vendor: Dell
    driver: i915 v: kernel arch: Gen-9.5 ports: active: DP-1,eDP-1
    empty: DP-2,DP-3 bus-ID: 00:02.0 chip-ID: 8086:3ea0
  Device-2: Microdia Integrated_Webcam_HD driver: uvcvideo type: USB
    rev: 2.0 speed: 480 Mb/s lanes: 1 bus-ID: 1-5:2 chip-ID: 0c45:6723
  Display: wayland server: N/A compositor: gnome-shell driver: X:
    loaded: modesetting unloaded: fbdev,vesa dri: iris gpu: i915 display-ID: 0
  Monitor-1: DP-1 model: Dell U2718Q res: 3840x2160 dpi: 160
    diag: 702mm (27.6")
  Monitor-2: eDP-1 model: AU Optronics 0x282b res: 3840x2160 dpi: 333
    diag: 336mm (13.2")
  API: EGL Message: EGL data requires eglinfo. Check --recommends.
Audio:
  Device-1: Intel Cannon Point-LP High Definition Audio vendor: Dell
    driver: snd_hda_intel v: kernel bus-ID: 00:1f.3 chip-ID: 8086:9dc8
  API: ALSA v: k6.11.5-300.fc41.x86_64 status: kernel-api
Network:
  Device-1: Qualcomm Atheros QCA6174 802.11ac Wireless Network Adapter
    vendor: Rivet Networks Killer 1435 Wireless-AC driver: ath10k_pci v: kernel
    pcie: speed: 2.5 GT/s lanes: 1 bus-ID: 02:00.0 chip-ID: 168c:003e
    temp: 39.0 C
  IF: wlp2s0 state: up mac: <filter>
Bluetooth:
  Device-1: Foxconn / Hon Hai driver: btusb v: 0.8 type: USB rev: 1.1
    speed: 12 Mb/s lanes: 1 bus-ID: 1-7:3 chip-ID: 0489:e0a2
  Report: rfkill ID: hci0 rfk-id: 0 state: up address: see --recommends
Drives:
  Local Storage: total: 476.94 GiB used: 402.3 GiB (84.4%)
  ID-1: /dev/nvme0n1 vendor: Samsung model: PM981 NVMe 512GB
    size: 476.94 GiB speed: 31.6 Gb/s lanes: 4 serial: <filter> temp: 37.9 C
Partition:
  Message: No partition data found.
Swap:
  ID-1: swap-1 type: zram size: 8 GiB used: 0 KiB (0.0%) priority: 100
    dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 50.0 C mobo: N/A
  Fan Speeds (rpm): N/A
Info:
  Memory: total: 16 GiB note: est. available: 15.27 GiB used: 3.47 GiB (22.7%)
  Processes: 342 Power: uptime: 16m wakeups: 0 Init: systemd v: 256
    default: graphical
  Packages: pm: rpm pkgs: N/A note: see --rpm Compilers: N/A Shell: Bash
    v: 5.2.32 running-in: conmon inxi: 3.3.36

Hello @guiltydoggy,

Thanks for thinking along!
Below you can find the output of the mentioned commands.

sudo systemctl reset-failed bootupd.service

Failed to reset failed state of unit bootupd.service: 
Unit bootupd.service not loaded.

sudo bootupctl status
Running as unit: bootupd.service
No components installed.
Detected: EFI: unknown
Boot method: EFI

sudo bootupctl validate
Running as unit: bootupd.service
No components installed.

Reading this, it looks like bootupd is not loaded (?)(!).

Yes, I will do that!

Thanks for sharing this, this was very helpful. I was getting the same error messages on two computers with Fedora 41, and in both cases fwupdmgr update did the job!

On another note, what on earth is this update about? Curious to know because windoze update never prompted me for this Black Lotus thingy, whereas Fedora did.