Configuration update. Secure Boot dbx

Hello, dear Fedora Community! I do not know how to solve this problem:
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/Microsoft/Boot/bootmgfw.efi Authenticode checksum [84d75f7a8913d66db946eaf1480eaddec3063d27a6f625f040b406718abcac44] is present in dbx

I use Fedora Workstation with GNOME. I just want to update Built-in firmware and get this error.

Should I use any other Spin instead of Workstation with GNOME? Because I did not know about this problem when I used Sway Spin, for example.

And if I leave it, will I get dangerous vulnerabilities of Secure Boot or other sides of Fedora OS?

My PC config:
Fedora Linux 40 (Workstation Edition)
Lenovo Lenovo ideapad 320-15ABR
AMD A10-9620P RADEON R5, 10 COMPUTE CORES 4C+6G × 4
RAM: 6,0 GB
Hard drive: 500,1 GB

P.S. I use double boot: Fedora Workstation and Windows 8.1.

This looks like your Windows boot loader needs updating.

Before updating the dbx, the system checks the ESP for any EFI programs that would be blocked by the new dbx entries. Microsoft/Boot/bootmgfw.efi appears to be one of them, so it needs to be replaced by an up-to-date version.

1 Like
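The check described in the reply above compares the Authenticode digest of each EFI binary on the ESP with the dbx entries. The following is an added example, not part of the thread and not the updater's own code: it computes that digest and shows why it stays the same whether or not the binary is signed. The function names, the dbx modelled as a set of hex digests, and the minimal PE image are constructed for illustration, and the hash routine assumes the image's sections are contiguous and in file order.

```python
import hashlib
import struct

def authenticode_sha256(image: bytes) -> str:
    """Authenticode SHA-256 of a PE image (sections assumed contiguous, in file order)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                       # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                 # CheckSum field, 4 bytes
    certdir = opt + (128 if magic == 0x10B else 144)    # certificate table entry, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", image, certdir)
    end = cert_off if cert_len else len(image)          # signature blob is not hashed
    h = hashlib.sha256()
    for chunk in (image[:checksum], image[checksum + 4:certdir], image[certdir + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def blocked_images(images: dict, dbx: set) -> list:
    """Names of images whose Authenticode digest appears in the dbx digest set."""
    return sorted(n for n, data in images.items() if authenticode_sha256(data) in dbx)

def sample_image(payload: bytes, signed: bool = False) -> bytes:
    """Constructed minimal PE32+ skeleton, for demonstration only (not bootable)."""
    img = bytearray(512)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)
    img[0x180:0x180 + len(payload)] = payload
    if signed:                                          # signing touches only excluded fields
        struct.pack_into("<I", img, 0x80 + 24 + 64, 0x1234)
        struct.pack_into("<II", img, 0x80 + 24 + 144, 512, 16)
        img += b"S" * 16
    return bytes(img)

if __name__ == "__main__":
    old, new = sample_image(b"old loader", signed=True), sample_image(b"new loader", signed=True)
    dbx = {authenticode_sha256(sample_image(b"old loader"))}   # constructed revocation list
    print(blocked_images({"old.efi": old, "new.efi": new}, dbx))
```

Because the digest skips the checksum and signature fields, a dbx entry matches the binary's code itself, so the flagged file stays blocked until it is replaced by a different build.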

If I do not change anything, will this be dangerous for my Laptop and OS?

I would start by updating Windows, since Windows 8 support ended in January 2023; the Windows side is more of a risk than the Fedora side, and that might cause the issues.

Also, Windows 10 is reaching end of life soon.

1 Like

But I almost all the time use Fedora OS. I use Windows very very rarely. Is it still dangerous? Also I have antivirus on Windows 8.1.

I really don’t know. It depends on how you use your system, and the best security defense is still between the chair and the keyboard.

2 Likes

Just guessing, but since Windows 8.1 has not been supported for some time and the dbx is maintained by Microsoft, it probably will be unable to update that dbx for you at all. You may be able to update Windows (it was free to update to Windows 10) and then update that dbx.

The older system you are on may not be able to run Windows 11 due to hardware requirements (TPM module), but I think it is still possible to get Windows 10 install media.

Another option would be to completely forgo Windows and use Linux 100%. I have done that and been happy for many years.

1 Like

You can run 100% Fedora for the host and use Windows in a VM if it is used rarely; that to me makes the most sense. Especially with Win7/8.1, as they run fine for me in a VM, including using USB and serial communication, etc. So does Win 10, for that matter.

1 Like

And for now, are you still using only Linux?

My laptop was delivered with Windows 10 several years ago. I boot to Windows to keep it updated but do nothing else in that OS.
Linux (specifically Fedora) has been my OS of choice for about 20 years.

1 Like