Issue with UEFI dbx invalid after fresh fedora 42 install and fwupdmgr update

I recently did a fresh installation of Fedora 42 Workstation. After that, I used the Software app to update both the system firmware and the UEFI dbx.

However, when I run the command fwupdmgr security, it reports that the UEFI db is invalid. Everything else seems to be fine, but this particular status is confusing, especially after a clean install and updates. Please see the output below:

Host Security ID: HSI:4! (v2.0.8)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ Fused platform:                Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ SPI write protection:          Enabled
✔ BIOS rollback protection:      Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid

HSI-3
✔ SPI replay protection:         Enabled
✔ CET Platform:                  Supported
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-idle:               Enabled
✔ Suspend-to-ram:                Disabled

HSI-4
✔ Processor rollback protection: Enabled
✔ Encrypted RAM:                 Encrypted
✔ SMAP:                          Enabled

Runtime Suffix -!
✔ CET OS Support:                Supported
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✘ UEFI db:                       Invalid

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

This is the relevant part of my fwupdmgr get-devices output:

│ └─UEFI dbx:
│       Device ID:        Redacted
│       Summary:          UEFI revocation database
│       Current version:  20241101
│       Minimum Version:  20241101
│       Vendor:           UEFI:Microsoft
│       Install Duration: 1 second

Below are the steps that I’ve tried, but to no avail:

  1. Clear all Secure Boot keys and reset to the factory keys in the BIOS
  2. fwupdmgr enable-remote lvfs, then fwupdmgr refresh --force
  3. fwupdmgr update, then reboot the machine

The update is successful, but fwupdmgr security still shows UEFI db as invalid.

Has anyone else experienced this? Any suggestions on how to resolve or further troubleshoot the UEFI db invalid issue?

Thanks in advance!

I looked on 3 different x86 systems and none of them list this line in the report.
It would be good to have confirmation of what it means.

I experience the same problem. On a Fedora recently updated from 41 WS to 42 WS, I also experienced some sort of issue with the entry screen (when I turn on my laptop and the encryption password is required): it starts as usual but goes black for a second, and afterwards it appears again. I decided to reinstall Fedora WS 42, but I have the same issue. Just for the record, a month ago I installed the extension Battery Health Charging: Battery Health Charging - GNOME Shell Extensions
Is it possible that “UEFI db - Invalid” could be from the extension? Additionally, could it be the reason for the problem with the entry screen I mentioned?

fwupd can identify three possible results for the UEFI db check: invalid, not found, and valid. In this case, the invalid result means that the updated Microsoft UEFI 2023 certificate is not present in the certificate store database, leaving only the 2011 certificate. To resolve this, one needs to enter the UEFI settings and select the option to update the UEFI CA. The location of this setting will vary depending on which UEFI firmware solution is used, so if it cannot be found, contacting the motherboard/mainboard vendor for support is the best bet. Not found means that neither the 2023 nor the 2011 certificate is found, which may not be a problem because not everyone wants to rely on Microsoft’s signatures. Valid means that the 2023 certificate is present in the database, and no problem is detected.

More information can be found here: FwupdPlugin – 1.0: Host Security ID Specification

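To check the db contents yourself rather than trusting the one-line verdict, the script below (an added example, not fwupd's own code and not posted by anyone in this thread) parses the EFI_SIGNATURE_LIST structures that make up the db variable and classifies the result into the same three outcomes described above: valid (Microsoft UEFI CA 2023 present), invalid (only the 2011 CA present), not found (neither). It identifies the two CAs by scanning each X.509 entry for the CA's subject CN bytes, which is a deliberate simplification that avoids a certificate parser; fwupd's real check is not reproduced here. The efivarfs path, the attribute-prefix handling and the signature-type GUIDs come from the UEFI specification and the Linux efivarfs layout; the owner GUID and the "certificate" blobs in the sample are constructed placeholders, not real DER certificates.

```python
"""Classify a UEFI db blob into the three fwupd-style outcomes: valid / invalid / not found."""
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

# Subject CNs of the two Microsoft UEFI CAs. Substring-matching the CN inside the
# DER blob is a simplification chosen to avoid an X.509 parser; fwupd's own check
# is not reproduced here.
MS_UEFI_CA_2011 = b"Microsoft Corporation UEFI CA 2011"
MS_UEFI_CA_2023 = b"Microsoft UEFI CA 2023"

# efivarfs exposes each variable as <name>-<vendor guid>; db uses EFI_IMAGE_SECURITY_DATABASE_GUID.
DB_EFIVAR_PATH = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_esl(blob):
    """Yield (signature_type, owner_guid, signature_data) for every entry in a
    concatenation of EFI_SIGNATURE_LIST structures (the layout of db/dbx/KEK)."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])           # GUIDs are stored mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:                  # each entry: 16-byte owner GUID + data
            raise ValueError("bad SignatureSize at offset %d" % off)
        for i in range(0, len(body), sig_size):
            entry = body[i:i + sig_size]
            yield sig_type, uuid.UUID(bytes_le=entry[:16]), entry[16:]
        off += list_size


def classify_db(blob):
    """Return 'valid', 'invalid' or 'not found' with the meanings used in the thread."""
    have_2011 = have_2023 = False
    for sig_type, _owner, data in parse_esl(blob):
        if sig_type != EFI_CERT_X509_GUID:                         # hash entries are not CAs; skip them
            continue
        have_2011 |= MS_UEFI_CA_2011 in data
        have_2023 |= MS_UEFI_CA_2023 in data
    if have_2023:
        return "valid"
    if have_2011:
        return "invalid"
    return "not found"


def read_efivar_db(path=DB_EFIVAR_PATH):
    """Read the live db variable; efivarfs prefixes the data with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]


def build_esl(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST from equally sized signature data blobs (used for the sample)."""
    sizes = {len(d) for d in datas}
    if len(sizes) != 1:
        raise ValueError("all entries in one EFI_SIGNATURE_LIST must have the same size")
    sig_size = 16 + sizes.pop()
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample data: a placeholder owner GUID and fake "certificates" that only
# carry the CN bytes. They are NOT real DER certificates.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
FAKE_CERT_2011 = b"\x30\x82\x05\xe8" + b"\x00" * 40 + MS_UEFI_CA_2011 + b"\x00" * 40
FAKE_CERT_2023 = b"\x30\x82\x05\xe8" + b"\x00" * 40 + MS_UEFI_CA_2023 + b"\x00" * 40


def sample_db(with_2011=True, with_2023=True):
    """A constructed db: one SHA-256 hash entry plus the requested CA certificates."""
    lists = [build_esl(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes(range(32))])]
    if with_2011:
        lists.append(build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_2011]))
    if with_2023:
        lists.append(build_esl(EFI_CERT_X509_GUID, SAMPLE_OWNER, [FAKE_CERT_2023]))
    return b"".join(lists)


if __name__ == "__main__":
    try:
        blob = read_efivar_db()
        print("live db:", classify_db(blob))
    except OSError as e:
        print("could not read live db (%s); using constructed sample" % e)
        print("sample db:", classify_db(sample_db(with_2011=True, with_2023=False)))
```

Run it as root on the affected machine; a result of "invalid" confirms that the firmware's db carries the 2011 CA but not the 2023 one, which is exactly the condition the UEFI-settings "update UEFI CA" option is meant to fix. Note that fwupdmgr update of the dbx device cannot change this, since dbx is the revocation list and db is a separate variable.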

Does anyone know what happens when the MS certificate used for signing the shim expires and may not be installed on new computers? Also, how are the new MS certificates updated on Linux-only systems?