Blocked executable in the ESP, ensure grub and shim are up to date: /run/media/root/SYSTEM/EFI/HP/SystemRecovery/bootmgfw.efi
Authenticode checksum [f74947590a87a005023e9ef89cdf0c38d8d582ca4173f8201cebc443ef796790] is present in dbx
This is from “Discover” as well as command line: fwupdmgr update
I dual boot Windows 10 and Fedora 40.
The efi file in question is on the windows EFI partition.
Google search shows there are many occurrences of this problem, some of which have dangerous recommendations, but none of which have solutions.
As far as I can see, there’s no way to “update” bootmgfw.efi.
So is it possible to do the upgrade or not, and if so, how?
Thanks!
Do you have a file named HP/SystemRecovery/bootmgfw.efi somewhere in the efi file system (aka ESP)? The efi file system is usually mounted on /boot/efi.
If so, this file seems to have become blacklisted by Microsoft, and therefore either needs to be updated or removed.
The error message refers to it as
/run/media/root/SYSTEM/EFI/HP/SystemRecovery/bootmgfw.efi
so also check there and also find out what is mounted there using the command
Thanks Villy. I just mounted it to take a peek.
I know nothing about dbx or how to update it.
It seems that Microsoft updates EFI/Microsoft/Boot/bootmgfw.efi but the boot process is using EFI/HP/SystemRecovery/bootmgfw.efi.
Maybe I could just copy EFI/Microsoft/Boot/bootmgfw.efi to EFI/HP/SystemRecovery/bootmgfw.efi ?
Would there be an action to do with dbx?
…
On second thought, never mind the boot process. This whole thing is to satisfy the Fedora software update. The boot works just fine as-is and I don’t want to do anything to break it.
Whenever it is discovered that some .efi program has a security issue, said .efi program will be blacklisted by the updated dbx file. If UEFI is then asked to load this blacklisted .efi program it gets a security violation and the program won’t run. You don’t update dbx, Microsoft does.
BootCurrent: 0000
BootOrder: 0001,0000,0008,0007,000D,0004,0006,000C,000E
Boot0000* Fedora HD(1,GPT,aad43d6d-f33b-4675-b6be-e66072912a6a,0x800,0x12c000)/\EFI\fedora\shimx64.efi
Boot0001* Windows Boot Manager HD(2,GPT,6b413ded-a60a-4c43-a449-644be3aff19b,0x200000,0xb4000)/\EFI\Microsoft\Boot\bootmgfw.efi ...
Boot0004* USB Floppy/CD ...
Boot0006* Hard Drive ...
Boot0007* USB Floppy/CD ...
Boot0008* USB Hard Drive ...
Boot000C* Realtek PXE B02 D00 ...
Boot000D* ATAPI CD-ROM Drive ...
Boot000E* CD/DVD Drive BBS(CDROM,,0x0)...
The problem I’m trying to solve is to make the Fedora 41 upgrade possible. If it is not possible or possible with risk to break booting, then I will simply stick with Fedora 40.
Maybe @vekruse is suggesting that this is not possible since that partition doesn’t even get mounted during a Fedora boot session, and that is what will be running when you do the system upgrade from f40 to f41?
I also interpret his suggestion to you that you wait to see if that HP manufacturer recovery efi file gets addressed the next time you boot Windows. In that case, since you’ll be booting from the drive containing Windows, it will mount the EFI partition on that disk.
I got courageous and backed up EFI/HP/SystemRecovery, deleted it and ran the UEFI dbx update and the other updates. When successfully completed and before rebooting, I restored the backed up EFI directory and rebooted. It seems to have gone well as the Fedora 41 update is now running. Thanks again for the comments.
Looking back at my comment to you, I see that I misstated my point: I meant that it would’ve been impossible for you to mess up that HP recovery efi file during a Fedora system upgrade because that partition isn’t even mounted while you’re booted into Fedora.
On the contrary. Don’t mount that partition and the contents become irrelevant. Besides, you can upgrade to Fedora 41 even if you haven’t installed the dbx upgrade.
Blocked executable in the ESP, ensure grub and shim are up to date: /run/media/root/SYSTEM/EFI/HP/SystemRecovery/bootmgfw.efi
Authenticode checksum [f74947590a87a005023e9ef89cdf0c38d8d582ca4173f8201cebc443ef796790] is present in dbx
At that point EFI/HP/SystemRecovery was not mounted. The UEFI dbx update threw that error all by itself. I mounted it afterward to investigate. So Fedora 41 upgrade depended on UEFI dbx update, and UEFI dbx update failed. This is the sequence of events:
1. Fedora 41 upgrade requires UEFI dbx upgrade
2. UEFI dbx upgrade fails because of SYSTEM/EFI/HP/SystemRecovery/bootmgfw.efi
3. I mount the fs and remove SYSTEM/EFI/HP/SystemRecovery
4. I retry UEFI dbx upgrade and succeed
5. I restore SYSTEM/EFI/HP/SystemRecovery
6. I proceed with Fedora 41 upgrade which succeeds
7. I unmount the fs - probably could have done that before step 6
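The check behind the "Authenticode checksum ... is present in dbx" message can be reproduced offline to see which files on a mounted ESP a dbx update would block. The following is an added example, not part of the thread and not fwupd's own code; the function names are hypothetical, and it assumes the usual boot loader layout in which sections are stored in file order and the signature blob is the last thing in the file.

```python
import hashlib
import struct
import sys
from pathlib import Path

# Hash quoted in the fwupd error message on this page.
REVOKED = {"f74947590a87a005023e9ef89cdf0c38d8d582ca4173f8201cebc443ef796790"}

def authenticode_sha256(data: bytes) -> str:
    """SHA-256 Authenticode digest of a PE image (hypothetical helper name)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24  # optional header follows the signature and the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    checksum = opt + 64  # CheckSum field: same offset in PE32 and PE32+
    cert_dir = opt + (128 if magic == 0x10B else 144)  # data directory entry 4
    if struct.unpack_from("<I", data, cert_dir - 36)[0] < 5:
        raise ValueError("no certificate table directory entry")
    cert_off, cert_len = struct.unpack_from("<II", data, cert_dir)
    # Assumption: the signature blob, if present, sits at the end of the file.
    end = cert_off if cert_off and cert_len else len(data)
    h = hashlib.sha256()
    h.update(data[:checksum])              # everything up to CheckSum
    h.update(data[checksum + 4:cert_dir])  # skip CheckSum
    h.update(data[cert_dir + 8:end])       # skip the directory entry and the signature
    return h.hexdigest()

def blocked_in_esp(esp_root, revoked):
    """Return (path, digest) for each .efi file under esp_root whose digest is revoked."""
    hits = []
    for path in sorted(Path(esp_root).rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".efi":
            continue
        try:
            digest = authenticode_sha256(path.read_bytes())
        except (ValueError, struct.error):
            continue  # not a parsable PE image
        if digest in revoked:
            hits.append((str(path), digest))
    return hits

if __name__ == "__main__":
    for path, digest in blocked_in_esp(sys.argv[1], REVOKED):
        print(f"{digest}  {path}")
```

Run it with the ESP mount point as the only argument. Because the digest skips the checksum and signature fields, it differs from a plain `sha256sum` of the same file.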