Silverblue + UEFI dbx + shim

I was using fwupdmgr update recently to try to update the firmware on my laptop. One of the updates was for the UEFI dbx. Unfortunately, I’m unable to apply the update because the BOOTX64.EFI provided by shim-x64-15.6-2.x86_64 contains one of the forbidden signatures.

╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures. If the installation fails, you will    ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly. You may have to       ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Downloading…             [***************************************]
Downloading…             [***************************************]
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Decompressing…           [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx

I found the following entry in the fwupd wiki, but it doesn’t get into what version of grub and/or shim are required.

I suspect this might be a situation of just waiting for a newer signed shim to get released to Fedora, but wanted to ask the broader community if they knew anything different.
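The refusal in the fwupd output above comes from a pre-flight check: fwupd computes the Authenticode SHA-256 of every PE binary it finds in the ESP and refuses to install the dbx if any of those digests is on the new forbidden list. The following is an added example (not code from the original post, and not fwupd's own implementation) that reproduces that check in Python so you can see which binary would trip it before running `fwupdmgr`. It assumes a standard PE32/PE32+ layout with the certificate table at the end of the file, and it constructs a fake "shim" image and a fake dbx in-line so it runs offline; the `build_pe`/`build_dbx` helpers exist only to produce that constructed input.

```python
"""Reproduce fwupd's pre-flight check: does any PE binary in the ESP have an
Authenticode SHA-256 that appears in the dbx being installed?"""
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID, stored on disk in the mixed-endian GUID layout.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le


def authenticode_sha256(data: bytes) -> str:
    """SHA-256 of a PE image the Authenticode way: the CheckSum field, the
    Security data-directory entry and the certificate table are excluded, so
    the digest does not change when the binary is (re)signed."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]      # SizeOfOptionalHeader
    opt = pe + 24                                              # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}[magic]                    # PE32 / PE32+ data dirs
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    checksum_off = opt + 64
    secdir_off = opt + dd_off + 4 * 8                          # directory #4 = Security
    _cert_va, cert_size = struct.unpack_from("<II", data, secdir_off)

    h = hashlib.sha256()
    h.update(data[:checksum_off])                              # headers, minus CheckSum
    h.update(data[checksum_off + 4:secdir_off])                # ... minus Security entry
    h.update(data[secdir_off + 8:size_of_headers])
    hashed = size_of_headers

    sections = []
    for i in range(nsect):                                     # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for ptr, size in sorted(sections):                         # in file-offset order
        h.update(data[ptr:ptr + size])
        hashed += size
    # Any data after the sections but before the certificate table (assumed to
    # sit at the end of the file, as the Authenticode spec expects) is hashed too.
    end = len(data) - cert_size
    if end > hashed:
        h.update(data[hashed:end])
    return h.hexdigest()


def parse_dbx_sha256(blob: bytes) -> set:
    """Walk a chain of EFI_SIGNATURE_LISTs and collect the SHA-256 entries."""
    hashes, off = set(), 0
    while off + 28 <= len(blob):
        sig_type = blob[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("truncated signature list")
        if sig_type == EFI_CERT_SHA256_GUID:
            pos = off + 28 + hdr_size
            while pos + sig_size <= off + list_size:
                hashes.add(blob[pos + 16:pos + sig_size].hex())  # skip SignatureOwner GUID
                pos += sig_size
        off += list_size
    return hashes


def read_efivar(path: str) -> bytes:
    """efivarfs prefixes every variable with a 4-byte attribute word; strip it."""
    with open(path, "rb") as f:
        return f.read()[4:]


def blocked_binaries(esp_files: dict, dbx_blob: bytes) -> dict:
    """Map ESP path -> digest for every binary whose Authenticode hash is in dbx."""
    forbidden = parse_dbx_sha256(dbx_blob)
    return {path: d for path, data in esp_files.items()
            if (d := authenticode_sha256(data)) in forbidden}


def build_pe(text: bytes, checksum: int = 0, cert: bytes = b"") -> bytes:
    """Constructed minimal PE32+ with one .text section and an optional cert table."""
    file_align, sect_align = 0x200, 0x1000
    raw_size = (len(text) + file_align - 1) // file_align * file_align
    cert_table = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert if cert else b""
    cert_off = file_align + raw_size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIII", 0x20B, 0, 0, raw_size, 0, 0, sect_align, sect_align)
    opt += struct.pack("<QIIHHHHHHIIII", 0x140000000, sect_align, file_align,
                       0, 0, 0, 0, 0, 0, 0, 2 * sect_align, file_align, checksum)
    opt += struct.pack("<HHQQQQII", 10, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[4] = (cert_off, len(cert_table))
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(text), sect_align, raw_size,
                                        file_align, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sect).ljust(file_align, b"\0")
    return headers + text.ljust(raw_size, b"\0") + cert_table


def build_dbx(sha256_hexes) -> bytes:
    """Constructed single EFI_SIGNATURE_LIST of EFI_CERT_SHA256 entries (owner GUID zero)."""
    sigs = b"".join(uuid.UUID(int=0).bytes_le + bytes.fromhex(h) for h in sha256_hexes)
    return EFI_CERT_SHA256_GUID + struct.pack("<III", 28 + len(sigs), 0, 48) + sigs


if __name__ == "__main__":
    # Constructed demo: a "signed" fake shim whose hash is on a constructed dbx,
    # next to an unaffected fake grub. The digest ignores CheckSum and the cert.
    esp = {"EFI/BOOT/BOOTX64.EFI": build_pe(b"\x90" * 64, checksum=0x1234, cert=b"\x30" * 16),
           "EFI/fedora/grubx64.efi": build_pe(b"\xcc" * 64)}
    dbx = build_dbx([authenticode_sha256(build_pe(b"\x90" * 64))])
    for path, digest in blocked_binaries(esp, dbx).items():
        print(f"Blocked executable in the ESP: {path} Authenticode checksum [{digest}] is present in dbx")
```

To run it against a real system, feed `blocked_binaries` the bytes of each `*.efi`/`*.EFI` file under `/boot/efi/EFI` and the dbx from `read_efivar("/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f")` (the currently installed list) or the raw dbx update file you want to test against. The per-file digest can be cross-checked with `pesign --hash --in <file>`.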

I used GNOME Firmware when I updated a week or two ago and it went fine.

It looks like someone went on the Ask Fedora forums with an issue too; you might try using the suggestions he found on Reddit.

https://discussion.fedoraproject.org/t/cannot-apply-the-secure-boot-dbx-configuration-update/71460

See:


Issues are best reported in the issue tracker 🙂


https://bugzilla.redhat.com/show_bug.cgi?id=2127995