UEFI dbx fails to update due to fedora shim.efi

pauldoo · January 22, 2023, 8:19pm

I am running Fedora Silverblue 37. There is an UEFI update available from fwupd, but it fails to install due to a complaint about the Fedora shim.

╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 83 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures. If the installation fails, you will    ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly. You may have to       ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Downloading…             [***************************************]
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Waiting…                 [***************************************]
Writing…                 [***************************************]
Decompressing…           [                                       ]Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/fedora/shim.efi Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx

I am up to date on Silvberblue. Info from rpm-ostree:

                  Version: 37.20230122.0 (2023-01-22T00:46:38Z)
               BaseCommit: 91fe33a8681ed2ee3e7db9b8ab3c7ec0207c5d65df63aad013cd81d15e628765
             GPGSignature: Valid signature by ACB5EE4E831C74BB7C168D27F55AD3FB5323552A

Is there something I can do to resolve this? Is there a separate update for the fedora shim that I need to install?

guiltydoggy · January 22, 2023, 11:46pm

Refer to: 2127995 – BOOTX64.EFI on f36 Silverblue needs update to be able to upgrade UEFI dbx

Topic		Replies	Views
Silverblue + UEFI dbx + shim Project Discussion silverblue-team	5	1310	November 11, 2022
Can't update 'Secure Boot dbx Configuration Update' Ask Fedora gnome-software , fwupd , rpm-ostree , boot , silverblue , shim , secureboot	16	3450	March 10, 2025
UEFI dbx update blocked (Kinoite/atomic) Ask Fedora kinoite , f41 , atomic-desktops , bootupd	2	98	March 21, 2025
Cannot apply the Secure Boot dbx Configuration Update Ask Fedora f36 , fwupd , uefi , gnome	1	2736	September 29, 2022
F38 Secure Boot dbx Configuration Update 190 -> 217 fails w/Invalid argument Ask Fedora f38 , kvm , gnome-software	9	2969	March 26, 2023

UEFI dbx fails to update due to fedora shim.efi

Related topics