UEFI dbx update blocked (Kinoite/atomic)

I am running into the following error when trying to update the UEFI dbx firmware:

# fwupdmgr update
Devices with no available firmware updates:
 • Force MP510
 • Force MP600
 • SSD 860 EVO 1TB
 • SSD 970 EVO 1TB
 • System Firmware
 • USB2.1 Hub
 • USB2.1 Hub
┌──────────────────────────────────────────────────────────────────────────────┐
│ Upgrade UEFI dbx from 20230501 to 20241101?                                  │
├──────────────────────────────────────────────────────────────────────────────┤
│ This updates the list of forbidden signatures (the "dbx") to the latest      │
│ release from Microsoft.                                                      │
│                                                                              │
│ An insecure version of Howyar's SysReturn software was added, due to a       │
│ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
Perform operation? [Y|n]: Y
Decompressing…           [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/fedora/shimx64-fedora.efi Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx

Seems I need to update the shim, as it is blocking the dbx update. As this is an Atomic system, I use bootupd to update the bootloader.

However, I believe I am running the latest bootloader:

# bootupctl status
Running as unit: bootupd.service
Component EFI
  Installed: grub2-efi-ia32-1:2.12-20.fc41.x86_64,grub2-efi-x64-1:2.12-20.fc41.x86_64,shim-ia32-15.8-3.x86_64,shim-x64-15.8-3.x86_64
  Update: At latest version
No components are adoptable.
Boot method: EFI

# bootupctl adopt-and-update
Running as unit: bootupd.service; invocation ID: bc6c41eb97c64dac9607021483affdef
No components are adoptable.

So how can I update the UEFI dbx?

The offending efi file, /boot/efi/EFI/fedora/shimx64-fedora.efi, seems to be defunct. It is not a part of the latest shim-x64 package.

/boot/efi/EFI/fedora# ls -l
total 10824
-rwx------. 1 root root     110 Jan  5  2023 BOOTX64.CSV
drwx------. 2 root root    4096 Jan  5  2023 fonts
-rwx------. 1 root root     144 Jan  5  2023 grub.cfg
-rwx------. 1 root root 3030336 Mar 14 05:42 grubia32.efi
-rwx------. 1 root root 4078912 Mar 14 05:42 grubx64.efi
-rwx------. 1 root root  848080 Oct 11 07:17 mmx64.efi
-rwx------. 1 root root  949424 Oct 11 07:17 shim.efi
-rwx------. 1 root root  949424 Oct 11 07:17 shimx64.efi
-rwx------. 1 root root 1204496 Jan  5  2023 shimx64-fedora.efi

It seems to have been removed from the package at some point between version 15 and 15.4, but it didn’t clean up the bootloader folder. BTW, if there’s a better way to find/look at older versions of packages, please let me know - I just found these by browsing the package build list here.

So as it seems this one efi file is no longer needed/maintained, I manually deleted it. After which, I was able to update my dbx file.

I’ll mark this as the solution, but admittedly it seems sketchy to manually delete stuff from this folder so if anyone has any better methods or if this is a bad solution, let me know.


It should be safe to remove it as your system should not depend on it to boot.

You can verify that by looking if there is a boot entry listing it:

$ efibootmgr | grep shimx64-fedora
<should be empty>
$ efibootmgr | grep fedora
<should list all Fedora EFI boot entries>

Fixing this is tracked in coreos/bootupd issue #784 on GitHub, "Cleanup `shimx64-fedora.efi` from adopted installations (was: Can't upgrade UEFI dbx from 77 to 371)".

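Added example (not code from the thread or from bootupd): a Python check that automates the verification the reply above describes, matching the ESP path fwupdmgr reports as blocked against the files that `efibootmgr -v` boot entries actually load. The fwupdmgr line is the one from the original post; the efibootmgr output, its GUIDs and the /boot/efi mount point are constructed assumptions.

```python
import re
import subprocess

ESP_MOUNT = "/boot/efi"  # assumption: where Fedora mounts the ESP, as in the thread

# The blocking line from the original post (constructed copy for offline use).
FWUPD_LINE = ("Blocked executable in the ESP, ensure grub and shim are up to date: "
              "/boot/efi/EFI/fedora/shimx64-fedora.efi Authenticode checksum "
              "[0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx")

# Constructed sample of `efibootmgr -v` output; the partition GUID is made up.
EFIBOOTMGR_V = """\
BootCurrent: 0001
BootOrder: 0001,0000
Boot0000* UEFI OS\tHD(1,GPT,0f2e1d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,0x800,0x12c000)/File(\\EFI\\BOOT\\BOOTX64.EFI)
Boot0001* Fedora\tHD(1,GPT,0f2e1d3c-4b5a-6978-8a9b-0c1d2e3f4a5b,0x800,0x12c000)/File(\\EFI\\fedora\\shimx64.efi)
"""


def parse_blocked(line):
    """Return (esp_path, sha256_hex) from a fwupdmgr 'Blocked executable in the ESP' line."""
    m = re.search(r"ESP, .*?: (\S+\.efi) Authenticode checksum \[([0-9a-f]{64})\] is present in dbx", line)
    return (m.group(1), m.group(2)) if m else None


def boot_entry_files(efibootmgr_output, esp=ESP_MOUNT):
    """Map each BootXXXX entry to the ESP file it loads, e.g. /boot/efi/EFI/fedora/shimx64.efi."""
    entries = {}
    for line in efibootmgr_output.splitlines():
        m = re.match(r"(Boot[0-9A-Fa-f]{4})\*?\s+.*?(?:File\()?(\\[^)\s]+\.[eE][fF][iI])\)?", line)
        if m:
            entries[m.group(1)] = esp + m.group(2).replace("\\", "/")
    return entries


def classify(fwupd_line, efibootmgr_output):
    """Decide whether the dbx-blocked binary is live (a boot entry loads it) or a stale leftover."""
    path, digest = parse_blocked(fwupd_line)
    # FAT paths are case-insensitive, so compare case-folded.
    referrers = [b for b, f in boot_entry_files(efibootmgr_output).items() if f.lower() == path.lower()]
    action = "update-bootloader" if referrers else "stale-candidate-for-removal"
    return {"path": path, "dbx_hash": digest, "referenced_by": referrers, "action": action}


if __name__ == "__main__":
    live = subprocess.run(["efibootmgr", "-v"], capture_output=True, text=True, check=True).stdout
    print(classify(FWUPD_LINE, live))
```

A result of `stale-candidate-for-removal` means no firmware boot entry points at the blocked file, which is the condition the reply gives for removing it safely; `update-bootloader` means the file is still what the system boots from and must be updated, not deleted.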