Fwupdmgr fails in UEFI dbx update

Fwupdmgr wants to upgrade UEFI dbx from 77 to 217.
However, it always fails

Blocked executable in the ESP, ensure grub and shim are up to date:
/run/media/root/ESP/EFI/Boot/shimx64.efi Authenticode checksum [xxxxxxx] is present in dbx

My install is not customized in any way. All UEFI and boot are directly from EndeavourOS install. I do not have any dual boot.
I found many similar reports with other Linuxes as well, but no good solutions. Are there any?

Is that some leftover from a distro which supports Secure Boot? Ubuntu, Mint or others?

EnOS/Archlinux doesn't support Secure Boot and doesn't ship shimx64.efi.

See here for a fwupd wiki article on the same issue:

From the wiki post above:

General Solution

Even if this binary is unused, fwupd won’t have any means to understand user intent. So to continue applying the update, either update the binary to a newer version or remove the binary from the disk.

:warning:
Disclaimer:
I am just posting this as FYI. Please do your own research before making any modification to your system.

Fedora created that file on my PC. Leftover from distro hopping?

That’s my suspicion. It might have been left behind, if you have shared the same ESP between several distros.

I am not the original poster :joy:

I didn’t think so either.

:thought_balloon:

Possibly. I had Debian for some time before moving to Endeavour. Is this file safe to remove?

Yet another mystery. There is no path /run/media/root/ESP/EFI/Boot in my computer. Where should I look for this file?

In /boot/efi/EFI/boot.

I removed the file from /boot/efi/EFI/boot/ and then rebooted.
Still the same error even when the file does not exist. Should I compile or transform something now? I did not find any clear instructions. It still says

Blocked executable in the ESP, ensure grub and shim are up to date:
/run/media/root/ESP/EFI/Boot/shimx64.efi
Authenticode checksum [xxx] is present in dbx
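The path fwupd prints (/run/media/root/ESP rather than /boot/efi) suggests it is scanning a second, auto-mounted ESP, and the only way to tell which file carries the blocked signature is to compute the same Authenticode digest it uses. The script below is an added example, not code from this thread or from fwupd: it computes the Authenticode SHA-256 of every .efi file under the mount points you pass and reports the ones matching the checksum from the error; the mount points and the constructed sample image are assumptions.

```python
import hashlib
import struct
from pathlib import Path

def authenticode_sha256(data: bytes) -> str:
    """Authenticode PE hash: skips CheckSum, the certificate directory entry and the certificate table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe + 4, pe + 24
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    checksum_off = opt + 64
    certdir_off = opt + (112 if pe32plus else 96) + 4 * 8     # data directory entry 4 (security)
    cert_size = struct.unpack_from("<II", data, certdir_off)[1]
    headers_size = struct.unpack_from("<I", data, opt + 60)[0]
    h = hashlib.sha256(data[:checksum_off] + data[checksum_off + 4:certdir_off])
    h.update(data[certdir_off + 8:headers_size])
    sections = [struct.unpack_from("<II", data, opt + opt_size + i * 40 + 16)
                for i in range(nsect)]                        # (SizeOfRawData, PointerToRawData)
    hashed = headers_size
    for size, ptr in sorted(sections, key=lambda s: s[1]):    # sections in file order
        h.update(data[ptr:ptr + size])
        hashed += size
    if len(data) > hashed:                                    # overlay, minus the certificate table
        h.update(data[hashed:len(data) - cert_size])
    return h.hexdigest()

def find_in_esps(wanted: str, mounts) -> list:
    """Paths of .efi files under the given mounts (assumed, e.g. /boot/efi) with Authenticode SHA-256 == wanted."""
    hits = []
    for f in (p for m in mounts for p in Path(m).rglob("*.efi")):
        try:
            if authenticode_sha256(f.read_bytes()) == wanted.lower():
                hits.append(str(f))
        except (OSError, ValueError, struct.error):
            pass                                              # unreadable, or not a PE file at all
    return hits

def minimal_pe32plus() -> bytes:
    """Constructed sample (not a real bootloader): PE32+ header only, no sections, no certificate."""
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                      # PE32+ magic
    struct.pack_into("<I", opt, 60, 328)                       # SizeOfHeaders = whole file
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)                # CheckSum, must not affect the hash
    return dos + b"PE\0\0" + coff + bytes(opt)
```

Call `find_in_esps("<checksum from the error>", ["/boot/efi", "/run/media/root/ESP"])` with every vfat mount you have; whichever path comes back is the binary the dbx update is refusing on, and the wiki's advice (update it or remove it) then applies to that file rather than to a guessed one.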

I have actually no more ideas than what I read on the wiki page I posted before.

Unless there are other users on the forum with the same issue or otherwise know how to resolve it, I guess your best bet would be to post on fwupd’s Github page.

By the way, how are you running fwupdmgr? The exact command and the full output in the terminal might tell someone something.

I wonder also how relevant this is actually for a system which is not supporting Secure Boot.

You might also want to have a look at:

https://wiki.archlinux.org/title/Fwupd


Sorry, I made too many mistakes in my earlier post. I'll try again.

[root@maximus ~]# fwupdmgr refresh --force
Updating lvfs-testing
Downloading…             [     \                                 ]Updating lvfs
Downloading…             [***************************************]
Downloading…             [***************************************]
Downloading…             [***************************************]
Successfully downloaded new metadata: 2 local devices supported
[root@maximus ~]# fwupdmgr update
Devices with no available firmware updates: 
 • PC611 NVMe SK hynix 512GB
 • Thunderbolt host controller
 • 0000:00:1f.5
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: Y
Downloading…             [***************************************]
Downloading…             [***************************************]
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Decompressing…           [                                       ]
Blocked executable in the ESP, ensure grub and shim are up to date:
/run/media/root/ESP/EFI/Boot/shimx64.efi
Authenticode checksum [xxx] is present in dbx
[root@maximus ~]# 


After all, it looks that it all has to do with what Microsoft will decide is a “legitimate” bootloader for its Secure Boot deployment.

If you say no to updating the database, will the whole process abort then?

:warning: Updating the firmware might at times be a tricky business, so you should do some research and take responsibility for what you do to your system.

You could post the specifics of your motherboard, perhaps there would be other alternatives for updating the UEFI firmware:

inxi -MC

If the firmware update is done by a .exe file you could use something like:

https://www.hirensbootcd.org/

That is how I update the firmware for a Lenovo laptop.

I have never used fwupdmgr. Most modern UEFI motherboards allow you to update directly from the UEFI screen either via network or download the file and install from usb.

Edit: I normally download the new file to a usb and then boot into UEFI and run the update from there.

Edit2: As you say it can be done from Windows or a compatible Windows boot disc. Lenovo usually comes with software on their Windows laptops that also takes care of updating the UEFI/BIOS.

I have used both methods (fwupd and file on usb) for updating UEFI firmware on a XPS13 laptop. Both methods work fine on that machine.

I tried the fwupdate on my current MSI board to see what it showed but I just got errors. My board is up to date but I wanted to see what it showed.

Edit: I’m also not familiar with this tool so I may not be using it correctly either? :man_shrugging:

Did you check if that board is supported by fwupd?

No … so maybe it’s not.

Supported devices are listed here and more are to come.
From: https://wiki.archlinux.org/title/Fwupd

Doesn’t look like it. I don’t see any MSI listed.