Fwupdmgr wants to upgrade UEFI dbx from 77 to 217.
However, it always fails:
Blocked executable in the ESP, ensure grub and shim are up to date:
/run/media/root/ESP/EFI/Boot/shimx64.efi Authenticode checksum [xxxxxxx] is present in dbx
My install is not customized in any way. All UEFI and boot are directly from EndeavourOS install. I do not have any dual boot.
I found many similar reports with other Linuxes as well, but no good solutions. Are there any?
Is that some leftover from a distro which supports Secure Boot? Ubuntu, Mint or others?
EnOS/Archlinux doesn't support Secure Boot and doesn't ship shimx64.efi.
See here for a fwupd wiki article on the same issue:
From the wiki post above:
General Solution
Even if this binary is unused, fwupd won't have any means to understand user intent. So to continue applying the update, either update the binary to a newer version or remove the binary from the disk.
Disclaimer:
I am just posting this as FYI. Please do your own research before making any modification to your system.
I removed the file from /boot/efi/EFI/boot/ and then rebooted.
Still the same error even when the file does not exist. Should I compile or transform something now? I did not find any clear instructions. It still says
Blocked executable in the ESP, ensure grub and shim are up to date:
/run/media/root/ESP/EFI/Boot/shimx64.efi
Authenticode checksum [xxx] is present in dbx
I have actually no more ideas than what I read on the wiki page I posted before.
Unless there are other users on the forum with the same issue or otherwise know how to resolve it, I guess your best bet would be to post on fwupd's GitHub page.
By the way, how are you running fwupdmgr? The exact command and the full output in the terminal might tell someone something.
I wonder also how relevant this is actually for a system which is not supporting Secure Boot.
Sorry, I made too many mistakes in my earlier post. I'll try again.
[root@maximus ~]# fwupdmgr refresh --force
Updating lvfs-testing
Downloading… [ \ ]Updating lvfs
Downloading… [***************************************]
Downloading… [***************************************]
Downloading… [***************************************]
Successfully downloaded new metadata: 2 local devices supported
[root@maximus ~]# fwupdmgr update
Devices with no available firmware updates:
 • PC611 NVMe SK hynix 512GB
 • Thunderbolt host controller
 • 0000:00:1f.5
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: Y
Downloading… [***************************************]
Downloading… [***************************************]
Decompressing… [***************************************]
Authenticating… [***************************************]
Decompressing… [ ]
Blocked executable in the ESP, ensure grub and shim are up to date:
/run/media/root/ESP/EFI/Boot/shimx64.efi
Authenticode checksum [xxx] is present in dbx
[root@maximus ~]#
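The path in the error above (/run/media/root/ESP/EFI/Boot/shimx64.efi) is not the path the file was removed from (/boot/efi/EFI/boot/). As an added example, not part of any post in this thread and not fwupd's own code, the shell functions below list every mounted FAT filesystem and the shim and grub binaries found on each, so every copy can be located. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: locate shim/grub EFI binaries on every mounted FAT
# filesystem. Function names are hypothetical, not part of fwupd.

# Print the mount point of each vfat filesystem listed in a
# /proc/mounts-style file. That format writes a space in a path as \040.
vfat_mounts() {
    awk '$3 == "vfat" { gsub(/\\040/, " ", $2); print $2 }' "${1:-/proc/mounts}"
}

# Case-insensitive search under each given root. FAT ignores case, so
# EFI/Boot, EFI/boot and EFI/BOOT all name the same directory.
find_boot_binaries() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f \
            \( -iname 'shim*.efi' -o -iname 'grub*.efi' \) 2>/dev/null
    done
}

# For every FAT mount, print "<sha256>  <path>" for each binary found.
# This is a plain file hash for spotting identical copies; it is not the
# Authenticode checksum that fwupd compares against dbx.
scan_esps() {
    vfat_mounts "$1" | while IFS= read -r mnt; do
        find_boot_binaries "$mnt" | while IFS= read -r f; do
            printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
        done
    done
}

# Scan the live mount table (or the file given as the first argument).
scan_esps "${1:-/proc/mounts}"
```

Only mounted filesystems are scanned, so the filesystem behind /run/media/root/ESP has to be mounted when this runs.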
I have never used fwupdmgr. Most modern UEFI motherboards allow you to update directly from the UEFI screen either via network or download the file and install from usb.
Edit: I normally download the new file to a usb and then boot into UEFI and run the update from there.
Edit2: As you say it can be done from Windows or a compatible Windows boot disc. Lenovo usually comes with software on their Windows laptops that also takes care of updating the UEFI/BIOS.