UEFI dbx update on Arch

Messing around with Arch KDE Plasma and Wayland. I notice this update that is UEFI dbx from Microsoft? The package is not in the repo and I’m not sure where it’s coming from. Not sure exactly what it is but it looks like some kind of database file? I’m hesitant to install it. Wondering if anyone has seen this on EndeavourOS? Arch has Discover included in the install and that is where I am seeing the update. If I run an update in the terminal there is nothing. Hmm? Strange?

Any thoughts?

No idea what it is or why, but since it’s M$ proprietary garbage…

It’s weird! Where did it come from?

Edit: If you click on website it sends you here.

https://uefi.org/revocationlistfile

The UEFI dbx is coming through fwupd (https://archlinux.org/packages/community/x86_64/fwupd/). Discover and GNOME-Software also check for firmware updates using it.

The firmwares and related files are usually hosted on the LVFS (https://fwupd.org/).

If you run

sudo fwupdmgr get-updates

it will most likely show up too and you can do the update via the command line.

I have installed it on different distros and different mainboards without any issues. It is just a signature database for secure boot after all.

One thing to note is if you update your UEFI it might include an older database and the newer one will be overwritten and you will have to do the update again.

If you don’t use secure boot you can just ignore it.

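What a "signature database" looks like on disk, as an added example that is not part of the original posts: a Python parser for the UEFI EFI_SIGNATURE_LIST layout that lists the SHA-256 hashes a dbx would revoke. The sample data, owner GUID and function names are constructed for illustration; the input is assumed to be raw signature-list data, without the authentication header that a signed update file carries in front of it.

```python
import hashlib
import struct
import uuid

# Signature type GUID for SHA-256 hash entries (EFI_CERT_SHA256_GUID, UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
ESL_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for each entry in concatenated lists."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < ESL_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(blob, offset)
        body_start = offset + ESL_HEADER.size + hdr_size
        end = offset + list_size
        # Reject sizes that run past the buffer or cannot hold an owner GUID plus data.
        if list_size < ESL_HEADER.size + hdr_size or end > len(blob) or sig_size <= 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (end - body_start) % sig_size:
            raise ValueError("list body is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(body_start, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        offset = end


def revoked_sha256(blob):
    """Return the hex SHA-256 digests listed in the parsed signature lists."""
    return [data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256_GUID]


# Constructed sample: one list with two made-up revoked hashes (not real dbx data).
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # placeholder owner GUID
HASHES = [hashlib.sha256(b"constructed-bootloader-%d" % i).digest() for i in range(2)]
ENTRIES = b"".join(OWNER.bytes_le + h for h in HASHES)
SAMPLE = ESL_HEADER.pack(EFI_CERT_SHA256_GUID.bytes_le,
                         ESL_HEADER.size + len(ENTRIES), 0, 48) + ENTRIES

if __name__ == "__main__":
    for digest in revoked_sha256(SAMPLE):
        print("revoked:", digest)
```
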
I downloaded it from the site and it’s a bin file? I’m not sure if I installed it what it’s going to do? Mess up my installed UEFI version?

I just updated my UEFI Firmware (BIOS) to the beta version that has new AMD AGESA 1.2.0.8. No issues waiting for the final release. I have never ever used fwupdmgr on Linux. I always update my UEFI by downloading it and then boot into UEFI to update it. I don’t trust this because MSI should already take care of this in their UEFI updates. Thanks for the explanation but I think I’m going to pass on it.

Edit: I don’t use secure boot even on Windows.

Not sure if it is this: https://github.com/rhboot/dbxtool

But if it is, then they recommend fwupd instead.

I’m just not sure how it would affect my UEFI?

Edit: Also why are they using this if it’s been replaced.

dbxtool has been replaced by fwupd; we recommend using that instead.

It won’t. It will just update the signature database, nothing else.

It hasn’t been updated in 3 years… so looks abandoned.

Where though?

This is why I’m finding it a bit strange?

Edit: Why would it only show up on Discover and not in pacman?

It shows in pacman…
pacman -Si dbxtool

But not if I run an update though?

Because pacman doesn’t invoke fwupd, it’s a separate application. Discover bundles updates for native packages, flatpak, snap, fwupd, etc. Most of it is done through packagekit.

And the dbx should be saved in the dedicated storage area in the UEFI that also holds the secure boot keys etc.

Also forget about dbxtool. fwupd is THE application to handle updating device firmware on Linux (if the vendors support it and add their stuff to LVFS).

In theory you can even extract the UEFI capsule files from some Windows installers (e.g. for some Lenovo notebooks) and then use those files to update your entire UEFI right from the Linux command line (if you feel like going on an adventure).

Yes, I understand that it’s all part and parcel of secure boot and TPM but I still am not sure that I want to run it on my board. Secure boot is off anyway.

Edit: It’s just odd seeing this for the first time. I’m just messing around installing Arch with KDE. I’m still not sold on Wayland so I keep trying things.

That is because only Discover / GNOME software also check firmware (actual firmware flashed to a device) / firmware related updates by default and not just packages. Package managers usually don’t.

But this update has been around for months and would have shown up already if you had checked using fwupd manually.

And as I wrote before: If you don’t use secure boot you can just ignore it.

I have applied it to several ASUS desktop mainboards and 4 different Lenovo notebooks when I was running Fedora (which supports secure boot) in the past and there were no issues.

Also you already have a version of the dbx inside your UEFI, just an older one.

I’ve been doing it my way for my entire life and have never had any problems updating firmware so I stick with what I’m familiar with and what works. I’m sure it’s fine but to me it’s odd that a brand new update from the Motherboard manufacturer wouldn’t already have this.