
Re: Secure Boot dbx Configuration Update



On Sun, 2022-09-25 at 13:05 -0700, Ansgar wrote:
> On Sun, 2022-09-25 at 11:17 -0700, John Darrah wrote:
> > I'm tracking testing and with my most recent update I started getting
> > the nag to update the Secure Boot dbx. When I click the graphical
> > 'update' button it appears to update something, but the update button
> > remains as if nothing changed.
> 
> Some firmware updates, including DBX updates, are distributed via a
> different service than apt: fwupd.  The fwupdmgr program provides a
> command-line interface; the most helpful commands are probably
> "fwupdmgr get-updates" (get list of updates, i.e., equivalent to "apt
> update"), "fwupdmgr update" (install updates) and
> "fwupdmgr get-history" (history of installed firmware updates).
> 
> The system logs might also show what the graphical update tries to
> install or why it might fail.
> 
> > I'm posting here because I don't know if this is a bug or what
> > facility I would even file a bug report against.
> 
> If the graphical interface (which one?) doesn't manage to successfully
> install the update or still offers the update even though it was
> installed, then that is probably a bug.
> 
> Ansgar
> 

The graphical interface is the GNOME Software facility, FYI.

Per your suggestion I looked at fwupdmgr get-history and see the
following:

Update Error: Blocked executable in the ESP, ensure grub and shim are
up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum
[2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is
present in dbx

The kernel reports that Secure Boot is disabled, btw. I guess I'm now
wondering if it will update if I'm not using Secure Boot. If this is the
case, maybe it should check if Secure Boot is enabled before offering
the update.

Thanks

-- john
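
The "Authenticode checksum ... is present in dbx" error above can be checked by hand. This is an added example, not part of the messages and not fwupd's code: it computes the SHA-256 Authenticode digest of a PE image and compares it with the checksum from the error. The function names and the sample image are constructed here, and the digest is the simplified variant that assumes sections are contiguous in file order, the certificate table sits at the end of the file, and no 8-byte padding is needed.

```python
import hashlib
import struct
import sys

# Checksum quoted in the fwupd error message above.
REPORTED = "2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788"

def authenticode_sha256(image: bytes) -> str:
    """SHA-256 over a PE image, skipping the fields Authenticode excludes."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE/COFF image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                      # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                # CheckSum, 4 bytes
    certdir = opt + (128 if magic == 0x10B else 144)   # data directory 4, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", image, certdir)
    end = cert_off if cert_len else len(image)         # signatures are not hashed
    h = hashlib.sha256()
    for chunk in (image[:checksum], image[checksum + 4:certdir],
                  image[certdir + 8:end], image[end + cert_len:]):
        h.update(chunk)
    return h.hexdigest()

def constructed_image(signature: bytes = b"") -> bytes:
    """Constructed PE32+ header plus filler; sample input, not a real loader."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x20B)
    buf[0x180:0x200] = b"\xAA" * 0x80                  # stand-in for section data
    if signature:                                      # certificate table at EOF
        struct.pack_into("<II", buf, 0x80 + 24 + 144, len(buf), len(signature))
    return bytes(buf) + signature

def matches_reported(image: bytes) -> bool:
    """True if the digest equals the checksum fwupd reported."""
    return authenticode_sha256(image) == REPORTED

if __name__ == "__main__":
    # Pass e.g. /boot/efi/EFI/BOOT/BOOTX64.EFI; falls back to the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_image()
    print(authenticode_sha256(data), "MATCH" if matches_reported(data) else "no match")
```

Because the checksum field and the signature are excluded, the digest differs from a plain `sha256sum` of the file and stays the same when the binary is re-signed.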


