Re: Secure Boot dbx Configuration Update

On Sun, 2022-09-25 at 13:05 -0700, Ansgar wrote:
> On Sun, 2022-09-25 at 11:17 -0700, John Darrah wrote:
> > I'm tracking testing and with my most recent update I started getting
> > the nag to update the Secure Boot dbx. When I click the graphical
> > 'update' button it appears to update something, but the update button
> > remains as if nothing changed.
> Some firmware updates, including DBX updates, are distributed via a
> different service than apt: fwupd.  The fwupdmgr program provides a
> command-line interface; the most helpful commands are probably
> "fwupdmgr get-updates" (get list of updates, i.e., equivalent to "apt
> update"), "fwupdmgr update" (install updates) and "fwupdmgr
> get-history" (history of installed firmware updates).
> The system logs might also show what the graphical update tries to
> install or why it might fail.
> > I'm posting here because I don't know if this is a bug or what
> > facility I would even file a bug report against.
> If the graphical interface (which one?) doesn't manage to successfully
> install the update or still offers the update even though it was
> installed, then that is probably a bug.
> Ansgar

The graphical interface is the GNOME Software facility, FYI.

Per your suggestion I looked at fwupdmgr get-history and see the

Update Error: Blocked executable in the ESP, ensure grub and shim are
up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum
[2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is
present in dbx

The kernel reports that Secure Boot is disabled, btw. I guess I'm now
wondering if it will update if I'm not using Secure Boot. If this is the
case, maybe it should check if Secure Boot is enabled before offering
the update.


-- john
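
The fwupd error quoted above refers to the Authenticode checksum of /boot/efi/EFI/BOOT/BOOTX64.EFI. The following Python is an added example, not part of the original message and not fwupd's own code: it recomputes the SHA-256 Authenticode digest of a PE/COFF file so the ESP binary can be re-checked against the reported value after grub and shim are updated. It assumes a well-formed image whose optional header has a certificate table directory entry; the function and constant names are illustrative.

```python
import hashlib
import struct
import sys

# Checksum quoted in the fwupd error message in this thread.
REPORTED_DBX_HASH = "2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788"

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE/COFF image, as hex."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", pe, pe_off + 20)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)  # data directory array
    if struct.unpack_from("<I", pe, dirs - 4)[0] < 5:
        raise ValueError("no certificate table directory entry")
    checksum = opt + 64       # CheckSum field, excluded from the digest
    cert_dir = dirs + 4 * 8   # certificate table entry, also excluded
    (hdr_size,) = struct.unpack_from("<I", pe, opt + 60)  # SizeOfHeaders
    (cert_size,) = struct.unpack_from("<I", pe, cert_dir + 4)

    h = hashlib.sha256()
    h.update(pe[:checksum])
    h.update(pe[checksum + 4:cert_dir])
    h.update(pe[cert_dir + 8:hdr_size])
    sections = []
    for i in range(n_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, opt + opt_size + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    hashed = hdr_size
    for raw_ptr, raw_size in sorted(sections):  # sections in file order
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Trailing data after the sections, minus the attached signature blob.
    h.update(pe[hashed:len(pe) - cert_size])
    return h.hexdigest()


if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1], "rb") as f:
        digest = authenticode_sha256(f.read())
    print(digest, "MATCHES reported dbx entry" if digest == REPORTED_DBX_HASH else "differs")
```

Run it with the path of the EFI binary as the only argument. Because the CheckSum field and the attached signature are excluded from the digest, the result depends only on the image contents.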

