Text only | Text with Images

Cobra Forum

Linux Specialised Support => Security => Topic started by: kalpana on Nov 04, 2023, 03:17 AM

Title: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty
Post by: kalpana on Nov 04, 2023, 03:17 AM
Hello. I hope everyone is healthy and safe.

Newby trying to resolve repeated message: Upgrade UEFI dbx from 77 to 217? when running: fwupdmgr update. Any help much appreciated.

Dual boot windows/ubuntu

Code:
Code Select
lsb_release -a
No LSB modules are available.
Distributor ID:    Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:    22.04
Codename:    jammy

root@xxxxx:/boot/efi/EFI# ls -la
total 16
drwx------ 4 root root 4096 Jan 13  2022 .
drwx------ 4 root root 4096 Dec 31  1969 ..
drwx------ 2 root root 4096 Jan 13  2022 BOOT
drwx------ 2 root root 4096 Jan 13  2022 ubuntu


root@xxxxx:/boot/efi/EFI/BOOT# sudo ls -lah /boot/efi/EFI/Boot/
total 1.9M
drwx------ 2 root root 4.0K Jan 13  2022 .
drwx------ 4 root root 4.0K Jan 13  2022 ..
-rwx------ 1 root root 934K Feb  1 08:57 BOOTX64.EFI
-rwx------ 1 root root  84K Feb  1 08:57 fbx64.efi
-rwx------ 1 root root 837K Feb  1 08:57 mmx64.efi


root@xxxxxx:/boot/efi/EFI/ubuntu# ls -la
total 4328
drwx------ 2 root root    4096 Jan 13  2022 .
drwx------ 4 root root    4096 Jan 13  2022 ..
-rwx------ 1 root root     108 Feb  1 08:57 BOOTX64.CSV
-rwx------ 1 root root     121 Feb  1 08:57 grub.cfg
-rwx------ 1 root root 2594696 Feb  1 08:57 grubx64.efi
-rwx------ 1 root root  856232 Feb  1 08:57 mmx64.efi
-rwx------ 1 root root  955656 Feb  1 08:57 shimx64.efi

NOTE: the following files with old timestamps (Jul 13  2021) exist:

root@xxxxxxxx:/snap/core/14447/usr/lib/systemd/boot/efi# locate systemd-bootx64.efi
/snap/core/14447/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/snap/core/14784/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/snap/core18/2679/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/snap/core18/2697/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/snap/core20/1778/usr/lib/systemd/boot/efi/systemd-bootx64.efi
/snap/core20/1822/usr/lib/systemd/boot/efi/systemd-bootx64.efi


efibootmgr -v


BootCurrent: 0006
Timeout: 1 seconds
BootOrder: 0006,0000,0007
Boot0000* Windows Boot Manager    HD(1,GPT,xxxxxxxxxxxxxxxxxxxx)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-xxxxxxxxxxxxxxxxxxx.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
Boot0006* ubuntu    HD(1,GPT,xxxxxxxxxxxxxxxxxx)/File(\EFI\UBUNTU\SHIMX64.EFI)
Boot0007* ubuntu    HD(1,GPT,xxxxxxxxxxxxxxxxxxxx)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO


Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating. 


Blocked executable in the ESP, ensure grub and shim are up to date: /media/root/SYSTEM/EFI/Boot/bootx64.efi Authenticode checksum [xxxxxxxxxxxxxxxxxxx] is present in dbx

root@xxxxx:~# /usr/bin/fwupdtool esp-list --verbose
15:18:43:0060 FuDebug              Verbose debugging enabled (on console 1)
15:18:43:0135 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb3, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: ntfs
15:18:43:0138 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb2, type: xxxxxxxxxxxxxxxxxx, internal: 1, fs:
15:18:43:0160 FuCommon             device /org/freedesktop/UDisks2/block_devices/sda3, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: crypto_LUKS
15:18:43:0174 FuCommon             device /org/freedesktop/UDisks2/block_devices/sda2, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: ext4
15:18:43:0179 FuCommon             device /org/freedesktop/UDisks2/block_devices/sda1, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: vfat
15:18:43:0184 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb1, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: vfat
15:18:43:0188 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb5, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: ntfs


Choose a volume:
0.    Cancel
1.    /org/freedesktop/UDisks2/block_devices/sda1
2.    /org/freedesktop/UDisks2/block_devices/sdb1

Please enter a number from 0 to 2: 1
/boot/efi/EFI/ubuntu/grubx64.efi
/boot/efi/EFI/ubuntu/shimx64.efi
/boot/efi/EFI/ubuntu/mmx64.efi
/boot/efi/EFI/ubuntu/BOOTX64.CSV
/boot/efi/EFI/ubuntu/grub.cfg
/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/fbx64.efi
/boot/efi/EFI/BOOT/mmx64.efi
Text only | Text with Images