Re: UEFI Upgrade Fails

Sat, 08 Apr 2023 20:03:58 -0700 

On 4/8/23 19:09, Jonathan Ryshpan wrote:

On Sat, 2023-04-08 at 21:32 -0400, Jeffrey Walton wrote:
On Sat, Apr 8, 2023 at 9:08 PM Jonathan Ryshpan <jonr...@pacbell.net <mailto:jonr...@pacbell.net>> wrote: 


Discover, which I use for upgrades, reports problems with UEFI. There 
is an update, which Discover refuses to install. Discover reports 
this message:


UEFI DBX : Version 217 : Released on 4/8/23

UEFI Secure Boot Forbidden Signature Database


Insecure versions of software from Trend Micro, vmware, CPSD, 
Eurosoft, and New Horizon Datasys Inc were added to the list of 
forbidden signatures due to discovered security problems. This 
updates the dbx to the latest release from Microsoft.
Before installing the update, fwupd will check for any affected 
executables in the ESP and will refuse to update if it finds any boot 
binaries signed with any of the forbidden signatures.

...


It looks like there is a new version of the UEFI boot system, which 
can't be installed because of signature issues. Is this correct? Is 
it anything to worry about? Can anything be done to fix the issue? Is 
the issue likely to be fixed upstream?


I don't use Discover. I use fwupdmgr directly. I have not seen
fwupdmgr refuse to update a component (sans no UEFI). Here's the
relevant piece of the script I run daily:

if command -v fwupdmgr >/dev/null 2>&1 ; then
    if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
        echo "Updating firmware"
        fwupdmgr refresh --force 1>/dev/null && \
            fwupdmgr update 1>/dev/null
    fi
fi

I also noticed the db was updated today.



Very interesting. After running by hand the parts of your script that 
test whether an update is necessary (It is.), I ran the actual update 
and got the following output. As you see, I replied "n"; would it be 
dangerous to try "Y"?



That sounds quite safe.  Do you even use any software from those 
companies?  (Things that boot directly.)



BTW: I've been seeing the error message for about a week.


What error message?
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue






















					Reply via email to