• Secure Boot dbx Configuration Update

    From John Darrah@21:1/5 to All on Sun Sep 25 20:30:01 2022
    Hello,

    I'm tracking testing and with my most recent update I started getting
    the nag to update the Secure Boot dbx. When I click the graphical
    'update' button it appears to update something, but the update button
    remains as if nothing changed.

    I normally update my system by logging out of the graphical session and
    using a virtual console with the command line. Checking from the
    command line, there doesn't seem to be any requirement to update
    anything, so I'm a little confused.

    I'm posting here because I don't know if this is a bug or what facility
    I would even file a bug report against.

    Any comment or clue on this would be helpful.

    Thanks.

    -- john

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ansgar@21:1/5 to John Darrah on Sun Sep 25 22:10:01 2022
    On Sun, 2022-09-25 at 11:17 -0700, John Darrah wrote:
    I'm tracking testing and with my most recent update I started getting
    the nag to update the Secure Boot dbx. When I click the graphical
    'update' button it appears to update something, but the update button
    remains as if nothing changed.

    Some firmware updates, including DBX updates, are distributed via a
    different service than apt: fwupd. The fwupdmgr program provides a
    command-line interface; the most helpful commands are probably
    "fwupdmgr get-updates" (get list of updates, i.e., equivalent to "apt
    update"), "fwupdmgr update" (install updates) and "fwupdmgr
    get-history" (history of installed firmware updates).

    The system logs might also show what the graphical update tries to
    install or why it might fail.

    I'm posting here because I don't know if this is a bug or what
    facility I would even file a bug report against.

    If the graphical interface (which one?) doesn't manage to successfully
    install the update or still offers the update even though it was
    installed, then that is probably a bug.

    Ansgar

  • From LeJacq, Jean Pierre@21:1/5 to John Darrah on Sun Sep 25 20:40:17 2022
    To: debian-devel@lists.debian.org
    Copy: ansgar@43-1.org (Ansgar)

    On Sunday, September 25, 2022 4:03:50 PM EDT Ansgar wrote:
    On Sun, 2022-09-25 at 11:17 -0700, John Darrah wrote:
    I'm tracking testing and with my most recent update I started getting
    the nag to update the Secure Boot dbx. When I click the graphical
    'update' button it appears to update something, but the update button remains as if nothing changed.

    Some firmware updates, including DBX updates, are distributed via a
    different service than apt: fwupd. The fwupdmgr program provides a
    command-line interface; the most helpful commands are probably
    "fwupdmgr get-updates" (get list of updates, i.e., equivalent to "apt
    update"), "fwupdmgr update" (install updates) and "fwupdmgr
    get-history" (history of installed firmware updates).

    I follow exactly this process and get the following error. This started occurring about a week ago.

    Upgrade available for UEFI dbx from 77 to 217
    UEFI dbx and all connected devices may not be usable while updating. Continue with update? [Y|n]: Y
    Downloading… [***************************************]
    Decompressing… [***************************************]
    Authenticating… [***************************************]
    Authenticating… [***************************************]
    Updating UEFI dbx… [***************************************]
    Verifying… [***************************************]
    Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/shimx64.efi Authenticode checksum [af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee767] is present in dbx

    I believe the error is due to the following bug reported in the upstream bug system.

    https://github.com/fwupd/fwupd/issues/5035

    This particular bug doesn't appear in the Debian bugs for the package fwupd. I'm also running stable which has a terribly outdated version of fwupd. I'm on a Lenovo Thinkpad X1. I need to investigate a bit more before filing a bug report.

    --
    JP

  • From John Darrah@21:1/5 to Ansgar on Mon Sep 26 03:30:01 2022
    On Sun, 2022-09-25 at 13:05 -0700, Ansgar wrote:
    On Sun, 2022-09-25 at 11:17 -0700, John Darrah wrote:
    I'm tracking testing and with my most recent update I started getting
    the nag to update the Secure Boot dbx. When I click the graphical
    'update' button it appears to update something, but the update button
    remains as if nothing changed.

    Some firmware updates, including DBX updates, are distributed via a
    different service than apt: fwupd. The fwupdmgr program provides a
    command-line interface; the most helpful commands are probably
    "fwupdmgr get-updates" (get list of updates, i.e., equivalent to "apt
    update"), "fwupdmgr update" (install updates) and "fwupdmgr
    get-history" (history of installed firmware updates).

    The system logs might also show what the graphical update tries to
    install or why it might fail.

    I'm posting here because I don't know if this is a bug or what
    facility I would even file a bug report against.

    If the graphical interface (which one?) doesn't manage to successfully
    install the update or still offers the update even though it was
    installed, then that is probably a bug.

    Ansgar


    The graphical interface is the Gnome Software facility, fyi.

    Per your suggestion I looked at fwupdmgr get-history and see the
    following:

    Update Error: Blocked executable in the ESP, ensure grub and shim are
    up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is
    present in dbx

    The kernel reports the secure boot is disabled, btw. I guess I'm now
    wondering if it will update if I'm not using secureboot. If this is the
    case, maybe it should check if secureboot is enabled before offering
    the update.

    Thanks

    -- john

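The two checks that come up in this thread, as an added shell example that is not part of any poster's message or of fwupd itself: pulling the blocked ESP binary and its hash out of the fwupd error, and reading the firmware's Secure Boot state from efivarfs. The function names are hypothetical; the efivarfs path and its 4-byte attribute prefix are the standard Linux layout, and the sample message is the one quoted in the thread.

```shell
#!/bin/sh
# Added example: triage fwupd's "Blocked executable in the ESP" error.
# Function names are hypothetical; the sample message is copied from the thread.

# efivarfs file for the UEFI SecureBoot variable (EFI global variable GUID).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Print enabled/disabled/unknown. efivarfs puts 4 attribute bytes before the
# payload, so the one-byte SecureBoot value is the fifth byte of the file.
secure_boot_state() {
    var=${1:-$SB_VAR}
    [ -r "$var" ] || { echo unknown; return 0; }
    case $(od -An -tu1 -j4 -N1 "$var" | tr -d ' \n') in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Read one fwupd error message on stdin (possibly wrapped by a mail client)
# and print "<path> <sha256>". The digest is an Authenticode hash of the PE
# image, so it will not match the output of sha256sum on the same file.
parse_blocked() {
    tr -s '\n' ' ' | sed -n \
        's|.*up to date: \(/[^ ]*\) Authenticode checksum \[\([0-9a-f]\{64\}\)].*|\1 \2|p'
}

# Combine both: which binary is blocked, and is Secure Boot enforcing at all?
triage() {
    hit=$(parse_blocked)
    [ -n "$hit" ] || { echo "no blocked-executable error on stdin"; return 1; }
    echo "blocked=${hit% *} authenticode_sha256=${hit#* }" \
         "secure_boot=$(secure_boot_state "$1")"
}

# Demo on the message quoted above from "fwupdmgr get-history".
triage <<'EOF'
Update Error: Blocked executable in the ESP, ensure grub and shim are
up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is
present in dbx
EOF
```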