
Thread: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

  1. #1
    Join Date
    Jul 2016
    Beans
    42

    22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    Hello. I hope everyone is healthy and safe.

    Newbie trying to resolve a repeated message: "Upgrade UEFI dbx from 77 to 217?" when running: fwupdmgr update. Any help much appreciated.

    Dual boot windows/ubuntu

    Code:
    lsb_release -a
    No LSB modules are available.
    Distributor ID:    Ubuntu
    Description:    Ubuntu 22.04.2 LTS
    Release:    22.04
    Codename:    jammy
    
    root@xxxxx:/boot/efi/EFI# ls -la
    total 16
    drwx------ 4 root root 4096 Jan 13  2022 .
    drwx------ 4 root root 4096 Dec 31  1969 ..
    drwx------ 2 root root 4096 Jan 13  2022 BOOT
    drwx------ 2 root root 4096 Jan 13  2022 ubuntu
    
    
    root@xxxxx:/boot/efi/EFI/BOOT# sudo ls -lah /boot/efi/EFI/Boot/
    total 1.9M
    drwx------ 2 root root 4.0K Jan 13  2022 .
    drwx------ 4 root root 4.0K Jan 13  2022 ..
    -rwx------ 1 root root 934K Feb  1 08:57 BOOTX64.EFI
    -rwx------ 1 root root  84K Feb  1 08:57 fbx64.efi
    -rwx------ 1 root root 837K Feb  1 08:57 mmx64.efi
    
    
    root@xxxxxx:/boot/efi/EFI/ubuntu# ls -la
    total 4328
    drwx------ 2 root root    4096 Jan 13  2022 .
    drwx------ 4 root root    4096 Jan 13  2022 ..
    -rwx------ 1 root root     108 Feb  1 08:57 BOOTX64.CSV
    -rwx------ 1 root root     121 Feb  1 08:57 grub.cfg
    -rwx------ 1 root root 2594696 Feb  1 08:57 grubx64.efi
    -rwx------ 1 root root  856232 Feb  1 08:57 mmx64.efi
    -rwx------ 1 root root  955656 Feb  1 08:57 shimx64.efi
    
    NOTE: the following files with old timestamps (Jul 13  2021) exist:
    
    root@xxxxxxxx:/snap/core/14447/usr/lib/systemd/boot/efi# locate systemd-bootx64.efi
    /snap/core/14447/usr/lib/systemd/boot/efi/systemd-bootx64.efi
    /snap/core/14784/usr/lib/systemd/boot/efi/systemd-bootx64.efi
    /snap/core18/2679/usr/lib/systemd/boot/efi/systemd-bootx64.efi
    /snap/core18/2697/usr/lib/systemd/boot/efi/systemd-bootx64.efi
    /snap/core20/1778/usr/lib/systemd/boot/efi/systemd-bootx64.efi
    /snap/core20/1822/usr/lib/systemd/boot/efi/systemd-bootx64.efi
    
    
    efibootmgr -v
    
    
    BootCurrent: 0006
    Timeout: 1 seconds
    BootOrder: 0006,0000,0007
    Boot0000* Windows Boot Manager    HD(1,GPT,xxxxxxxxxxxxxxxxxxxx)/File(\EFI\MICROSOFT\BOOT\BOOTMGFW.EFI)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-xxxxxxxxxxxxxxxxxxx.-.f.3.2.b.3.4.4.d.4.7.9.5.}....................
    Boot0006* ubuntu    HD(1,GPT,xxxxxxxxxxxxxxxxxx)/File(\EFI\UBUNTU\SHIMX64.EFI)
    Boot0007* ubuntu    HD(1,GPT,xxxxxxxxxxxxxxxxxxxx)/File(\EFI\UBUNTU\SHIMX64.EFI)..BO
    
    
    Upgrade UEFI dbx from 77 to 217?                                             ║
    ╠══════════════════════════════════════════════════════════════════════════════╣
    ║ This updates the dbx to the latest release from Microsoft which adds         ║
    ║ insecure versions of grub and shim to the list of forbidden signatures due   ║
    ║ to multiple discovered security updates.                                     ║
    ║                                                                              ║
    ║ Before installing the update, fwupd will check for any affected executables  ║
    ║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
    ║ with any of the forbidden signatures.If the installation fails, you will     ║
    ║ need to update shim and grub packages before the update can be deployed.     ║
    ║                                                                              ║
    ║ Once you have installed this dbx update, any DVD or USB installer images     ║
    ║ signed with the old signatures may not work correctly.You may have to        ║
    ║ temporarily turn off secure boot when using recovery or installation media,  ║
    ║ if new images have not been made available by your distribution.             ║
    ║                                                                              ║
    ║ UEFI dbx and all connected devices may not be usable while updating.  
    
    
    Blocked executable in the ESP, ensure grub and shim are up to date: /media/root/SYSTEM/EFI/Boot/bootx64.efi Authenticode checksum [xxxxxxxxxxxxxxxxxxx] is present in dbx
    
    root@xxxxx:~# /usr/bin/fwupdtool esp-list --verbose
    15:18:43:0060 FuDebug              Verbose debugging enabled (on console 1)
    15:18:43:0135 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb3, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: ntfs
    15:18:43:0138 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb2, type: xxxxxxxxxxxxxxxxxx, internal: 1, fs: 
    15:18:43:0160 FuCommon             device /org/freedesktop/UDisks2/block_devices/sda3, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: crypto_LUKS
    15:18:43:0174 FuCommon             device /org/freedesktop/UDisks2/block_devices/sda2, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: ext4
    15:18:43:0179 FuCommon             device /org/freedesktop/UDisks2/block_devices/sda1, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: vfat
    15:18:43:0184 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb1, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: vfat
    15:18:43:0188 FuCommon             device /org/freedesktop/UDisks2/block_devices/sdb5, type: xxxxxxxxxxxxxxxxxxx, internal: 1, fs: ntfs
    
    
    Choose a volume:
    0.    Cancel
    1.    /org/freedesktop/UDisks2/block_devices/sda1
    2.    /org/freedesktop/UDisks2/block_devices/sdb1
    
    Please enter a number from 0 to 2: 1
    /boot/efi/EFI/ubuntu/grubx64.efi
    /boot/efi/EFI/ubuntu/shimx64.efi
    /boot/efi/EFI/ubuntu/mmx64.efi
    /boot/efi/EFI/ubuntu/BOOTX64.CSV
    /boot/efi/EFI/ubuntu/grub.cfg
    /boot/efi/EFI/BOOT/BOOTX64.EFI
    /boot/efi/EFI/BOOT/fbx64.efi
    /boot/efi/EFI/BOOT/mmx64.efi
    Last edited by DuckHook; February 25th, 2023 at 08:01 PM. Reason: Added CODE tags.

  2. #2
    Join Date
    Feb 2014
    Beans
    298

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    Deleted. On re-reading the above not helpful.
    Last edited by maglin2; February 26th, 2023 at 12:09 AM.

  3. #3
    Join Date
    Jul 2016
    Beans
    42

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    What does that mean? Deleted. On re-reading the above not helpful. . .

    Oh, sorry. I see, what you initially wrote was probably not helpful.

    Apologies.
    Last edited by bulgin; February 26th, 2023 at 04:33 AM.

  4. #4
    Join Date
    Feb 2014
    Beans
    298

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    Quote Originally Posted by bulgin View Post
    What does that mean? Deleted. On re-reading the above not helpful. . .

    Oh, sorry. I see, what you initially wrote was probably not helpful.

    Apologies.
    Sorry I should have worded the deletion edit better.
    I had the same issue, but in my case I found some obvious old leftover KDE Neon stuff in /boot/efi
    Looking at your output again I saw you'd already looked there.

  5. #5
    Join Date
    Feb 2014
    Beans
    298

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    Is it a Dell machine?
    If so this post may help https://ubuntuforums.org/showthread.php?t=2484426
    (with the benefit that the person answering there knows what they're doing!)

  6. #6
    Join Date
    Jul 2016
    Beans
    42

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    Thanks, but not Dell. It's an Asus laptop.

    I'm nervous about deleting files that will brick the device. I have full backups, but it's never nice to lose access to the machine. . .

  7. #7
    Join Date
    Jul 2016
    Beans
    42

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty SOLVED

    SOLVED:

    As some may have noticed there is a dual boot setup: First in order is Ubuntu 22.04, then Windows. The solution was I removed the Windows SD card from the computer, leaving only the Ubuntu 22.04 install on SSD which is the first to boot anyway.

    I then ran fwupdmgr update and was successful in upgrading.

    The question remains: why? Was there something in the Windows loaders or otherwise that gave a faulty response? Curious minds need to know. . .
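The fwupd message in post #1 says the dbx update is refused when an executable on any ESP has an Authenticode checksum that is already in dbx, and post #7 found the offending volume by physically removing the Windows SD card. A defender can reproduce that check offline instead: read the current dbx from efivarfs, compute the PE Authenticode SHA-256 of every .efi file on the mounted ESP volumes, and report which file (and which volume) matches. The script below is an added example written for this thread; it is not fwupd's code and not from the thread. It reimplements the EFI_SIGNATURE_LIST layout and the Authenticode digest from the UEFI and PE specifications, reads dbx from the standard efivarfs path, and assumes the ESP mount points given on the command line (the `/boot/efi` and `/media/root/SYSTEM` paths from post #1's output are used only as the usage example). The `build_test_image` and `build_sha256_esl` helpers generate constructed test data so the digest logic can be exercised without a real bootloader.

```python
import hashlib
import os
import struct
import sys
import uuid

# UEFI-spec GUIDs: signature type for SHA-256 hash entries; security database GUID used by efivarfs for dbx.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_esl_sha256(blob):
    """Collect the SHA-256 entries (hex) from a chain of EFI_SIGNATURE_LIST structures.
    Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the 32-byte hash."""
    hashes, off = set(), 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
                hashes.add(blob[pos + 16:pos + 48].hex())
            pos += sig_size
        off += list_size
    return hashes


def load_system_dbx(path=DBX_EFIVAR):
    """Read dbx through efivarfs; the first 4 bytes of that file are the variable attributes."""
    with open(path, "rb") as f:
        return parse_esl_sha256(f.read()[4:])


def authenticode_sha256(pe):
    """SHA-256 Authenticode digest of a PE/COFF image, i.e. the value a dbx hash entry names."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if pe_off < 0 or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H", pe, pe_off + 6)[0], struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    datadir = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directory offset
    checksum_off, certdir_off = opt + 64, datadir + 4 * 8     # CheckSum field; Certificate Table entry
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_size = struct.unpack_from("<I", pe, certdir_off + 4)[0]
    h = hashlib.sha256()
    h.update(pe[:checksum_off])                    # headers, skipping the CheckSum field...
    h.update(pe[checksum_off + 4:certdir_off])     # ...and the Certificate Table directory entry
    h.update(pe[certdir_off + 8:size_of_headers])
    # Section headers hold (SizeOfRawData, PointerToRawData) at +16; hash raw data in file order.
    sections = sorted(struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16)[::-1] for i in range(nsec))
    hashed = size_of_headers
    for raw_ptr, raw_size in sections:
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - hashed - cert_size           # trailing data, minus the signature blob itself
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def find_blocked(images, dbx_hashes):
    """images: {path: bytes}. Return [(path, digest)] for every image whose digest is in dbx."""
    blocked = []
    for path, data in images.items():
        try:
            digest = authenticode_sha256(data)
        except (ValueError, struct.error):
            continue  # grub.cfg, BOOTX64.CSV and similar are not PE images
        if digest in dbx_hashes:
            blocked.append((path, digest))
    return blocked


def build_test_image(payload, checksum=0, cert_blob=b""):
    """Constructed minimal PE32+ EFI application (test data only; not bootable)."""
    pe_off, opt_size, hdr_size = 0x40, 240, 0x200
    raw_size = (len(payload) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", pe_off)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<IIH", opt, 60, hdr_size, checksum, 10)  # SizeOfHeaders, CheckSum, EFI app subsystem
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    if cert_blob:
        struct.pack_into("<II", opt, 144, hdr_size + raw_size, len(cert_blob))  # Certificate Table entry
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000, raw_size, hdr_size, 0, 0, 0, 0, 0x60000020)
    headers = (dos + coff + bytes(opt) + sec).ljust(hdr_size, b"\0")
    return headers + payload.ljust(raw_size, b"\0") + cert_blob


def build_sha256_esl(hashes_hex):
    """Constructed dbx-style EFI_SIGNATURE_LIST holding the given SHA-256 hashes."""
    entries = b"".join(uuid.UUID(int=0).bytes_le + bytes.fromhex(h) for h in hashes_hex)  # zero owner GUID
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(entries), 0, 48) + entries


if __name__ == "__main__":  # usage: python3 dbx_check.py /boot/efi /media/root/SYSTEM  (mount points assumed)
    paths = [os.path.join(r, n) for d in sys.argv[1:] for r, _, fs in os.walk(d) for n in fs if n.lower().endswith(".efi")]
    images = {p: open(p, "rb").read() for p in paths}
    for path, digest in find_blocked(images, load_system_dbx()):
        print(f"blocked: {path} - Authenticode sha256 {digest} is present in dbx")
```

Run as root with every ESP mounted (the Windows SD card's ESP included, which is what `fwupdtool esp-list` enumerated as sdb1 in post #1); each reported path is a loader that fwupd will also refuse, so the fix is to update or remove that specific file rather than leave a dbx-listed bootloader on a disk the firmware can still boot from. The digest deliberately skips the PE CheckSum field and the certificate table, which is why a re-signed but otherwise identical binary hashes the same and why dbx can block it by hash regardless of signature.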

  8. #8
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    I don't dual boot with Windows, so this is foreign to me, but if I were to hazard a guess, I would say, yes, it is likely Windows' fault.

    I'm not a UEFI expert, but the newest machines come with built-in secure boot "safeguards" that stop the computer from installing anything that smells fishy. The problem for us Linux folks is that what smells fishy is dictated by Microsoft, so, if they don't whitelist a certain bootloader, it is treated as insecure.

    By taking out your Windows SD card entirely, you deprived the UEFI of its access to that whitelist, in which case, it probably defaults to accepting everything. This may have been the reason you could finally upgrade without Windows present.

    Please keep in mind that the above is nothing more than a wild (well, slightly educated) guess.

    The first thing that I do with a new machine is to entirely disable secure boot (and fast boot too). I'm not sold on its supposed security benefits and feel that it is just one more handcuff foisted on us by the MS cabal to further solidify their hegemony under the guise of "security". They keep doing stuff like this and I just don't trust them.

    I don't know your machine, so I don't know if you can disable secure boot or not. It does *theoretically* offer enhanced security, but, as you have discovered, this comes with a downside. It's up to you to decide if the extra hassle is worth it.

    BTW, I do run Windows, but in a VM. I find this to be the best way to sidestep all of the tricks and subterfuges that MS imposes on us Linux users. Windows can't screw up my host if it's fooled into thinking that it is boss of its own safely contained little virtual world.

  9. #9
    Join Date
    Jul 2016
    Beans
    42

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    Thank you @DuckHook for the insight. Much appreciated. And I fully agree with your perspective on Microsoft hegemony. . . Let me ask you this for my own edification: Are you saying that the outdated UEFI saw something when the Microsoft OS was installed, and saw it potentially in which OS? Windows or Ubuntu? Or neither? As you explained it, the old UEFI somehow had a different list of potential bad actors - perhaps outdated - than the new one?

    Thanks again, appreciate the insight.

  10. #10
    Join Date
    Mar 2011
    Location
    19th Hole
    Beans
    Hidden!
    Distro
    Ubuntu 22.04 Jammy Jellyfish

    Re: 22.04 Upgrade UEFI dbx from 77 to 217? difficulty

    I feel it important to re‑emphasize that my above exposition remains a guess, as is what follows. Please don't take it as insight. I don't want to have to eat my words if I turn out to be wrong.

    In more modern machines, UEFI replaces the ancient BIOS bootstrap process. The way that I understand it to be superior is that it allows the addition of modules to enhance the boot process. This is actually a partnership between modern boot HW and what's in the UEFI partition. So, when a modern computer boots up, it checks the UEFI partition in the HDD/SSD and then reacts to what it finds there based on the settings in its HW.

    If you have secure boot enabled in the HW, it checks any system level stuff that you want to load or add against a database of acceptable whitelisted stuff that it has stashed away in the UEFI partition (I'm in full flight guessing mode now). It does this by checking for "properly" signed keys in the things you want to add. These "things" can range from bootloaders to drivers to kernel modules—anything that can affect the critical internal organs of your OS. If the key is acceptable, it will allow the boot/upgrade/installation process to proceed. If the key is outdated or otherwise unacceptable, then it will not allow the process to proceed. In the case of a bootloader, you won't be able to boot. In the case of a device driver, it won't load. In a case like yours, you won't be allowed to upgrade a component.

    So, in your case, I don't know if the problem was an outdated UEFI or a bad MS signature database or something else entirely, but the fact that everything worked once the MS SD card was removed would seem to indicate that it was a bad MS signature database. I suppose that it is also possible that Ubuntu neglected to sign their update "properly", whether they failed to inform MS or used an old outdated key or… your guess is as good as mine here. I can't really answer your question as to where the "fault" lies, and, in truth, I don't really much care…

    …because the larger point I'm making is that all of this complexity is so unnecessary for those of us who just run Linux.

    Part of the reason I have to guess at all of the above is because I've never bothered to immerse myself in the witchcraft of UEFI and MS signed keys. I can avoid the whole Microsoft mess by nuking Windows altogether from my host and confining it to just VMs. I've done so for years and it's like being let out of jail.

    As an aside, I have run into a minor problem recently in my Windows 10 VM. A security update refuses to install presumably because it doesn't recognize my virtual HW as being "secure". I can't tell what the problem is because Windows updates are frustratingly opaque and uninformative. When they don't install, they don't tell us what the problem is; they just say that they failed. I have no real idea if my problem is related to yours, but I thank my lucky stars that the problem is confined to my VM and does not bork my host.

    Thank the computing gods for VMs. Thank the computing gods even more that I can confine the MS beast to its own little VM cage.
