OEM Priority Project

Bug #1990179
Comment #32

Comment 32 for bug 1990179

Revision history for this message

Daniel P Pflager (pflagerd) wrote on 2022-10-28:

#32

VERSION="22.04.1 LTS (Jammy Jellyfish)"
Dell 7750

DELL7750:~/Downloads> sudo fwupdmgr update
Devices with no available firmware updates:
• SSD 970 EVO Plus 2TB
• SSD 970 EVO Plus 2TB
• Thunderbolt host controller
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• BC711 NVMe SK hynix 256GB
• System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds ║
║ insecure versions of grub and shim to the list of forbidden signatures due ║
║ to multiple discovered security updates. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures.If the installation fails, you will ║
║ need to update shim and grub packages before the update can be deployed. ║
║ ║
║ Once you have installed this dbx update, any DVD or USB installer images ║
║ signed with the old signatures may not work correctly.You may have to ║
║ temporarily turn off secure boot when using recovery or installation media, ║
║ if new images have not been made available by your distribution. ║
║ ║
║ UEFI dbx and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]:
Downloading… [***************************************]
Decompressing… [***************************************]
Decompressing… [***************************************]
Authenticating… [***************************************]
Authenticating… [***************************************]
Restarting device… [***************************************]
Writing… [***************************************]
Decompressing… [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/Boot/shimx64.efi Authenticode checksum [007f4c95125713b112093e21663e2d23e3c1ae9ce4b5de0d58a297332336a2d8] is present in dbx

DELL7750:~/Downloads> sudo fwupdtool esp-list --verbose
18:24:08:0819 FuDebug Verbose debugging enabled (on console 1)
18:24:08:0873 FuCommon device /org/freedesktop/UDisks2/block_devices/nvme1n1p3, type: 0fc63daf-8483-4772-8e79-3d69d8477de4, internal: 1, fs: ext4
18:24:08:0877 FuCommon device /org/freedesktop/UDisks2/block_devices/nvme1n1p2, type: e3c9e316-0b5c-4db8-817d-f92df00215ae, internal: 1, fs: vfat
18:24:08:0881 FuCommon device /org/freedesktop/UDisks2/block_devices/nvme1n1p1, type: c12a7328-f81f-11d2-ba4b-00a0c93ec93b, internal: 1, fs: vfat
Selected volume: /org/freedesktop/UDisks2/block_devices/nvme1n1p1
/boot/efi/EFI/Boot/BOOTX64.EFI
/boot/efi/EFI/Boot/en-us/bootx64.efi.mui
/boot/efi/EFI/Boot/shimx64.efi
/boot/efi/EFI/Boot/fbx64.efi
/boot/efi/EFI/Boot/mmx64.efi
/boot/efi/EFI/Microsoft/Boot/BCD
/boot/efi/EFI/Microsoft/Boot/Fonts/chs_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/cht_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/jpn_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/kor_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/malgun_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/meiryo_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/msjh_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/msyh_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/segmono_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/segoe_slboot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/wgl4_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Resources/bootres.dll
/boot/efi/EFI/Microsoft/Boot/BCD.LOG
/boot/efi/EFI/dell/bios/recovery/BIOS_PRE.rcv
/boot/efi/EFI/dell/bios/recovery/BIOS_CUR.RCV
/boot/efi/EFI/dell/logs/diags_previous.xml
/boot/efi/EFI/dell/logs/diags_current.xml
/boot/efi/EFI/ubuntu/fw/fwupd-cd2d1a90-4e20-42fd-8e4a-4674177ac416.cap
/boot/efi/EFI/ubuntu/grubx64.efi
/boot/efi/EFI/ubuntu/grub.cfg
/boot/efi/EFI/ubuntu/shimx64.efi
/boot/efi/EFI/ubuntu/mmx64.efi
/boot/efi/EFI/ubuntu/BOOTX64.CSV
/boot/efi/EFI/ubuntu/fwupdx64.efi
/boot/efi/en-us/bootmgr.efi.mui

The content of this thread seems similar to my current predicament.

Is it?

VERSION="22.04.1 LTS (Jammy Jellyfish)"
Dell 7750

DELL7750:~/Downloads> sudo fwupdmgr update
Devices with no available firmware updates: 
 • SSD 970 EVO Plus 2TB
 • SSD 970 EVO Plus 2TB
 • Thunderbolt host controller
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • BC711 NVMe SK hynix 256GB
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: 
Downloading…             [***************************************]
Decompressing…           [***************************************]
Decompressing…           [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Restarting device…       [***************************************]
Writing…                 [***************************************]
Decompressing…           [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/Boot/shimx64.efi Authenticode checksum [007f4c95125713b112093e21663e2d23e3c1ae9ce4b5de0d58a297332336a2d8] is present in dbx

DELL7750:~/Downloads> sudo fwupdtool esp-list --verbose
18:24:08:0819 FuDebug              Verbose debugging enabled (on console 1)
18:24:08:0873 FuCommon             device /org/freedesktop/UDisks2/block_devices/nvme1n1p3, type: 0fc63daf-8483-4772-8e79-3d69d8477de4, internal: 1, fs: ext4
18:24:08:0877 FuCommon             device /org/freedesktop/UDisks2/block_devices/nvme1n1p2, type: e3c9e316-0b5c-4db8-817d-f92df00215ae, internal: 1, fs: vfat
18:24:08:0881 FuCommon             device /org/freedesktop/UDisks2/block_devices/nvme1n1p1, type: c12a7328-f81f-11d2-ba4b-00a0c93ec93b, internal: 1, fs: vfat
Selected volume: /org/freedesktop/UDisks2/block_devices/nvme1n1p1
/boot/efi/EFI/Boot/BOOTX64.EFI
/boot/efi/EFI/Boot/en-us/bootx64.efi.mui
/boot/efi/EFI/Boot/shimx64.efi
/boot/efi/EFI/Boot/fbx64.efi
/boot/efi/EFI/Boot/mmx64.efi
/boot/efi/EFI/Microsoft/Boot/BCD
/boot/efi/EFI/Microsoft/Boot/Fonts/chs_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/cht_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/jpn_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/kor_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/malgun_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/meiryo_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/msjh_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/msyh_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/segmono_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/segoe_slboot.ttf
/boot/efi/EFI/Microsoft/Boot/Fonts/wgl4_boot.ttf
/boot/efi/EFI/Microsoft/Boot/Resources/bootres.dll
/boot/efi/EFI/Microsoft/Boot/BCD.LOG
/boot/efi/EFI/dell/bios/recovery/BIOS_PRE.rcv
/boot/efi/EFI/dell/bios/recovery/BIOS_CUR.RCV
/boot/efi/EFI/dell/logs/diags_previous.xml
/boot/efi/EFI/dell/logs/diags_current.xml
/boot/efi/EFI/ubuntu/fw/fwupd-cd2d1a90-4e20-42fd-8e4a-4674177ac416.cap
/boot/efi/EFI/ubuntu/grubx64.efi
/boot/efi/EFI/ubuntu/grub.cfg
/boot/efi/EFI/ubuntu/shimx64.efi
/boot/efi/EFI/ubuntu/mmx64.efi
/boot/efi/EFI/ubuntu/BOOTX64.CSV
/boot/efi/EFI/ubuntu/fwupdx64.efi
/boot/efi/en-us/bootmgr.efi.mui

The content of this thread seems similar to my current predicament.

Is it?