Comment 18 for bug 1990179

I didn't request fwupdmgr update --verbose, I requested fwupdtool update --verbose. There was a reason I requested that difference.

Anyway though; the problem is very clear now from your output from fwupdgmr as well.

Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx

What is going on is that the ESP contains another bootloader that is used for the recovery partition, which if secureboot DBX update was pushed down would no longer be able to execute. This other bootloader needs to be updated before the DBX update will be accepted.