can't install "Secure Boot dbx Configuration Update" firmware upgrade version 217 because of abandoned and stale (I think) "/boot/efi/EFI/ubuntu/shimx64.efi"

Bug #1993207 reported by Jonathan Kamens
This bug affects 5 people
Affects                Status        Importance  Assigned to  Milestone
grub2-signed (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

The Ubuntu Software app says it wants to update my "Secure Boot dbx Configuration Update" to version 217, but when I try to install the update, it says:

Unable to update "Secure Boot dbx Configuration Update": Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/ubuntu/shimx64.efi Authenticode checksum [e060d...I'm not going to type the whole thing...cec6df] is present in dbx

The file /boot/efi/EFI/ubuntu/shimx64.efi was last modified on September 20, 2020 and is not owned by any package. There are two other files in that directory, mmx64.efi and BOOTX64.CSV, that were last modified on September 20, 2020, and two files in that directory, grub.cfg and grubx64.efi, that were last modified on September 24, 2022 when grub-efi-amd64-signed was upgraded.

My guess—just a guess, maybe I'm wrong—is that the three files last modified on September 20, 2020 are obsolete and should have been cleaned up by a package upgrade at some point but were not. However, I'm not comfortable with simply deleting them because I don't know enough about secure boot to know for certain that's safe for me to do without bricking my system.

I think if these files are indeed obsolete then the package configurator needs to clean them up so others who are upgrading don't end up in this situation.

ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: grub-efi-amd64-signed 1.185+2.06-2ubuntu12
ProcVersionSignature: Ubuntu 5.19.0-21.21-generic 5.19.7
Uname: Linux 5.19.0-21-generic x86_64
NonfreeKernelModules: nvidia_modeset nvidia
ApportVersion: 2.23.1-0ubuntu3
Architecture: amd64
CasperMD5CheckResult: unknown
CurrentDesktop: ubuntu:GNOME
Date: Mon Oct 17 16:00:46 2022
InstallationDate: Installed on 2019-01-02 (1384 days ago)
InstallationMedia: Ubuntu 18.10 "Cosmic Cuttlefish" - Release amd64 (20181017.3)
SourcePackage: grub2-signed
UpgradeStatus: Upgraded to kinetic on 2022-09-24 (22 days ago)
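The error above is fwupd refusing to apply a dbx update while a binary in the ESP would be revoked by it: the Authenticode digest of shimx64.efi is listed in dbx, the UEFI forbidden-signatures database. The following is an added example, not fwupd's or Ubuntu's code, showing what that membership check looks like: it parses a dbx blob in the UEFI EFI_SIGNATURE_LIST format and reports whether a given SHA-256 digest is present. The sample dbx blob, its two digests and the owner GUID are constructed for the example; the list-type GUID and the layout follow the UEFI specification.

```python
"""Parse a UEFI dbx blob and check whether a digest is present in it.

Added example for this bug report; not fwupd's or Ubuntu's code. The
SAMPLE_DBX blob and its digests are constructed here for illustration.
"""
import struct
import uuid

# EFI_CERT_SHA256_GUID: entries of this list type are 32-byte SHA-256 digests
# (for an EFI binary, the PE Authenticode digest, not a plain sha256sum).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Arbitrary owner GUID for the constructed entries (not a real issuer).
FAKE_OWNER_GUID = uuid.UUID("11111111-2222-3333-4444-555555555555")

HEADER_LEN = 28  # SignatureType GUID (16) + three UINT32 sizes (12)


def parse_dbx(blob: bytes) -> set[str]:
    """Return the SHA-256 digests (lowercase hex) found in a dbx blob.

    The blob is a concatenation of EFI_SIGNATURE_LIST structures. Lists of
    other types (for example X.509 certificates) are skipped, not rejected.
    """
    hashes = set()
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < HEADER_LEN or offset + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size out of range")
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:
                raise ValueError("bad SignatureSize for a SHA-256 list")
            data_start = offset + HEADER_LEN + hdr_size
            data_end = offset + list_size
            if (data_end - data_start) % sig_size:
                raise ValueError("signature data not a multiple of SignatureSize")
            for entry in range(data_start, data_end, sig_size):
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the digest.
                hashes.add(blob[entry + 16:entry + sig_size].hex())
        offset += list_size
    return hashes


def is_blocked(authenticode_sha256_hex: str, dbx_hashes: set[str]) -> bool:
    """True if a binary's Authenticode SHA-256 digest appears in dbx."""
    return authenticode_sha256_hex.lower() in dbx_hashes


def build_sha256_list(digests: list[bytes], owner: uuid.UUID = FAKE_OWNER_GUID) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST of type EFI_CERT_SHA256_GUID."""
    sig_size = 16 + 32
    body = b"".join(owner.bytes_le + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", HEADER_LEN + len(body), 0, sig_size)
    return header + body


# Constructed sample dbx with two made-up digests (not real dbx content).
BLOCKED_DIGEST = b"\xaa" * 32
OTHER_DIGEST = b"\x22" * 32
SAMPLE_DBX = build_sha256_list([BLOCKED_DIGEST, OTHER_DIGEST])


def load_dbx_from_efivars(
        path="/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f") -> set[str]:
    """Read the live dbx through efivarfs; the first 4 bytes are the variable attributes."""
    with open(path, "rb") as fh:
        return parse_dbx(fh.read()[4:])


if __name__ == "__main__":
    dbx = parse_dbx(SAMPLE_DBX)
    for name, digest in (("sample shim", BLOCKED_DIGEST.hex()), ("other", OTHER_DIGEST.hex())):
        print(f"{name}: {'BLOCKED' if is_blocked(digest, dbx) else 'ok'}")
```

To run this against a real machine, swap `SAMPLE_DBX` for `load_dbx_from_efivars()` and feed it the Authenticode digest of each binary under /boot/efi/EFI; the digest fwupd quotes in its error is that PE Authenticode hash, so a plain `sha256sum` of the file will not match.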

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in grub2-signed (Ubuntu):
status: New → Confirmed
Jonathan Kamens (jik)
tags: added: community-security
Revision history for this message
Jonathan Kamens (jik) wrote :

FWIW I was able to resolve this by installing the package `shim-signed`. I don't know how my system ended up in a state where this package was not installed. My dpkg logs in /var/log only go back to 2022, and as noted above the unowned files that shim-signed is apparently responsible for maintaining were last modified (before I installed shim-signed) in 2020.

Revision history for this message
Julian Andres Klode (juliank) wrote :

Marking as fix released then, as it is no longer possible to remove shim-signed (well if you pass --allow-remove-essential it can be done but ugh).

Changed in grub2-signed (Ubuntu):
status: Confirmed → Fix Released
Revision history for this message
Jonathan Kamens (jik) wrote :

Perhaps it is no longer possible to _remove_ shim-signed, but how was it possible for me to get my machine into a state where it wasn't installed, and that state was not rectified by a subsequent upgrade? Given that was possible, aren't other people upgrading going to run into this?
