Secure Boot dbx update offer, revisited

I have a similar situation as reported in Secure Boot dbx update?, but since that post is already closed I am starting this one. A few days ago, my Intel motherboard died and I chose as replacement ASRock B550M PG Riptide, with AMD Ryzen 7 5700G with Radeon. This is Fedora Silverblue 37. Contrary to my worst fears, everything went fantastic. Silverblue is working as if nothing happened, except that is moving faster. I also saw rpm-ostree installing several AMD-related pieces. But then I got this offer from Software:


I was recently hit by the TPM error in a quite old HP all-in-one workstation, which I fixed. But before pushing the update button, I would like to get some feedback.
Thanks in advance.

You do not say how or when you upgraded to F37. The release of F37 was delayed to wait for a security fix in ssl, so that likely is not directly related, but there was also a recent update to the tpm keys and it is possible your machine is not yet updated for that. It is up to you to verfify if the upgrade is needed and to respond accordingly. You really should make certain everything security related is up to date. If not then problems may occur.

I think an update should be done just as a regular thing and the update is supposed to take care of any issues. This is a warning that if your system is running improperly signed software and your recovery images are also older that recovery may become a problem.

Thanks for your reply. I upgraded to F37 more than a month ago, when it hit beta status. Since then, I kept updating almost every day. My workstation broke down on November 12 and was fixed with the new CPU on November 18. That day, I updated everything again and was then when I got this secure boor update offer. I just ran rpm-ostree and found no new updates, so I guess I’m in a good position to proceed.
I survived. To my surprise, Software didn’t ask me to reboot once this firmware updated was applied (which took around 5 seconds). Software reloaded and offered updates for 2 flatpaks apps, which I also applied. Just in case I rebooted and everything went OK.

Well, there is something else going on here. The offer is back and no firmware is installed. Other regular updates were offered and applied on reboot, but the firmware one just keep hanging there in Software. So I guess I should disable it or find another way to apply it. Suggestions are welcome.

This update is applied in motherboard’s UEFI variable store, so after changing motherboard it might require reapplying.
If you look though linked topic, you’ll find my answers with tools able to install this update without GNOME Software or to verify whether it’s been installed.

Thanks. I ran fwupdmgr and got this:

[francisco@principal ~]$ sudo fwupdmgr update
Devices with no available firmware updates:
β€’ CT2000BX500SSD1
β€’ Portable SSD T5
╔══════════════════════════════════════════════════════════════════════════════╗
β•‘ Upgrade UEFI dbx from 77 to 217? β•‘
╠══════════════════════════════════════════════════════════════════════════════╣
β•‘ This updates the dbx to the latest release from Microsoft which adds β•‘
β•‘ insecure versions of grub and shim to the list of forbidden signatures due β•‘
β•‘ to multiple discovered security updates. β•‘
β•‘ β•‘
β•‘ Before installing the update, fwupd will check for any affected executables β•‘
β•‘ in the ESP and will refuse to update if it finds any boot binaries signed β•‘
β•‘ with any of the forbidden signatures. If the installation fails, you will β•‘
β•‘ need to update shim and grub packages before the update can be deployed. β•‘
β•‘ β•‘
β•‘ Once you have installed this dbx update, any DVD or USB installer images β•‘
β•‘ signed with the old signatures may not work correctly. You may have to β•‘
β•‘ temporarily turn off secure boot when using recovery or installation media, β•‘
β•‘ if new images have not been made available by your distribution. β•‘
β•‘ β•‘
β•šβ•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•β•

Perform operation? [Y|n]:
Downloading… []
Downloading… [
]
Downloading… []
Decompressing… [
]
Authenticating… []
Waiting… [
]
Writing… [***************************************]
Decompressing… [ ]Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [0ce02100f67c7ef85f4eed368f02bf7092380a3c23ca91fd7f19430d94b00c19] is present in dbx
[francisco@principal ~]$

Same topic:

I am running Fedora Silverblue 37 fully updated. Should I use rpm-ostree instead?

https://bugzilla.redhat.com/show_bug.cgi?id=2127995

1 Like

Oh, well. I will suscribe to the bug report. Thanks, @ozeszty, for taking care of me.

You’re welcome. You’ve found the right topic and should have read it through for most of what you needed :stuck_out_tongue:

It’s ironic, but I am relieved this is a bug. I was apprehensive about buying an AMD motherboard instead of Intel (besides it would cost more, it wouldn’t be available for 3 long weeks). Now I’m sure I made a good choice.

Good choice, competitions is great.

New development. Today I got some dracut updates for Silverblue 37 and my workstation failed to boot. I went to the BIOS and disabled secure boot, after which booting resumed. I intend to keep secure boot off until the firmware update bug is solved or when I reinstall Silverblue, if ever.