Oh - one more point to share regarding coordination. The fwupd dbx plugin DOES validate the content on the ESP. If the revocation update contains a signature on the ESP, the update will not be allowed to be installed by default.
The code that does this runs as part of the 'prepare' state of the dbx update installation. So the dbx would not be installed in this case: https://github.com/fwupd/fwupd/blob/main/plugins/uefi-dbx/fu-uefi-dbx-device.c#L85

--
https://bugs.launchpad.net/bugs/1971965

Title: fwupd has dbx plugin enabled but shouldn't
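The kind of pre-install check described in the comment above, as an added example (not fwupd's code and not part of the original message): walk the EFI_SIGNATURE_LIST entries of a dbx payload and refuse the update if a SHA-256 entry matches the digest of a binary on the ESP. Assumptions: the payload is bare signature-list data with any authentication header already stripped, the ESP binaries' Authenticode SHA-256 digests were computed elsewhere, and the names `dbx_blocks_esp` and `make_sample_dbx` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, in on-disk byte order */
static const uint8_t SHA256_GUID[16] = {0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
                                        0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28};
static uint32_t rd32(const uint8_t *p) /* little-endian UINT32 */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* esp: n_esp consecutive 32-byte digests (assumed precomputed). Returns 1 if the
 * update would revoke one of them, 0 if none, -1 if the lists are malformed. */
int dbx_blocks_esp(const uint8_t *dbx, size_t len, const uint8_t *esp, size_t n_esp)
{
    for (size_t off = 0; off < len;) {
        if (len - off < 28) return -1;           /* truncated list header */
        uint32_t list_sz = rd32(dbx + off + 16); /* SignatureListSize */
        uint32_t hdr_sz = rd32(dbx + off + 20);  /* SignatureHeaderSize */
        uint32_t sig_sz = rd32(dbx + off + 24);  /* SignatureSize */
        if (list_sz < 28 || list_sz > len - off || hdr_sz > list_sz - 28 || sig_sz < 16)
            return -1;
        if (memcmp(dbx + off, SHA256_GUID, 16) == 0 && sig_sz == 48)
            for (size_t e = off + 28 + hdr_sz; e + 48 <= off + list_sz; e += 48)
                for (size_t i = 0; i < n_esp; i++)
                    if (memcmp(dbx + e + 16, esp + 32 * i, 32) == 0)
                        return 1; /* entry = 16-byte owner GUID + 32-byte digest */
        off += list_sz;
    }
    return 0;
}

/* Constructed sample: one SHA-256 list holding one digest made of `fill` bytes. */
void make_sample_dbx(uint8_t out[76], uint8_t fill)
{
    memset(out, 0, 76);
    memcpy(out, SHA256_GUID, 16);
    out[16] = 76; out[24] = 48; /* SignatureListSize, SignatureSize */
    memset(out + 44, fill, 32);
}

int main(void)
{
    uint8_t dbx[76], esp[64];
    make_sample_dbx(dbx, 0xAB);
    memset(esp, 0x11, 32);      /* constructed digest of an unaffected binary */
    memset(esp + 32, 0xAB, 32); /* constructed digest of a binary the update revokes */
    puts(dbx_blocks_esp(dbx, sizeof dbx, esp, 2) == 1 ? "refuse dbx update" : "ok to install");
}
```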