On Sat, 2023-04-08 at 21:32 -0400, Jeffrey Walton wrote:
> On Sat, Apr 8, 2023 at 9:08 PM Jonathan Ryshpan <jonr...@pacbell.net> wrote:
> >
> > Discover, which I use for upgrades, reports problems with UEFI.
> > There is an update, which Discover refuses to install. Discover
> > reports this message:
> >
> >     UEFI DBX : Version 217 : Released on 4/8/23
> >
> >     UEFI Secure Boot Forbidden Signature Database
> >
> >     Insecure versions of software from Trend Micro, vmware, CPSD,
> >     Eurosoft, and New Horizon Datasys Inc were added to the list of
> >     forbidden signatures due to discovered security problems. This
> >     updates the dbx to the latest release from Microsoft.
> >     Before installing the update, fwupd will check for any affected
> >     executables in the ESP and will refuse to update if it finds any
> >     boot binaries signed with any of the forbidden signatures.
> >     ...
> >
> > It looks like there is a new version of the UEFI boot system, which
> > can't be installed because of signature issues. Is this correct? Is
> > it anything to worry about? Can anything be done to fix the issue?
> > Is the issue likely to be fixed upstream?
>
> I don't use Discover. I use fwupdmgr directly. I have not seen
> fwupdmgr refuse to update a component (sans no UEFI). Here's the
> relevant piece of the script I run daily:
>
>     if command -v fwupdmgr >/dev/null 2>&1 ; then
>         if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
>             echo "Updating firmware"
>             fwupdmgr refresh --force 1>/dev/null && \
>             fwupdmgr update 1>/dev/null
>         fi
>     fi
>
> I also noticed the db was updated today.

Very interesting. After running by hand the parts of your script that
test whether an update is necessary (it is), I ran the actual update
and got the following output. As you see, I replied "n"; would it be
dangerous to try "Y"?

BTW: I've been seeing the error message for about a week.

$ fwupdmgr update
Devices with no available firmware updates:
 • System Firmware
 • WDC WD2005FBYZ-01YCBB2
 • WDC WD20EFRX-68EUZN0
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 217 to 220?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and  ║
║ New Horizon Datasys Inc were added to the list of forbidden signatures due   ║
║ to discovered security problems. This updates the dbx to the latest release  ║
║ from Microsoft.                                                              ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.                                        ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: n
Request canceled

-- 
Sincerely Jonathan Ryshpan <jonr...@pacbell.net>

        Ever wonder why the SAME PEOPLE make up
        ALL the conspiracy theories?
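
Added example (not part of the original thread, and not fwupd's own code): a sketch of the kind of check the update prompt describes, parsing SHA-256 entries out of a dbx in EFI_SIGNATURE_LIST format and reporting which boot binaries are on the forbidden list. It assumes the caller already has the Authenticode SHA-256 digest of each binary on the ESP, since dbx hash entries are Authenticode digests rather than plain file hashes; certificate-type lists are skipped, and the function names, paths and sample data are constructed for illustration.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def parse_sha256_entries(blob: bytes) -> set:
    """Return every SHA-256 digest in concatenated EFI_SIGNATURE_LIST structures."""
    digests, offset = set(), 0
    while offset < len(blob):
        if len(blob) - offset < LIST_HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        guid_le, list_size, hdr_size, sig_size = LIST_HEADER.unpack_from(blob, offset)
        body, end = offset + LIST_HEADER.size + hdr_size, offset + list_size
        if body > end or end > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size field out of bounds")
        if uuid.UUID(bytes_le=guid_le) == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:
                raise ValueError("unexpected SHA-256 entry size")
            for pos in range(body, end - sig_size + 1, sig_size):
                digests.add(blob[pos + 16 : pos + sig_size])  # skip 16-byte owner GUID
        offset = end  # lists of other types (e.g. X.509) are skipped
    return digests

def blocked_binaries(esp_digests: dict, dbx: set) -> list:
    """Names of boot binaries whose digest is on the forbidden list."""
    return sorted(name for name, digest in esp_digests.items() if digest in dbx)

def build_list(type_guid: uuid.UUID, owner: uuid.UUID, entries: list) -> bytes:
    """Pack one EFI_SIGNATURE_LIST; used here only to construct sample input."""
    data = b"".join(owner.bytes_le + e for e in entries)
    size = LIST_HEADER.size + len(data)
    return LIST_HEADER.pack(type_guid.bytes_le, size, 0, 16 + len(entries[0])) + data

# Constructed sample data: digests of made-up strings, not real dbx content.
OWNER = uuid.UUID(int=1)
OLD_LOADER = hashlib.sha256(b"constructed old bootloader").digest()
NEW_LOADER = hashlib.sha256(b"constructed current bootloader").digest()
SAMPLE_DBX = build_list(EFI_CERT_SHA256_GUID, OWNER, [OLD_LOADER, hashlib.sha256(b"x").digest()])
SAMPLE_ESP = {"EFI/BOOT/BOOTX64.EFI": NEW_LOADER, "EFI/old/grubx64.efi": OLD_LOADER}

if __name__ == "__main__":
    hits = blocked_binaries(SAMPLE_ESP, parse_sha256_entries(SAMPLE_DBX))
    print("refuse update:" if hits else "safe to update:", hits)
```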