Secure Boot dbx update seems to be installed when it's not
When I install Fedora 38 Beta RC2 into a UEFI virtual machine and run GNOME Software -> Updates, I see "Secure Boot dbx Configuration Update" in an "Integrated Firmware" section, and it's shown as Installing. However, it's not installing. I can wait as long as I want, the "installation" never finishes. When I reboot the machine, the update is there again, this time in a proper state (there is a button called "Update", as expected).
It seems this only happens in the first boot after install, at least I saw it (several times) at the first boot. I don't know how to trigger the incorrect "Installing" label later.
The firmware update is this one:
$ fwupdmgr get-updates
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
QEMU Standard PC (Q35 + ICH9, 2009)
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 0
│ Minimum Version: 0
│ Vendor: UEFI:Linux Foundation
│ Install Duration: 1 second
│ GUIDs: bee4bd92-9eaf-5c40-98d7-089224651e6a ← UEFI\CRT_7F122FAB825041C2B0C67696BB151DB6F39FED7DF2D1104107F5B892B354EF5C
│ 2212b1e5-b49a-5f30-9717-ac9eb2330513 ← UEFI\CRT_7F122FAB825041C2B0C67696BB151DB6F39FED7DF2D1104107F5B892B354EF5C&ARCH_X64
│ c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│
├─Secure Boot dbx:
│ New version: 217
│ Remote ID: lvfs
│ Release ID: 15179
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 13.8 kB
│ Created: 2020-07-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Is upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
│ Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures.If the installation fails, you will need to update shim and grub packages before the update can be deployed.
│
│ Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly.You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.
│ Issues: 309662
│ CVE-2022-34303
│ CVE-2022-34302
│ CVE-2022-34301
│
├─Secure Boot dbx:
│ New version: 211
│ Remote ID: lvfs
│ Release ID: 15178
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 13.5 kB
│ Created: 2021-04-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Is upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
├─Secure Boot dbx:
│ New version: 190
│ Remote ID: lvfs
│ Release ID: 6104
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 14.4 kB
│ Created: 2020-07-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Is upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│ Issues: CVE-2020-7205
│ CVE-2020-15707
│ CVE-2020-15706
│ CVE-2020-15705
│ CVE-2020-14311
│ CVE-2020-14310
│ CVE-2020-14309
│ 174059
│ CVE-2020-14308
│ CVE-2020-10713
│
└─Secure Boot dbx:
New version: 77
Remote ID: lvfs
Release ID: 6101
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 7.1 kB
Created: 2016-08-09
Urgency: High
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Is upgrade
Description:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
What Linux distribution are you using, and what kind of package (RPM, deb, flatpak, etc.) are you experiencing the problem with?
Fedora 38 development
gnome-software-44~beta-2.fc38.x86_64
fwupd-1.8.10-1.fc38.x86_64
Please attach a log of the issue, by running the following commands, reproducing the issue, and then attaching gnome-software.log here:
pkill gnome-software
gnome-software --verbose &> gnome-software.log
I'll try to capture this if needed.
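An independent way to check whether a dbx update was really written, regardless of what the UI shows, is to parse the `dbx` EFI variable and count its SHA-256 entries. This is an added example, not part of the original report or of fwupd or GNOME Software; it assumes the version numbers in the output above (0, 77, 190, 211, 217) are dbx entry counts for this fwupd release, and the sample blob and owner GUID are constructed.

```python
import hashlib
import struct
import uuid

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
HEADER = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def parse_signature_lists(blob):
    """Yield (type, owner, data) for each entry of every EFI_SIGNATURE_LIST."""
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body = HEADER.size + hdr_size
        if list_size < body or off + list_size > len(blob) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        if (list_size - body) % sig_size:
            raise ValueError("list body is not a whole number of entries")
        sig_type = uuid.UUID(bytes_le=raw_type)
        for pos in range(off + body, off + list_size, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
        off += list_size

def sha256_entries(blob):
    """Hex digests of all SHA-256 revocation entries in a dbx blob."""
    return [data.hex() for sig_type, _, data in parse_signature_lists(blob)
            if sig_type == EFI_CERT_SHA256 and len(data) == 32]

def read_efivar(path):
    """efivarfs prefixes the variable data with 4 bytes of attributes."""
    with open(path, "rb") as f:
        return f.read()[4:]

# Constructed sample: one list holding two made-up digests, hypothetical owner.
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
_digests = [hashlib.sha256(b"sample-a").digest(), hashlib.sha256(b"sample-b").digest()]
_body = b"".join(SAMPLE_OWNER.bytes_le + d for d in _digests)
SAMPLE_DBX = HEADER.pack(EFI_CERT_SHA256.bytes_le, HEADER.size + len(_body), 0, 48) + _body

if __name__ == "__main__":
    print("sample blob:", len(sha256_entries(SAMPLE_DBX)), "SHA-256 entries")
    try:
        blob = read_efivar(DBX_PATH)
    except FileNotFoundError:
        blob = b""  # no dbx file: variable unset (or not a UEFI boot)
    print("this machine:", len(sha256_entries(blob)), "SHA-256 entries")
```

Running it before and after the reboot that applies the update shows whether the entry count actually changed.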