Failed Secure Boot dbx update
Firstly, please search to see if someone has already reported the same issue as you: https://gitlab.gnome.org/GNOME/gnome-software/-/issues/?state=all
Please describe the issue you’re experiencing:
I have Fedora Linux 38 (Workstation Edition) installed on an Intel_R_ Client Systems NUC8i7BEH with the current kernel version Linux 6.2.15-300.fc38.x86_64. Fedora Linux 38 was installed from scratch. After installing available updates the recurrent Secure Boot dbx update persists in gnome-software, despite several attempts at completing it.
A search for a possible solution led to issue #2112 (closed). I have followed the steps listed by @mcrha on #2112 (comment 1693606), with no success. The output of fwupdmgr get-updates is the following:
Intel(R) Client Systems NUC8i7BEH
│
└─UEFI dbx:
│ ID do dispositivo: 362301da643102b9f38477387e2193e57abaa590
│ Resumo: UEFI revocation database
│ Versão atual: 83
│ Versão mínima: 83
│ Fornecedor: UEFI:Linux Foundation
│ Duração de instalação:1 segundo
│ GUIDs: c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Opções do dispositivo:• Dispositivo interno
│ • Atualizável
│ • Suporte no servidor remoto
│ • Precisa de uma reinício após a instalação
│ • O dispositivo pode ser usado durante a atualização
│ • Apenas atualizações de versão são permitidas
│ • Signed Payload
│
├─Secure Boot dbx:
│ Nova versão: 220
│ ID remoto: lvfs
│ ID da versão: 28499
│ Resumo: UEFI Secure Boot Forbidden Signature Database
│ Variação: x64
│ Licença: Privativa
│ Tamanho: 13,9 kB
│ Criado: 2023-03-14
│ Urgência: Alta
│ Fornecedor: Linux Foundation
│ Duração: 1 segundo
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Descrição:
│ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and New Horizon Datasys Inc were added to the list of forbidden signatures due to discovered security problems. This updates the dbx to the latest release from Microsoft.
│
│ Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures.
│ Problema: CVE-2023-28005
│
├─Secure Boot dbx:
│ Nova versão: 217
│ ID remoto: lvfs
│ ID da versão: 15179
│ Resumo: UEFI Secure Boot Forbidden Signature Database
│ Variação: x64
│ Licença: Privativa
│ Tamanho: 13,8 kB
│ Criado: 2020-07-29
│ Urgência: Alta
│ Fornecedor: Linux Foundation
│ Duração: 1 segundo
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Descrição:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
│ Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures.If the installation fails, you will need to update shim and grub packages before the update can be deployed.
│
│ Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly.You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.
│ Problemas: 309662
│ CVE-2022-34303
│ CVE-2022-34302
│ CVE-2022-34301
│
├─Secure Boot dbx:
│ Nova versão: 211
│ ID remoto: lvfs
│ ID da versão: 15178
│ Resumo: UEFI Secure Boot Forbidden Signature Database
│ Variação: x64
│ Licença: Privativa
│ Tamanho: 13,5 kB
│ Criado: 2021-04-29
│ Urgência: Alta
│ Fornecedor: Linux Foundation
│ Duração: 1 segundo
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Descrição:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
└─Secure Boot dbx:
Nova versão: 190
ID remoto: lvfs
ID da versão: 6104
Resumo: UEFI Secure Boot Forbidden Signature Database
Variação: x64
Licença: Privativa
Tamanho: 14,4 kB
Criado: 2020-07-29
Urgência: Alta
Fornecedor: Linux Foundation
Duração: 1 segundo
Release Flags: • Trusted metadata
• Is upgrade
Descrição:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
Problemas: CVE-2020-7205
CVE-2020-15707
CVE-2020-15706
CVE-2020-15705
CVE-2020-14311
CVE-2020-14310
CVE-2020-14309
174059
CVE-2020-14308
CVE-2020-10713
What Linux distribution are you using, and what kind of package (RPM, deb, flatpak, etc.) are you experiencing the problem with?
Fedora Linux 38 (Workstation Edition) gnome-software 44.1
Please attach a log of the issue, by running the following commands, reproducing the issue, and then attaching gnome-software.log here:
gnome-software.log
pkill gnome-software
gnome-software --verbose &> gnome-software.log
If the problem is with the user interface, please attach a screenshot or video of it. Please attach the file directly rather than linking to an external hosting service, as external files are likely to be deleted after a while.
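The release descriptions quoted in the report say that boot binaries in the ESP are checked against the forbidden signatures before the dbx is updated. The following is an added example, not part of the original report and not fwupd's code: it parses the UEFI `EFI_SIGNATURE_LIST` layout that a dbx uses and reports which binaries have a listed digest. The sample dbx, the file names and the digests are constructed, and the helper names are hypothetical.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HDR = 28  # SignatureType (16) + three little-endian uint32 size fields

def sha256_entries(blob: bytes) -> set:
    """Hex SHA-256 digests in a run of concatenated EFI_SIGNATURE_LISTs."""
    found, off = set(), 0
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HDR + hdr_size or off + list_size > len(blob):
            raise ValueError("SignatureListSize out of bounds")
        body = blob[off + HDR + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 16 + 32:
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID plus the digest.
            for i in range(0, len(body), sig_size):
                found.add(body[i + 16:i + sig_size].hex())
        off += list_size
    return found

def blocked(binaries: dict, dbx: set) -> list:
    """Names of boot binaries whose Authenticode SHA-256 is listed in dbx."""
    return sorted(n for n, digest in binaries.items() if digest.lower() in dbx)

def make_list(sig_type, payloads):
    """Build one EFI_SIGNATURE_LIST (sample helper; owner GUID is all zeros)."""
    body = b"".join(bytes(16) + p for p in payloads)
    sizes = struct.pack("<III", HDR + len(body), 0, 16 + len(payloads[0]))
    return sig_type.bytes_le + sizes + body

# Constructed sample data: two fake revoked digests and a fake certificate blob.
BAD1 = hashlib.sha256(b"constructed revoked loader 1").digest()
BAD2 = hashlib.sha256(b"constructed revoked loader 2").digest()
SAMPLE_DBX = make_list(EFI_CERT_X509_GUID, [b"not-a-real-cert"]) + \
    make_list(EFI_CERT_SHA256_GUID, [BAD1, BAD2])
SAMPLE_ESP = {  # hypothetical file names mapped to Authenticode digests
    "old-loader.efi": BAD2.hex(),
    "current-loader.efi": hashlib.sha256(b"constructed current loader").hexdigest(),
}
```

On a running system the same bytes can be read from `/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` after skipping the first 4 bytes, which hold the variable attributes. The digests compared must be Authenticode (PE image) hashes, not plain file hashes.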