On Sat, 2023-04-08 at 21:32 -0400, Jeffrey Walton wrote:
On Sat, Apr 8, 2023 at 9:08 PM Jonathan Ryshpan <jonrysh@xxxxxxxxxxx> wrote:Discover, which I use for upgrades, reports problems with UEFI. There is an update, which Discover refuses to install. Discover reports this message:UEFI DBX : Version 217 : Released on 4/8/23UEFI Secure Boot Forbidden Signature DatabaseInsecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and New Horizon Datasys Inc were added to the list of forbidden signatures due to discovered security problems. This updates the dbx to the latest release from Microsoft.Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures....It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is it anything to worry about? Can anything be done to fix the issue? Is the issue likely to be fixed upstream?I don't use Discover. I use fwupdmgr directly. I have not seenfwupdmgr refuse to update a component (sans no UEFI). Here's therelevant piece of the script I run daily:if command -v fwupdmgr >/dev/null 2>&1 ; thenif fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; thenecho "Updating firmware"fwupdmgr refresh --force 1>/dev/null && \fwupdmgr update 1>/dev/nullfifiI also noticed the db was updated today.
Very interesting. After running by hand the parts of your script that test whether an update is necessary (It is.), I ran the actual update and got the following output. As you see, I replied "n"; would it be dangerous to try "Y"?
BTW: I've been seeing the error message for about a week.
$ fwupdmgr update
Devices with no available firmware updates:
• System Firmware
• WDC WD2005FBYZ-01YCBB2
• WDC WD20EFRX-68EUZN0
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 217 to 220? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and ║
║ New Horizon Datasys Inc were added to the list of forbidden signatures due ║
║ to discovered security problems. This updates the dbx to the latest release ║
║ from Microsoft. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures. ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: n
Request canceled
Devices with no available firmware updates:
• System Firmware
• WDC WD2005FBYZ-01YCBB2
• WDC WD20EFRX-68EUZN0
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 217 to 220? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and ║
║ New Horizon Datasys Inc were added to the list of forbidden signatures due ║
║ to discovered security problems. This updates the dbx to the latest release ║
║ from Microsoft. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures. ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: n
Request canceled
--
Sincerely Jonathan Ryshpan <jonrysh@xxxxxxxxxxx> Ever wonder why the SAME PEOPLE make up ALL the conspiracy theories?
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
