Discover, which I use for upgrades, reports problems with UEFI. There is an update, which Discover refuses to install. Discover reports this message:
UEFI DBX : Version 217 : Released on 4/8/23
UEFI Secure Boot Forbidden Signature Database
Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and New Horizon Datasys Inc were added to the list of forbidden signatures due to discovered security problems. This updates the dbx to the latest release from Microsoft. Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. ...
It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is it anything to worry about? Can anything be done to fix the issue? Is the issue likely to be fixed upstream?
System Info:
Operating System: Fedora Linux 37
KDE Plasma Version: 5.27.4
KDE Frameworks Version: 5.104.0
Qt Version: 5.15.8
Kernel Version: 6.2.9-200.fc37.x86_64 (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-4790K CPU @ 4.00GHz
Memory: 15.5 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 4600
Manufacturer: ASUS
Product Name: All Series
On Sat, Apr 8, 2023 at 9:08 PM Jonathan Ryshpan <jonrysh@pacbell.net> wrote:
> Discover, which I use for upgrades, reports problems with UEFI. There is an update, which Discover refuses to install. Discover reports this message:
> UEFI DBX : Version 217 : Released on 4/8/23
> UEFI Secure Boot Forbidden Signature Database
> Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and New Horizon Datasys Inc were added to the list of forbidden signatures due to discovered security problems. This updates the dbx to the latest release from Microsoft. Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. ...
> It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is it anything to worry about? Can anything be done to fix the issue? Is the issue likely to be fixed upstream?
> System Info:
> Operating System: Fedora Linux 37
> KDE Plasma Version: 5.27.4
> KDE Frameworks Version: 5.104.0
> Qt Version: 5.15.8
> Kernel Version: 6.2.9-200.fc37.x86_64 (64-bit)
> Graphics Platform: X11
> Processors: 8 × Intel® Core™ i7-4790K CPU @ 4.00GHz
> Memory: 15.5 GiB of RAM
> Graphics Processor: Mesa Intel® HD Graphics 4600
> Manufacturer: ASUS
> Product Name: All Series
> --
> Sincerely Jonathan Ryshpan jonrysh@pacbell.net
> Common sense is the collection of prejudices acquired by the age of eighteen. -- Einstein
I don't use Discover. I use fwupdmgr directly. I have not seen fwupdmgr refuse to update a component (sans no UEFI). Here's the relevant piece of the script I run daily:
if command -v fwupdmgr >/dev/null 2>&1 ; then
    if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
        echo "Updating firmware"
        fwupdmgr refresh --force 1>/dev/null && \
        fwupdmgr update 1>/dev/null
    fi
fi
I also noticed the db was updated today.
Jeff
On Sat, 2023-04-08 at 21:32 -0400, Jeffrey Walton wrote:
> On Sat, Apr 8, 2023 at 9:08 PM Jonathan Ryshpan <jonrysh@pacbell.net> wrote:
> > Discover, which I use for upgrades, reports problems with UEFI. There is an update, which Discover refuses to install. Discover reports this message:
> > UEFI DBX : Version 217 : Released on 4/8/23
> > UEFI Secure Boot Forbidden Signature Database
> > Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and New Horizon Datasys Inc were added to the list of forbidden signatures due to discovered security problems. This updates the dbx to the latest release from Microsoft. Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. ...
> > It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is it anything to worry about? Can anything be done to fix the issue? Is the issue likely to be fixed upstream?
> I don't use Discover. I use fwupdmgr directly. I have not seen fwupdmgr refuse to update a component (sans no UEFI). Here's the relevant piece of the script I run daily:
> if command -v fwupdmgr >/dev/null 2>&1 ; then
>     if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
>         echo "Updating firmware"
>         fwupdmgr refresh --force 1>/dev/null && \
>         fwupdmgr update 1>/dev/null
>     fi
> fi
> I also noticed the db was updated today.
Very interesting. After running by hand the parts of your script that test whether an update is necessary (It is.), I ran the actual update and got the following output. As you see, I replied "n"; would it be dangerous to try "Y"?
BTW: I've been seeing the error message for about a week.
$ fwupdmgr update
Devices with no available firmware updates:
 • System Firmware
 • WDC WD2005FBYZ-01YCBB2
 • WDC WD20EFRX-68EUZN0
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 217 to 220?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and  ║
║ New Horizon Datasys Inc were added to the list of forbidden signatures due   ║
║ to discovered security problems. This updates the dbx to the latest release  ║
║ from Microsoft.                                                              ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.                                        ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: n
Request canceled
On 4/8/23 19:09, Jonathan Ryshpan wrote:
> On Sat, 2023-04-08 at 21:32 -0400, Jeffrey Walton wrote:
> > On Sat, Apr 8, 2023 at 9:08 PM Jonathan Ryshpan <jonrysh@pacbell.net> wrote:
> > > Discover, which I use for upgrades, reports problems with UEFI. There is an update, which Discover refuses to install. Discover reports this message:
> > > UEFI DBX : Version 217 : Released on 4/8/23
> > > UEFI Secure Boot Forbidden Signature Database
> > > Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and New Horizon Datasys Inc were added to the list of forbidden signatures due to discovered security problems. This updates the dbx to the latest release from Microsoft. Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. ...
> > > It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is it anything to worry about? Can anything be done to fix the issue? Is the issue likely to be fixed upstream?
> > I don't use Discover. I use fwupdmgr directly. I have not seen fwupdmgr refuse to update a component (sans no UEFI). Here's the relevant piece of the script I run daily:
> > if command -v fwupdmgr >/dev/null 2>&1 ; then
> >     if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
> >         echo "Updating firmware"
> >         fwupdmgr refresh --force 1>/dev/null && \
> >         fwupdmgr update 1>/dev/null
> >     fi
> > fi
> > I also noticed the db was updated today.
> Very interesting. After running by hand the parts of your script that test whether an update is necessary (It is.), I ran the actual update and got the following output. As you see, I replied "n"; would it be dangerous to try "Y"?
That sounds quite safe. Do you even use any software from those companies? (Things that boot directly.)
> BTW: I've been seeing the error message for about a week.
What error message?
On Sat, 2023-04-08 at 20:03 -0700, Samuel Sieb wrote:
> > > > It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is it anything to worry about? Can anything be done to fix the issue? Is the issue likely to be fixed upstream?
> > > I don't use Discover. I use fwupdmgr directly. I have not seen fwupdmgr refuse to update a component (sans no UEFI). Here's the relevant piece of the script I run daily:
> > > if command -v fwupdmgr >/dev/null 2>&1 ; then
> > >     if fwupdmgr get-devices 2>&1 | grep -q -c 'UEFI ESRT device' ; then
> > >         echo "Updating firmware"
> > >         fwupdmgr refresh --force 1>/dev/null && \
> > >         fwupdmgr update 1>/dev/null
> > >     fi
> > > fi
> > > I also noticed the db was updated today.
> > Very interesting. After running by hand the parts of your script that test whether an update is necessary (It is.), I ran the actual update and got the following output. As you see, I replied "n"; would it be dangerous to try "Y"?
> That sounds quite safe. Do you even use any software from those companies? (Things that boot directly.)
One of them may be the author of my system's firmware. I don't know who wrote it.
> > BTW: I've been seeing the error message for about a week.
> What error message?
The following message. I should have written "warning" rather than "error".
$ fwupdmgr update
Devices with no available firmware updates:
 • System Firmware
 • WDC WD2005FBYZ-01YCBB2
 • WDC WD20EFRX-68EUZN0
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 217 to 220?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of software from Trend Micro, vmware, CPSD, Eurosoft, and  ║
║ New Horizon Datasys Inc were added to the list of forbidden signatures due   ║
║ to discovered security problems. This updates the dbx to the latest release  ║
║ from Microsoft.                                                              ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.                                        ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: n
Request canceled
On 4/8/23 20:29, Jonathan Ryshpan wrote:
> On Sat, 2023-04-08 at 20:03 -0700, Samuel Sieb wrote:
> > > > > It looks like there is a new version of the UEFI boot system, which can't be installed because of signature issues. Is this correct? Is
Now that I read back again, I see you misunderstood it. The message is that there's a dbx update to *block* those insecure software applications from running. It's not about not being able to update.
> > > > I also noticed the db was updated today.
> > > Very interesting. After running by hand the parts of your script that test whether an update is necessary (It is.), I ran the actual update and got the following output. As you see, I replied "n"; would it be dangerous to try "Y"?
> > That sounds quite safe. Do you even use any software from those companies? (Things that boot directly.)
> One of them may be the author of my system's firmware. I don't know who wrote it.
That has nothing to do with the firmware. It's referring to software that would be booting using UEFI. e.g. vmware for the bare metal hypervisor. Possibly virus scanners, I'm not sure what else would be involved.
> > > BTW: I've been seeing the error message for about a week.
> > What error message?
> The following message. I should have written "warning" rather than "error".
That's not even a warning, just a notification that there's an update available.
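Added example, not part of any message in this thread and not fwupd's own code: the dbx that this update extends is a chain of UEFI EFI_SIGNATURE_LIST records, and checking a boot binary against it comes down to looking its digest up in those records. The parser below follows the UEFI specification's layout; the function names, the sample blob and the digests are constructed for illustration, and real dbx hashes are Authenticode image digests, which this code takes as given rather than computes.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
HDR = 28  # type GUID (16) + list size, header size, signature size (3 x uint32)

def parse_dbx(blob, efivarfs=False):
    """Return the SHA-256 digests (hex) held in a chain of EFI_SIGNATURE_LISTs.
    efivarfs=True skips the 4-byte attribute word of /sys/firmware/efi/efivars files."""
    off, digests = (4 if efivarfs else 0), set()
    while off < len(blob):
        if len(blob) - off < HDR:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body_len = list_size - HDR - hdr_size
        if off + list_size > len(blob) or sig_size <= 16 or body_len < 0 \
                or body_len % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        start = off + HDR + hdr_size
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:
            # EFI_SIGNATURE_DATA = 16-byte owner GUID + 32-byte digest
            for i in range(start, start + body_len, sig_size):
                digests.add(blob[i + 16:i + sig_size].hex())
        off += list_size  # other list types (e.g. X.509) are skipped here
    return digests

def is_revoked(authenticode_sha256_hex, digests):
    """dbx hashes are Authenticode PE image digests, not plain file hashes."""
    return authenticode_sha256_hex.lower() in digests

def _siglist(sig_type, owner, payloads):  # builder for the constructed sample
    body = b"".join(owner.bytes_le + p for p in payloads)
    return (sig_type.bytes_le
            + struct.pack("<III", HDR + len(body), 0, 16 + len(payloads[0])) + body)

# Constructed sample: stand-in digests and a dummy certificate, not real dbx data.
OWNER = uuid.UUID(int=0)
REVOKED = hashlib.sha256(b"constructed revoked loader").hexdigest()
CURRENT = hashlib.sha256(b"constructed current loader").hexdigest()
SAMPLE_DBX = (b"\x27\x00\x00\x00"
              + _siglist(EFI_CERT_X509, OWNER, [b"\x30\x82" + bytes(10)])
              + _siglist(EFI_CERT_SHA256, OWNER, [bytes.fromhex(REVOKED), bytes(32)]))

if __name__ == "__main__":
    print(is_revoked(REVOKED, parse_dbx(SAMPLE_DBX, efivarfs=True)))
```
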