Help with this Invalid settings from fwupd

I have an Invalid setting from fwupd, ✘ UEFI db: Invalid, but I'm not sure how to fix it. A user on the Fedora Forum explained the meaning of this setting.

I installed my Tumbleweed three months ago. I thought that just enabling Secure Boot, setting passwords for the system and swap, and installing tpm2-tools was all, but with a recent fwupd update this feature shows as invalid.

When I installed the OS, I left it in this Secure Boot state.

My bootctl output:

$ bootctl
System:
      Firmware: UEFI 2.70 (American Megatrends 5.17)
 Firmware Arch: x64
   Secure Boot: enabled (deployed)
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 257.5+suse.8.gc10a66fb4d
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Multi-Profile UKIs are supported
               ✓ Boot loader set partition information
    Partition: /dev/disk/by-partuuid/8be37297-448b-4d46-8e7f-aaaf813f7168
       Loader: └─/EFI/systemd/grub.efi
Current Entry: opensuse-tumbleweed-6.14.5-1-default-1.conf
Default Entry: opensuse-tumbleweed-6.14.5-1-default-1.conf

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/8be37297-448b-4d46-8e7f-aaaf813f7168)
         File: ├─/EFI/systemd/MokManager.efi
               ├─/EFI/systemd/shim.efi
               ├─/EFI/systemd/grub.efi (systemd-boot 257.5+suse.8.gc10a66fb4d)
               ├─/EFI/systemd/fwupdx64.efi
               ├─/EFI/BOOT/MokManager.efi
               ├─/EFI/BOOT/fallback.efi
               └─/EFI/BOOT/BOOTX64.EFI

Boot Loaders Listed in EFI Variables:
        Title: openSUSE Boot Manager (systemd-boot)
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/8be37297-448b-4d46-8e7f-aaaf813f7168
         File: └─/EFI/systemd/shim.efi

        Title: Linux Firmware Updater
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/8be37297-448b-4d46-8e7f-aaaf813f7168
         File: └─/EFI/systemd/shim.efi

Boot Loader Entries:
        $BOOT: /boot/efi (/dev/disk/by-partuuid/8be37297-448b-4d46-8e7f-aaaf813f7168)
        token: opensuse-tumbleweed

Default Boot Loader Entry:
         type: Boot Loader Specification Type #1 (.conf)
        title: openSUSE Tumbleweed 20250508 (1@6.14.5-1-default)
           id: opensuse-tumbleweed-6.14.5-1-default-1.conf
       source: /boot/efi//loader/entries/opensuse-tumbleweed-6.14.5-1-default-1.conf (on the EFI System Partition)
     sort-key: opensuse-tumbleweed
      version: 1@6.14.5-1-default
        linux: /boot/efi//opensuse-tumbleweed/6.14.5-1-default/linux-a6c6ff2034bd25bd70f2b56ab04e638af44d5690
       initrd: /boot/efi//opensuse-tumbleweed/6.14.5-1-default/initrd-dcf61a3a3558a04d07b50639aa8e26851d98766e

I don't know what to do. I've read about it on the forum and on the internet, but this part about enrolling keys is completely abstract to me and I'm afraid I'll damage the system even more. I am the author of this issue, but I closed it as I saw it as my problem more than a fwupd issue.

Can anyone shed some light on what I should do? Thanks!

My Details:

Operating System: openSUSE Tumbleweed 20250509
KDE Plasma Version: 6.3.5
KDE Frameworks Version: 6.13.0
Qt Version: 6.9.0
Kernel Version: 6.14.5-1-default (64-bit)
Graphics Platform: Wayland
Processors: 8 × Intel® Core™ i7-10700 CPU @ 2.90GHz
Memory: 30.9 GiB of RAM
Graphics Processor: Intel® UHD Graphics 630
Manufacturer: Dell Inc.
Product Name: OptiPlex 5080

@woozy Hi, so as the root user, if you run fwupdmgr get-updates, does it show that the UEFI dbx is available to update? If so, then run fwupdmgr update; the system should say to reboot. Then on reboot, at the blue screen, follow the instructions to enroll, then enter the root password; should be good to go after that.


hi @woozy

Let’s fix the Secure Boot mode in your BIOS

Go to Security, then Secure Boot, then Secure Boot Mode, and select “Standard” (not Custom). Do not modify Expert Key Management or Custom Mode Key Management. Save and exit… Restart your PC, and in the terminal, check if you have Secure Boot enabled with this command:

sudo mokutil --sb-state

The output should show:

SecureBoot enabled


@yoman Hi, it looks like it's already enabled… Secure Boot: enabled (deployed). It's the database…

You should see something like:

fwupdmgr get-updates

Devices with no available firmware updates: 
 • KEK CA
 • Key Exchange Key
 • SPCC M.2 PCIe SSD
 • TPM
 • UEFI CA
 • UEFI DB
 • Windows Production PCA
Devices with the latest available firmware version:
 • System Firmware
 • UEFI dbx
No updates available

The above is a Dell Precision 5820 Tower, but had to do the same with OptiPlex XE3 and two OptiPlex 3080 Micro devices…


Hi malcolmlewis, thanks for your reply/help.
fwupdmgr refresh --force
fwupdmgr update
fwupdmgr get-updates

$ sudo fwupdmgr refresh --force
[sudo] password for root:
Updating lvfs
Downloading…             [************************************** ]
Successfully downloaded new metadata: Updates have been published for 2 of 14 local devices
$ sudo fwupdmgr update
Devices with the latest available firmware version:
 • System Firmware
 • UEFI dbx
Devices with no available firmware updates:
 • KEK CA
 • Key Exchange Key
 • PM981a NVMe Samsung 256GB
 • SBAT
 • TPM
 • UEFI CA
 • UEFI DB
 • UEFI Device Firmware
 • UEFI Device Firmware
 • WD40EZRX-00SPEB0
 • WD5000LPVX-80V0TT0
 • Windows Production PCA
$ sudo fwupdmgr get-updates
Devices with no available firmware updates:
 • KEK CA
 • Key Exchange Key
 • PM981a NVMe Samsung 256GB
 • SBAT
 • TPM
 • UEFI CA
 • UEFI DB
 • UEFI Device Firmware
 • UEFI Device Firmware
 • WD40EZRX-00SPEB0
 • WD5000LPVX-80V0TT0
 • Windows Production PCA
Devices with the latest available firmware version:
 • System Firmware
 • UEFI dbx
No updates available

I often use these three commands to see if there are updates. I've run them, but I don't have any new update.

I can't see a blue screen when I restart my system, only systemd-boot with a different kernel or snapshots.

Hello yoman, thanks for your reply and your suggestion.
I have had Secure Boot activated/enabled in the BIOS since my first installation.

I don't have Standard or Custom; these are the three Security settings in my BIOS.



Indeed, I have had it enabled since the first install and never changed this part. fwupdmgr get-updates shows what you said.

@yoman Does fwupdmgr get-devices show a Failed update?

Apparently not, if you were addressing me.

fwupdmgr get-devices
Dell Inc. OptiPlex 5080
│
├─Core™ i7-10700 CPU @ 2.90GHz:
│     Device ID:          4bde70ba4e39b28f9eab1628f9dd6e6244c03027
│     Current version:    0x00000100
│     Vendor:             Intel
│     GUIDs:              a45b0522-5722-54bd-b802-86cd044262df ← CPUID\PRO_0&FAM_06&MOD_A5
│                         538440cb-7cac-5185-bc01-d93a1e474058 ← CPUID\PRO_0&FAM_06&MOD_A5&STP_5
│     Device Flags:       • Internal device
│   
├─PM981a NVMe Samsung 256GB:
│     Device ID:          71b677ca0f1bc2c5b804fa1d59e52064ce589293
│     Summary:            NVM Express solid state drive
│     Current version:    15305029
│     Vendor:             Samsung (PCI:0x144D)
│     Serial Number:      S4GVNX0N509575
│     GUIDs:              47335265-a509-51f7-841e-1c94911af66b ← NVME\VEN_144D&DEV_A808
│                         c9d531ea-ee7d-5562-8def-c64d0d144813 ← NVME\VEN_144D&DEV_A808&SUBSYS_144DA801
│                         92129901-9091-586c-8986-cbd5e9d5523f ← STORAGE-DELL-108184
│                         4dd8e6a7-2e7f-884f-9879-73328600e2d3
│                         8d1cd1a6-8660-513c-924e-d0b630134d96 ← PM981a NVMe Samsung 256GB
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│                         • Signed Payload
│                         • Can tag for emulation
│   
├─SBAT:
│     Device ID:          6469856584e2f5873b2f148302e46c9313c7d054
│     Summary:            Generation number based revocation mechanism
│     Current version:    1.7.4
│     Vendor:             OS:opensuse-tumbleweed
│     GUID:               426635fe-5be5-5d39-aa7a-5bcfdc74822e ← UEFI\OS_opensuse-tumbleweed&VAR_SbatLevelRT
│     Device Flags:       • Updatable
│                         • Needs a reboot after installation
│                         • Signed Payload
│   
├─System Firmware:
│ │   Device ID:          3956d699b87ea6a7250cf559effb015f36f6307d
│ │   Summary:            UEFI System Resource Table device (updated via NVRAM)
│ │   Current version:    1.30.1
│ │   Minimum Version:    1.30.1
│ │   Vendor:             Dell (DMI:Dell Inc.)
│ │   Update State:       Success
│ │   GUID:               459b329f-c828-4000-b4af-73347b3bcd10
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Supported on remote server
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │   Device Requests:    • Message
│ │ 
│ ├─AMT [unprovisioned]:
│ │     Device ID:        8d5470e73fd9a31eaa460b2b6aea95483fe3f14c
│ │     Summary:          Hardware and firmware technology for remote out-of-band management
│ │     Current version:  14.1.75.2420
│ │     Bootloader Version: 14.1.75.2420
│ │     Vendor:           Intel Corporation (PCI:0x8086)
│ │     Device Flags:     • Internal device
│ │                       • Can tag for emulation
│ │   
│ ├─Platform Key:
│ │     Device ID:        6924110cde4fa051bfdc600a60620dc7aa9d3c6a
│ │     Summary:          UEFI Platform Key
│ │     Current version:  0
│ │     Vendor:           Dell
│ │     GUIDs:            8affd5b3-c498-5a17-84b5-29d2c5728e6f ← UEFI\VENDOR_Dell&NAME_Dell-Platform-Key
│ │                       ca4b602c-3c2f-5ccf-9757-ad471c465b41 ← UEFI\CRT_DB84CBBE71B3B1F045F98D4E3DA19F18F834A43A
│ │     Device Flags:     • Internal device
│ │                       • Cryptographic hash verification is available
│ │                       • Can tag for emulation
│ │   
│ ├─UEFI Signature Database:
│ │ │   Device ID:        0352a8acc949c7df21fec16e566ba9a74e797a97
│ │ │   Device Flags:     • Internal device
│ │ │ 
│ │ └─Windows Production PCA:
│ │       Device ID:      ad7e00ec37f005ae10492bdb7f73aef0d2e20488
│ │       Current version: 2011
│ │       Vendor:         Microsoft (UEFI:Microsoft)
│ │       GUIDs:          675d2184-6c9a-59f1-a6f1-3c229b5dbb79 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-Windows-Production-PCA
│ │                       0611d85d-99a4-5c50-8c17-fc5196226f85 ← UEFI\CRT_1A8B6903D64CC9AD09D12FCB355663A458A09EF0
│ │       Device Flags:   • Internal device
│ │                       • Updatable
│ │                       • Needs a reboot after installation
│ │                       • Signed Payload
│ │                       • Can tag for emulation
│ │     
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI revocation database
│       Current version:  20241101
│       Minimum Version:  20241101
│       Vendor:           UEFI:Microsoft
│       Install Duration: 1 second
│       GUIDs:            4a6cd2cb-8741-5257-9d1f-89a275dacca7 ← UEFI\CRT_E28D59CA489BD2AD580F2EA5D62D6A29BB9C02AE5A818434A37DA7FC11DFF9E9&ARCH_X64
│                         f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Cryptographic hash verification is available
│                         • Device is usable for the duration of the update
│                         • Only version upgrades are allowed
│                         • Signed Payload
│                         • Can tag for emulation
│     
├─TPM:
│     Device ID:          1d8d50a4dbc65618f5c399c2ae827b632b3ccc11
│     Current version:    7.2.2.0
│     Vendor:             Nuvoton Technology (TPM:NTC)
│     GUIDs:              fac1c8f3-73c8-5cd6-8330-07a3690b5140 ← TPM\VEN_NTC&DEV_0000
│                         e4a6bfd6-81ba-5d6a-bb28-84be07ee7a29 ← TPM\VEN_NTC&MOD_NPCT75x"!!4rls
│                         e9ccc1dc-960a-5e09-afe9-e59a904b776d ← TPM\VEN_NTC&DEV_0000&VER_2.0
│                         5a6b5ab6-c483-5eec-8a34-23a6d6d120bd ← TPM\VEN_NTC&MOD_NPCT75x"!!4rls&VER_2.0
│                         dfe506a8-2c5c-59b1-8009-2852161c08b5 ← 09a6-2.0
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device can recover flash failures
│                         • Full disk encryption secrets may be invalidated when updating
│                         • Signed Payload
│                         • Can tag for emulation
│   
├─UEFI Device Firmware:
│     Device ID:          bcb9e7b6f2d29fd470f490246c15e277a384c33a
│     Summary:            UEFI System Resource Table device (updated via NVRAM)
│     Current version:    256
│     Minimum Version:    256
│     Vendor:             DMI:Dell Inc.
│     Update State:       Success
│     GUID:               ffd6eef5-4372-4adc-8eeb-3dc0b7338375
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│     Device Requests:    • Message
│   
└─UEFI Device Firmware:
      Device ID:          343c72d5ebd53dca75e5c256dce492626478a4ac
      Summary:            UEFI System Resource Table device (updated via NVRAM)
      Current version:    355487785
      Minimum Version:    355487785
      Vendor:             DMI:Dell Inc.
      Update State:       Success
      GUID:               4dd8e6a7-2e7f-884f-9879-73328600e2d3
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Needs a reboot after installation
                          • Device is usable for the duration of the update
      Device Requests:    • Message

@woozy oops, my bad, it was… When was the BIOS last updated? You might want to check. If there is one, you can copy the exe file onto a vfat-formatted USB device; at boot, tap the F12 key until the one-time boot menu loads, then select the BIOS flash, browse to the exe file, select, open, etc. to update it.

Else it may be fwupd that has an issue reporting the details wrong.

I updated the BIOS just yesterday, as requested by fwupdmgr update.
I went to F12, checked a few settings, and I'm showing you with photos.

It seems there isn’t anything to see here?

Someone else opened a new Issue. I’m following it closely here too.

Thank you for posting.

Unless you show the complete command and its output it is rather difficult to guess.

By the complete command, do you mean --verbose?

$ fwupdmgr security -v
(fwupdmgr:9642): GLib-GIO-DEBUG: 10:12:37.589: _g_io_module_get_default: Found default implementation local (GLocalVfs) for ‘gio-vfs’
(fwupdmgr:9642): GLib-GIO-DEBUG: 10:12:37.589: _g_io_module_get_default: Found default implementation keyfile (GKeyfileSettingsBackend) for ‘gsettings-backend’
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589: px_config_kde_set_config_file: Could not read file /home/user/.config/kioslaverc
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589: px_config_kde_set_config_file: Could not read file /home/user/.config/kioslaverc
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589: Active config plugins:
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589:  - config-env
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589:  - config-xdp
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589:  - config-kde
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589:  - config-gnome
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.589:  - config-sysconfig
(fwupdmgr:9642): GLib-GIO-DEBUG: 10:12:37.590: Failed to initialize portal (GNetworkMonitorPortal) for gio-network-monitor: Not using portals
(fwupdmgr:9642): GLib-GIO-DEBUG: 10:12:37.591: _g_io_module_get_default: Found default implementation networkmanager (GNetworkMonitorNM) for ‘gio-network-monitor’
(fwupdmgr:9642): pxbackend-DEBUG: 10:12:37.591: px_manager_constructed: Up and running
(fwupdmgr:9642): GLib-GIO-DEBUG: 10:12:37.591: _g_io_module_get_default: Found default implementation libproxy (GLibproxyResolver) for ‘gio-proxy-resolver’
(fwupdmgr:9642): Fwupd-DEBUG: 10:12:38.884: Emitting ::status-changed() [idle]
Host Security ID: HSI:2! (v2.0.9)

HSI-1
✔ BIOS firmware updates:         Enabled
✔ MEI key manifest:              Valid
✔ csme manufacturing mode:       Locked
✔ csme override:                 Locked
✔ csme v0:14.1.75.2420:          Valid
✔ Platform debugging:            Disabled
✔ SPI write:                     Disabled
✔ SPI lock:                      Enabled
✔ SPI BIOS region:               Locked
✔ Supported CPU:                 Valid
✔ TPM empty PCRs:                Valid
✔ TPM v2.0:                      Found
✔ UEFI bootservice variables:    Locked
✔ UEFI platform key:             Valid
✔ UEFI secure boot:              Enabled

HSI-2
✔ BIOS rollback protection:      Enabled
✔ Intel BootGuard ACM protected: Valid
✔ Intel BootGuard:               Enabled
✔ Intel BootGuard OTP fuse:      Valid
✔ Intel BootGuard verified boot: Valid
✔ Intel GDS mitigation:          Enabled
✔ IOMMU:                         Enabled
✔ Platform debugging:            Locked
✔ TPM PCR0 reconstruction:       Valid

HSI-3
✔ Intel BootGuard error policy:  Valid
✔ Pre-boot DMA protection:       Enabled
✔ Suspend-to-ram:                Disabled
✘ CET Platform:                  Not supported
✘ Suspend-to-idle:               Disabled

HSI-4
✔ SMAP:                          Enabled
✘ Encrypted RAM:                 Not supported

Runtime Suffix -!
✔ fwupd plugins:                 Untainted
✔ Linux kernel lockdown:         Enabled
✔ Linux swap:                    Encrypted
✔ Linux kernel:                  Untainted
✘ UEFI db:                       Invalid

This system has HSI runtime issues.
 » https://fwupd.github.io/hsi.html#hsi-runtime-suffix

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.Mei.KeyManifest
  Created:              2025-05-11
  HsiLevel:             1
  HsiResult:            valid
  Flags:                success
  Name:                 MEI key manifest
  Summary:              MEI Key Manifest
  Description:          The Intel Management Engine Key Manifest must be valid so that the device firmware can be trusted by the CPU.
  Plugin:               intel_mchi
  Version:              1.8.7
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Mei.KeyManifest
  Guid:                 459b329f-c828-4000-b4af-73347b3bcd10

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.Uefi.Db
  Created:              2025-04-15
  HsiResult:            not-valid
  Flags:                runtime-issue|action-config-fw
  Name:                 UEFI db
  Summary:              UEFI db
  Description:          The UEFI db contains the list of valid certificates that can be used to authorize what EFI binaries are allowed to run.
  Plugin:               uefi_db
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Uefi.Db

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.Kernel.Swap
  Created:              2025-04-07
  HsiResult:            encrypted
  HsiResultFallback:    not-enabled
  Flags:                success|runtime-issue
  Name:                 Linux swap
  Summary:              Linux Swap
  Description:          Linux Kernel Swap temporarily saves information to disk as you work. If the information is not protected, it could be accessed by someone if they obtained the disk.
  Plugin:               linux_swap
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Kernel.Swap

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.Kernel.Swap
  Created:              2025-02-15
  HsiResult:            not-enabled
  HsiResultFallback:    encrypted
  Flags:                success|runtime-issue
  Name:                 Linux swap
  Summary:              Linux Swap
  Description:          Linux Kernel Swap temporarily saves information to disk as you work. If the information is not protected, it could be accessed by someone if they obtained the disk.
  Plugin:               linux_swap
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.Kernel.Swap

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.IntelGds
  Created:              2025-02-15
  HsiLevel:             2
  HsiResult:            enabled
  Flags:                success
  Name:                 Intel GDS mitigation
  Summary:              Intel GDS Mitigation
  Description:          CPU Microcode must be updated to mitigate against various information-disclosure security issues.
  Plugin:               msr
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.IntelGds
  Guid:                 a45b0522-5722-54bd-b802-86cd044262df
  Guid:                 538440cb-7cac-5185-bc01-d93a1e474058

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.PlatformDebugEnabled
  Created:              2025-02-14
  HsiLevel:             1
  HsiResult:            not-enabled
  HsiResultFallback:    not-supported
  Flags:                success
  Name:                 Platform debugging
  Summary:              Platform Debugging
  Description:          Platform Debugging allows device security features to be disabled. This should only be used by hardware manufacturers.
  Plugin:               msr
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.PlatformDebugEnabled

FuMain-INFO: 10:12:38.891: FwupdSecurityAttr:
  AppstreamId:          org.fwupd.hsi.PlatformDebugLocked
  Created:              2025-02-14
  HsiLevel:             2
  HsiResult:            locked
  HsiResultFallback:    not-supported
  Flags:                success
  Name:                 Platform debugging
  Summary:              Platform Debugging
  Description:          Platform Debugging allows device security features to be disabled. This should only be used by hardware manufacturers.
  Plugin:               msr
  Uri:                  https://fwupd.github.io/libfwupdplugin/hsi.html#org.fwupd.hsi.PlatformDebugLocked

Host Security Events
  2025-04-07 15:44:48:  ✔ Linux swap changed: Disabled → Encrypted
  2025-02-15 07:28:31:  ✔ Linux swap changed: Encrypted → Disabled
  2025-02-14 22:20:50:  ✔ Platform debugging changed: Not supported → Disabled
  2025-02-14 22:20:50:  ✔ Platform debugging changed: Not supported → Locked

Upload these anonymous results to the Linux Vendor Firmware Service to help other users? [y|N]:

Well, if you look at the URL it displays (FwupdPlugin – 1.0: Host Security ID Specification), you will see:

not-valid: the certificate store is not up to date (failure)

Show:

mokutil --db

Just saw the reply from fwupd #8787

mokutil output:

mokutil --db
[key 1]
Owner: 70564dce-9afc-4ee3-85fc-949649d7e45c
SHA1 Fingerprint: 15:25:4b:19:9b:df:c1:4f:e1:2f:6b:1a:b1:e6:f5:e7:b8:3d:6c:8b
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            34:e4:c5:11:d0:dc:09:ae:4d:9c:ec:51:5b:17:b1:f7
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. Key Exchange Key
        Validity
            Not Before: Jun  3 14:26:06 2016 GMT
            Not After : Jun  3 14:36:05 2018 GMT
        Subject: C=US, ST=Texas, L=Round Rock, O=Dell Inc., CN=Dell Inc. UEFI DB
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                Code Signing
            X509v3 Authority Key Identifier: 
                07:07:F4:95:10:D4:D7:7B:CF:DD:98:63:B5:FE:3C:60:72:A0:EA:72
            X509v3 Subject Key Identifier: 
                5D:DB:77:2D:C8:80:66:00:55:BA:0B:C1:31:88:6B:B6:30:A6:39:E7
    Signature Algorithm: sha256WithRSAEncryption

[key 2]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:08:d3:c4:00:00:00:00:00:04
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation Third Party Marketplace Root
        Validity
            Not Before: Jun 27 21:22:45 2011 GMT
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1: 
                .....
            1.3.6.1.4.1.311.21.2: 
                ....k..wSJ.%7.N.&{. p.
            X509v3 Subject Key Identifier: 
                13:AD:BF:43:09:BD:82:70:9C:8C:D5:4F:31:6E:D5:22:98:8A:1B:D4
            1.3.6.1.4.1.311.20.2: 
                .
.S.u.b.C.A
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                45:66:52:43:E1:7E:58:11:BF:D6:4E:9E:23:55:08:3B:3A:22:6A:A8
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl

            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt
    Signature Algorithm: sha256WithRSAEncryption

[key 3]
Owner: 77fa9abd-0359-4d32-bd60-28f4e78f784b
SHA1 Fingerprint: 58:0a:6f:4c:c4:e4:b6:69:b9:eb:dc:1b:2b:3e:08:7b:80:d0:67:8d
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:07:76:56:00:00:00:00:00:08
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Root Certificate Authority 2010
        Validity
            Not Before: Oct 19 18:41:42 2011 GMT
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dd:0c:bb:a2:e4:2e:09:e3:e7:c5:f7:96:69:bc:
                    00:21:bd:69:33:33:ef:ad:04:cb:54:80:ee:06:83:
                    bb:c5:20:84:d9:f7:d2:8b:f3:38:b0:ab:a4:ad:2d:
                    7c:62:79:05:ff:e3:4a:3f:04:35:20:70:e3:c4:e7:
                    6b:e0:9c:c0:36:75:e9:8a:31:dd:8d:70:e5:dc:37:
                    b5:74:46:96:28:5b:87:60:23:2c:bf:dc:47:a5:67:
                    f7:51:27:9e:72:eb:07:a6:c9:b9:1e:3b:53:35:7c:
                    e5:d3:ec:27:b9:87:1c:fe:b9:c9:23:09:6f:a8:46:
                    91:c1:6e:96:3c:41:d3:cb:a3:3f:5d:02:6a:4d:ec:
                    69:1f:25:28:5c:36:ff:fd:43:15:0a:94:e0:19:b4:
                    cf:df:c2:12:e2:c2:5b:27:ee:27:78:30:8b:5b:2a:
                    09:6b:22:89:53:60:16:2c:c0:68:1d:53:ba:ec:49:
                    f3:9d:61:8c:85:68:09:73:44:5d:7d:a2:54:2b:dd:
                    79:f7:15:cf:35:5d:6c:1c:2b:5c:ce:bc:9c:23:8b:
                    6f:6e:b5:26:d9:36:13:c3:4f:d6:27:ae:b9:32:3b:
                    41:92:2c:e1:c7:cd:77:e8:aa:54:4e:f7:5c:0b:04:
                    87:65:b4:43:18:a8:b2:e0:6d:19:77:ec:5a:24:fa:
                    48:03
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1: 
                ...
            X509v3 Subject Key Identifier: 
                A9:29:02:39:8E:16:C4:97:78:CD:90:F9:9E:4F:9A:E1:7C:55:AF:53
            1.3.6.1.4.1.311.20.2: 
                .
.S.u.b.C.A
            X509v3 Key Usage: 
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier: 
                D5:F6:56:CB:8F:E8:A2:5C:62:68:D1:3D:94:90:5B:D7:CE:9A:18:C4
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl

            Authority Information Access: 
                CA Issuers - URI:http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        14:fc:7c:71:51:a5:79:c2:6e:b2:ef:39:3e:bc:3c:52:0f:6e:
        2b:3f:10:13:73:fe:a8:68:d0:48:a6:34:4d:8a:96:05:26:ee:
        31:46:90:61:79:d6:ff:38:2e:45:6b:f4:c0:e5:28:b8:da:1d:
        8f:8a:db:09:d7:1a:c7:4c:0a:36:66:6a:8c:ec:1b:d7:04:90:
        a8:18:17:a4:9b:b9:e2:40:32:36:76:c4:c1:5a:c6:bf:e4:04:
        c0:ea:16:d3:ac:c3:68:ef:62:ac:dd:54:6c:50:30:58:a6:eb:
        7c:fe:94:a7:4e:8e:f4:ec:7c:86:73:57:c2:52:21:73:34:5a:
        f3:a3:8a:56:c8:04:da:07:09:ed:f8:8b:e3:ce:f4:7e:8e:ae:
        f0:f6:0b:8a:08:fb:3f:c9:1d:72:7f:53:b8:eb:be:63:e0:e3:
        3d:31:65:b0:81:e5:f2:ac:cd:16:a4:9f:3d:a8:b1:9b:c2:42:
        d0:90:84:5f:54:1d:ff:89:ea:ba:1d:47:90:6f:b0:73:4e:41:
        9f:40:9f:5f:e5:a1:2a:b2:11:91:73:8a:21:28:f0:ce:de:73:
        39:5f:3e:ab:5c:60:ec:df:03:10:a8:d3:09:e9:f4:f6:96:85:
        b6:7f:51:88:66:47:19:8d:a2:b0:12:3d:81:2a:68:05:77:bb:
        91:4c:62:7b:b6:c1:07:c7:ba:7a:87:34:03:0e:4b:62:7a:99:
        e9:ca:fc:ce:4a:37:c9:2d:a4:57:7c:1c:fe:3d:dc:b8:0f:5a:
        fa:d6:c4:b3:02:85:02:3a:ea:b3:d9:6e:e4:69:21:37:de:81:
        d1:f6:75:19:05:67:d3:93:57:5e:29:1b:39:c8:ee:2d:e1:cd:
        e4:45:73:5b:d0:d2:ce:7a:ab:16:19:82:46:58:d0:5e:9d:81:
        b3:67:af:6c:35:f2:bc:e5:3f:24:e2:35:a2:0a:75:06:f6:18:
        56:99:d4:78:2c:d1:05:1b:eb:d0:88:01:9d:aa:10:f1:05:df:
        ba:7e:2c:63:b7:06:9b:23:21:c4:f9:78:6c:e2:58:17:06:36:
        2b:91:12:03:cc:a4:d9:f2:2d:ba:f9:94:9d:40:ed:18:45:f1:
        ce:8a:5c:6b:3e:ab:03:d3:70:18:2a:0a:6a:e0:5f:47:d1:d5:
        63:0a:32:f2:af:d7:36:1f:2a:70:5a:e5:42:59:08:71:4b:57:
        ba:7e:83:81:f0:21:3c:f4:1c:c1:c5:b9:90:93:0e:88:45:93:
        86:e9:b1:20:99:be:98:cb:c5:95:a4:5d:62:d6:a0:63:08:20:
        bd:75:10:77:7d:3d:f3:45:b9:9f:97:9f:cb:57:80:6f:33:a9:
        04:cf:77:a4:62:1c:59:7e

According to the link:
On the 11th September 2025 a certificate used for signing boot media will expire. Microsoft will not sign updated boot media with the old key, and that at least one major OEM is not going to be shipping the expired key on new hardware. This means that existing install media may not boot on some new laptop, desktop and server devices, and that future updates to boot packages may not boot on old hardware.

Microsoft is shipping fixes for select OEMs using Windows Updates automatically. The workaround for Linux is to manually disable secure boot which would be unpopular with anyone that cares about security. Using fwupd is a way that can distribute the updated certificates in Linux.

My Dell OptiPlex 5080 from 2020 is considered old hardware and has entered legacy mode. I just have openSUSE as a single user. If I can delete anything that has to do with Windows, I’m ready, since I have no business with that system, real or virtual.

This thing is beyond my preparation, so please guide me on how to proceed without breaking the system or existing opensuse data on my PC.

It has nothing to do with Windows. The current SUSE shim is signed by the old key. Period. There is no way to add a certificate - only the OEM or Microsoft can normally do it.

The signed db updates are available and right now they are signed by the old Microsoft key, so they can be installed on the old systems. But doing it will render your system unbootable with Secure Boot enabled until SUSE provides a new shim signed by the new key. But the new shim will not be bootable until you update db. Catch 22.

Yes, this will be fun.


Thanks for the explanation. What a salty situation this is.

This desktop is from 2020, the warranty has expired, but it still receives official security updates. I don’t think it’s old enough to be sent for scrap?

What other solutions do I have on the table?

Buy a new PC without an operating system or Microsoft firmware traces if possible?

Installing openSUSE from scratch, with the changes I need to make in the BIOS, with personal keys or something?

@woozy in the Linux world some would consider the hardware new… I don’t use secure boot on a number of desktop systems, it’s not like they are going anywhere…

I would use your system and enjoy openSUSE…

I run Aeon on a Dell OptiPlex 3080 Micro.

OK, thanks for your advice, pals. I’ll see how this goes over time, and maybe I’ll turn off Secure Boot when it gets stuck after the fall of this year.

@woozy AFAIK if the first two pass for a home setup you should be fine. Secure Boot will keep working… needed, meh… It’s on for Aeon, but not needed as I use TPM 2.0 for measured boot… Perhaps look at that instead of Secure Boot, @arvidjaar may have thoughts…

As an aside can you show the output from cat /proc/cmdline?

So at least it’s good info if it continues to function properly without getting stuck somewhere, thanks to the openSUSE mechanism, and hopefully I’ve done some homework.

TPM 2.0: I have it enabled in the BIOS.
When I installed the OS I had this feature activated like this.

$ cat /proc/cmdline
initrd=\opensuse-tumbleweed\6.14.6-1-default\initrd-7dbdeda0fcc16ace62c3c061e6346cb81ad9ec33 root=/dev/mapper/cr_root splash=silent quiet intel_iommu=on mmio_stale_data=full,nosmt security=selinux selinux=1 enforcing=1 mitigations=auto rootflags=subvol=@/.snapshots/1/snapshot systemd.machine_id=36c21dda967847a69b1f9ddc4badaba2

I stand corrected. It is exactly the opposite - there is no way to replace the existing db list without reinitializing the Secure Boot state, but appending is possible. Microsoft makes the new certificates available on GitHub (microsoft/secureboot_objects: Secure boot objects recommended by Microsoft), so as an example:

10:~ # mokutil --sb-state
SecureBoot enabled
10:~ # mokutil --db | grep -E 'Subject:|Not After :'
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
10:~ # curl -LO https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/PostSignedObjects/Optional/DB/amd64/DBUpdate2024.bin
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  4832  100  4832    0     0   6076      0 --:--:-- --:--:-- --:--:--  6076
10:~ # chattr -i /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
10:~ # efivar -n d719b2cb-3d3a-4596-a3bc-dad00e67656f-db -a -f DBUpdate2024.bin -A 0x27
10:~ # mokutil --db | grep -E 'Subject:|Not After :'
            Not After : Oct 19 18:51:42 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Windows Production PCA 2011
            Not After : Jun 27 21:32:45 2026 GMT
        Subject: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation UEFI CA 2011
            Not After : Jun 13 19:08:29 2035 GMT
        Subject: C=US, O=Microsoft Corporation, CN=Windows UEFI CA 2023
10:~ # 

It makes sense to do it in advance to avoid risk of failing signature check due to expired certificate (although this update itself is signed by the expired certificate and still passes verification …).

Oh, and replacing db fails.

10:~ # efivar -n d719b2cb-3d3a-4596-a3bc-dad00e67656f-db -w -f DBUpdate2024.bin -A 0x27
efivar: Permission denied
10:~ # 

KEK is likely more challenging. KEK must be signed by the PK; Microsoft makes some KEK updates available on the mentioned site, but as an example, for Dell none is signed by the PK I have on my Latitude E5450:

bor@bor-Latitude-E5450:~/tmp$ mokutil --pk
[key 1]
SHA1 Fingerprint: 07:62:69:3d:f9:68:08:46:0e:d8:ec:b8:69:a0:2a:e2:87:ea:4f:d9
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1323793210 (0x4ee77b3a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=com, DC=dell, CN=Configuration, CN=Services, CN=Public Key Services, CN=AIA, CN=Dell Inc. Issuing CA 1
        Validity
            Not Before: Jul 17 00:51:45 2012 GMT
            Not After : Jul 17 01:21:45 2014 GMT
        Subject: DC=com, DC=dell, OU=1, OU=Signing, CN=Dell Inc. UEFI Platform Key
...

It may be possible that the BIOS offers some way to import certificates ignoring signatures.
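To see what a blob like DBUpdate2024.bin actually asks the firmware to do before handing it to efivar, here is an added Python example written for this thread (it is not code from efivar, mokutil or the microsoft/secureboot_objects project). It parses the EFI_VARIABLE_AUTHENTICATION_2 header (signing timestamp and PKCS7 signature length), walks the EFI_SIGNATURE_LISTs that follow, and decodes the attribute mask used with `-A`. The GUIDs and structure layouts come from the UEFI specification; the Microsoft SignatureOwner GUID is the one shown in the `mokutil --db` output above. The sample blob it builds when run without arguments is constructed, with placeholder bytes standing in for the certificate and the PKCS7 signature, and its timestamp is made up. The 0x40 APPEND_WRITE bit is what efivar's `-a` flag adds on top of the `-A 0x27` mask.

```python
"""Inspect a UEFI db/KEK update blob (e.g. DBUpdate2024.bin) before writing it with efivar.
Added example for this thread; structures follow the UEFI specification."""
import hashlib
import struct
import sys
import uuid

# GUIDs defined by the UEFI specification.
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SIG_TYPE_NAMES = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
# SignatureOwner of the Microsoft entries in the thread's mokutil --db output.
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")

# EFI variable attribute bits: 0x27 = NV|BS|RT|TIME_BASED_AUTH; efivar -a adds APPEND_WRITE (0x40).
ATTR_BITS = {0x01: "NON_VOLATILE", 0x02: "BOOTSERVICE_ACCESS", 0x04: "RUNTIME_ACCESS",
             0x08: "HARDWARE_ERROR_RECORD", 0x10: "AUTHENTICATED_WRITE_ACCESS",
             0x20: "TIME_BASED_AUTHENTICATED_WRITE_ACCESS", 0x40: "APPEND_WRITE"}


def decode_attributes(mask):
    """Names of the attribute bits set in an efivar -A mask, lowest bit first."""
    return [name for bit, name in sorted(ATTR_BITS.items()) if mask & bit]


def parse_auth2_header(blob):
    """Split an EFI_VARIABLE_AUTHENTICATION_2 blob into (timestamp, pkcs7, payload)."""
    if len(blob) < 40:
        raise ValueError("blob too short for EFI_VARIABLE_AUTHENTICATION_2")
    year, month, day, hour, minute, second = struct.unpack_from("<HBBBBB", blob, 0)  # EFI_TIME
    # WIN_CERTIFICATE_UEFI_GUID: dwLength covers header (8) + CertType GUID (16) + CertData.
    dw_length, revision, cert_kind = struct.unpack_from("<IHH", blob, 16)
    cert_type = uuid.UUID(bytes_le=bytes(blob[24:40]))
    if revision != 0x0200 or cert_kind != 0x0EF1 or cert_type != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS7-signed WIN_CERTIFICATE_UEFI_GUID")
    if dw_length < 24 or 16 + dw_length > len(blob):
        raise ValueError("WIN_CERTIFICATE length out of range")
    timestamp = f"{year:04d}-{month:02d}-{day:02d}T{hour:02d}:{minute:02d}:{second:02d}Z"
    return timestamp, bytes(blob[40:16 + dw_length]), bytes(blob[16 + dw_length:])


def parse_signature_lists(data):
    """Walk consecutive EFI_SIGNATURE_LISTs; each entry is (SignatureOwner, SignatureData)."""
    lists, off = [], 0
    while off < len(data):
        if len(data) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=bytes(data[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        body_len = list_size - 28 - hdr_size
        if body_len < 0 or off + list_size > len(data) or sig_size < 16 or body_len % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        entries, pos = [], off + 28 + hdr_size
        while pos < off + list_size:
            owner = uuid.UUID(bytes_le=bytes(data[pos:pos + 16]))
            entries.append((owner, bytes(data[pos + 16:pos + sig_size])))
            pos += sig_size
        lists.append({"type": SIG_TYPE_NAMES.get(sig_type, str(sig_type)), "entries": entries})
        off += list_size
    return lists


def summarize_update(blob):
    """When the update was signed, how large its PKCS7 signature is, and what it appends."""
    timestamp, pkcs7, payload = parse_auth2_header(blob)
    return {"timestamp": timestamp, "pkcs7_len": len(pkcs7), "lists": parse_signature_lists(payload)}


# --- constructed sample so the example runs offline; not a real Microsoft blob ---
def build_signature_list(sig_type, owner, datas):
    sig_size = 16 + len(datas[0])  # every entry in one list has the same size
    body = b"".join(owner.bytes_le + d for d in datas)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


def build_auth2_blob(pkcs7, payload, when=(2024, 6, 13, 19, 8, 29)):
    efi_time = struct.pack("<HBBBBBBIhBB", *when, 0, 0, 0, 0, 0)  # Pad1, Nanosecond, TimeZone, Daylight, Pad2
    win_cert = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, 0x0EF1) + EFI_CERT_TYPE_PKCS7_GUID.bytes_le
    return efi_time + win_cert + pkcs7 + payload


SAMPLE_PKCS7 = b"\x30\x82\x00\x10" + b"\xaa" * 16     # placeholder bytes, not a real signature
SAMPLE_CERT_DER = b"\x30\x82\x00\x20" + b"\xbb" * 32  # placeholder bytes, not a real certificate


def build_sample_update():
    x509 = build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER, [SAMPLE_CERT_DER])
    hashes = [hashlib.sha256(b"constructed-sample-%d" % i).digest() for i in (1, 2)]
    sha256 = build_signature_list(EFI_CERT_SHA256_GUID, MICROSOFT_OWNER, hashes)
    return build_auth2_blob(SAMPLE_PKCS7, x509 + sha256)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_update()
    info = summarize_update(blob)
    print("signed at:", info["timestamp"], " PKCS7 bytes:", info["pkcs7_len"])
    for lst in info["lists"]:
        for owner, data in lst["entries"]:
            print(f"  {lst['type']:6s} owner={owner} size={len(data)}")
    print("efivar -A 0x27 means:", ", ".join(decode_attributes(0x27)))
```

Run it as `python3 inspect_update.py DBUpdate2024.bin` against the downloaded file, or with no argument for the constructed sample. The append-versus-replace behaviour in the post follows from what the signature covers: for a time-based authenticated variable the PKCS7 signature is computed over the variable name, vendor GUID, attributes, timestamp and new content, so a blob signed for an append does not verify when written as a replacement, which is one likely reading of the `Permission denied` above. Comparing the parsed entries with `mokutil --db` before writing, and knowing that the BIOS Secure Boot switch remains the fallback, is the conservative order of operations.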