On my laptop, with Tumbleweed, Discover does not update UEFI (list of revoked certificates) via LVFS. There are no error messages; "Update All" was simply disabled and was enabled again almost immediately.
I’m going to guess that if you run (as root):
fwupdmgr update
You’ll see something like this:
# fwupdmgr update
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 371 to 20241101?                                       ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ An insecure version of Howyar's SysReturn software was added, due to a       ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: Y
Writing… [ ]
failed to write-firmware: failed to write data to efivarsfs: Error writing to file descriptor: No space left on device
If that’s the case, then you need to go into your EFI BIOS and reset the certificate database to the default. You probably will want to disable secure boot while doing this (just in case a signed module’s certificate isn’t in the stock database on your system).
How you do that will depend on the BIOS - you’ll need to check the manufacturer’s documentation.
Once that’s done, you should be able to run the fwupdmgr command again.
Thanks. Error message was different:
Verifying… [ ]
failed to write-firmware: Blocked executable in the ESP, ensure grub and shim are up to date: failed to load /boot/efi/EFI/Boot/Shell.efi: failed to read section 0x2: invalid section name
I tested whether Shell exists, and Shell.efi does exist.
Sounds like a problem with the file itself; my setup looks different (that file doesn’t appear to exist), so hopefully someone else with a similar setup can provide some guidance here.
I recall that I probably installed the EFI Shell, but I am not 100% sure. I remember that to start the EFI Shell I had to disable Secure Boot. So I will try to remove this file. Maybe it does not contain a section with a digital signature?
Really? I wonder…
Yes. My motherboard does not have an EFI Shell, and it allows one to do malicious stuff, so disabling Secure Boot was probably necessary. I moved this file to a different location and now everything works.
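Added example (not part of the thread and not fwupd's own code): a small Python check for the question raised above, listing a PE/EFI binary's section names and whether it carries a certificate table at all. The section-name sanity rule and the `build_sample` helper are assumptions for illustration; fwupd's parser may apply different rules.

```python
import struct

def inspect_pe(data: bytes) -> dict:
    """Report section names and whether a certificate table is present."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs_off = opt_off + (96 if magic == 0x10B else 112)  # PE32 vs PE32+
    (n_dirs,) = struct.unpack_from("<I", data, dirs_off - 4)
    cert_off = cert_size = 0
    if n_dirs > 4:  # data directory 4 = certificate table (file offset, size)
        cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    good, bad = [], []
    for i in range(n_sections):
        start = opt_off + opt_size + 40 * i  # each section header is 40 bytes
        raw = data[start:start + 8]
        name = raw.rstrip(b"\0")
        # Assumed sanity rule: 8 bytes present, non-empty, printable ASCII.
        ok = len(raw) == 8 and name and all(0x20 < c < 0x7F for c in name)
        (good if ok else bad).append((i, name.decode("ascii", "replace")))
    has_cert = cert_size > 0 and cert_off + cert_size <= len(data)
    return {"sections": good, "bad_sections": bad, "has_cert_table": has_cert}

def build_sample(names, cert_size=0):
    """Constructed header-only PE32+ image, used as sample input."""
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B)   # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)    # NumberOfRvaAndSizes
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(names)
    if cert_size:
        struct.pack_into("<II", opt, 112 + 4 * 8, hdr_len, cert_size)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, len(opt), 0x22)
    sects = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + bytes(opt) + sects + bytes(cert_size)

if __name__ == "__main__":
    print(inspect_pe(build_sample([b".text", b".data", b"\x00\xff"])))
    print(inspect_pe(build_sample([b".text", b".reloc"], cert_size=64)))
```

To check a real file, pass `open(path, "rb").read()` to `inspect_pe`. A present certificate table only means the file carries signature data, not that the signature is valid or trusted by the firmware.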
Until today I also had a problem with Upgrade UEFI dbx to 371 when using the command fwupdmgr update.
After using the extended version of the command, fwupdmgr update --force, the upgrade was successful.