secure boot dbx config update

Asked by peterzay

I update Ubuntu 22.04 every day.

Today, snap-store offered the following update which I declined:

Device Firmware
Secure Boot dbx Configuration Update
77 ---> 217

What is this?

Question information

Language: English
Status: Expired
For: Ubuntu
Assignee: No assignee

Manfred Hampl (m-hampl) said :
#1

I do not see any update like this on my system.
Can you please provide more details?
Is this a package from the Ubuntu repositories or a snap package?
What is its exact name?

peterzay (peterzay) said :
#2

On a Dell system, snap-store (Ubuntu Software icon) provides the following 2 kinds of updates:
- snap packages
- BIOS updates

Note the Ubuntu OS that came with the Dell has been purged. Ubuntu was reinstalled from the liveDVD.

Note that snap-store (actual command line instruction) claims this is a Device Firmware.

I just noticed a non critical BIOS update dated 12 Sep 2022 on the Dell support site.

I will install this and get back to you with feedback.

peterzay (peterzay) said :
#3

The BIOS was updated successfully.

I still get the same update candidate as before (Secure Boot dbx Configuration Update).

Since this is a firmware issue, I will open a Dell support ticket.

When that is complete, I will update this post.

peterzay (peterzay) said :
#4

Dell tech support claim this update does NOT come from them.

They suspect it is a software issue.

Can you help?

How can I check if it is a hack?

Manfred Hampl (m-hampl) said :
#5

Re: "Can you help?"

I do my best, but I am not seeing this on my own system (which isn't a Dell), so I do not know where to start.
Up to now I was not even able to ascertain what kind of update this is, and from which source, and I have not found one reference to something named "Secure Boot dbx Configuration Update".

I assume that your question covers the same as https://askubuntu.com/questions/1429797/cant-update-device-firmware-for-dell-xps-9310-ubuntu

Is that similar to what you see? What is the name of the package (in the askubuntu pic it is hidden behind the pop-up, probably starts with "De")?

peterzay (peterzay) said :
#6

My Dell is an Optiplex 7090.

The link you provided appears to be the same issue as mine.

The only difference is that I did not have the courage to attempt installation for fear of being hacked. It would appear that this update fails or pretends to fail.

The De you are referring to is (from the initial post): Device Firmware.

There is no mention of any package anywhere.

Is there a way to query the Updates database?

Manfred Hampl (m-hampl) said :
#7

Open the snap store, and select "updates", such that you see this package and do a single click on the entry for this package.
This should open a details page with further information.
If you click on that page on the "Source" information in the top right corner, you should see the available versions and their sources.

peterzay (peterzay) said :
#8

Here is the result of the single click you suggested:

Version 217:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

Version 211:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

Version 190:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

... latest release from Microsoft???

Ubuntu 22.04 is the only OS on the disk, there is no dual boot. I have win10 in a VM hosted by QEMU/KVM.

Do any of these 3 messages above make sense to you?

Manfred Hampl (m-hampl) said :
#9

I cannot judge that information.

There should be some additional information about the source (e.g. "snapcraft.io"), or links to the original source (e.g. "github/...").
Do you see something like this? That could help in finding an address to ask further questions.

peterzay (peterzay) said :
#10
Luis (lalbinati) said :
#11

I'm having the exact same issue.
It seems related to this fwupdmgr issue.
https://github.com/fwupd/fwupd/issues/5035

Manfred Hampl (m-hampl) said :
#12

Re: "Is this of any help?"

No, that is not what I meant.

Open the snap-store, click on "updates" and then click on the package that is offered.
What do you see?

peterzay (peterzay) said :
#13

Please see comment #8.

Manfred Hampl (m-hampl) said :
#14

Can you please provide a screen shot?

peterzay (peterzay) said :
#15

Here is the shot you requested. Note the text of Version 217 has increased (2 more paragraphs). There have been many system updates since comment #8.

https://www.dropbox.com/s/2vbdob0m6hwdohv/Screenshot%20from%202022-09-20%2014-53-01.png?dl=0

Manfred Hampl (m-hampl) said :
#16

I am sorry, but I cannot help further. I have not seen anything like that so far.

peterzay (peterzay) said :
#17

I have the same dbx update on another Dell hardware platform running Ubuntu 20.04 (Optiplex 5080).

The installed software is very similar (backup machine).

Just to repeat for clarity, the Dell of this question is an Optiplex 7090 running Ubuntu 22.04

Manfred Hampl (m-hampl) said :
#18

That may be Dell-specific.

IA (istvan-attila-andras) said :
#19

Seems to be related to my question: https://answers.launchpad.net/ubuntu/+question/703268

Already updated to see impact:

In my case secure boot fails to validate the focal installer when secure boot is enforced on the laptop.

Matt Wette (matt-rw) said :
#20

I have an XPS13 and see the same issue. It will not install, giving this message:

Unable to update "Secure Boot dbx Configuration Update":
Blocked executable in the ESP, ensure grub and shim are up to date:
/boot/efi/efi,factory/boot/bootx64.efi Authenticode checksum
[2ea...788] is present in dbx.

peterzay (peterzay) said :
#21

Why are we Dell users getting this "Microsoft" update for a Linux OS?

I do not have a dual boot setup, just pure Ubuntu 22.04

Launchpad Janitor (janitor) said :
#22

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Matt Wette (matt-rw) said :
#23

There is an apparent solution here: https://www.youtube.com/watch?v=wXW2AWA0l0E

However, I don't have fwupdmgr listed on apt. I did install fwupdate and gnome-firmware.
The first listed some firmware versions and which were updateable.
The second let me update checksums but that didn't help.

Matt Wette (matt-rw) said :
#24

Also, this:
root# fwupdate -L
failed: Error opening file /sys/firmware/efi/efivars/FWUPDATE_DEBUG_LOG-0abba7dc-e516-4167-bbf5-4d9d1c739416: No such file or directory

fwupdate -l lists

device-firmware type, {176e090d-0ddb-495e-8173-bc998ccfecd0} version 164 can be updated to any version above 163

I think that's the one, but I have no clue how to get it.

peterzay (peterzay) said :
#25

Matt,

Do you have dual boot with Microsoft Windows?

I do not.

Matt Wette (matt-rw) said :
#26

peterzay, I do not. Just Ubuntu 22.04. On Dell XPS-13 9310.

peterzay (peterzay) said :
#27

There appear to be 2 issues here.

One issue is that this update fails. The other is why we are getting this update at all.

When you click on the update in Ubuntu Software (snap-store), you get the following details:

Version 217:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. If the installation fails, you will need to update shim and grub packages before the update can be deployed.

Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly. You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.

Version 211:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

Version 190:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.

The issue here is what is this Microsoft software doing on Ubuntu 22.04?
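
The pre-install check described in the update text quoted in #27 (and reported as failing in #20) comes down to looking up each boot binary's digest in the dbx signature lists. The following is an added example, not part of any post in this thread and not fwupd's code: a parser for the UEFI EFI_SIGNATURE_LIST format that dbx uses, run on constructed sample data. The function names, owner GUID and digests are assumptions made for illustration; real dbx entries are Authenticode digests of the PE image, which this code takes as input rather than computes.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size.
HEADER = struct.Struct("<16sIII")

def parse_dbx_sha256(blob, efivarfs=False):
    """Return the SHA-256 digests (hex) listed in a dbx blob.
    Each entry is a 16-byte SignatureOwner GUID followed by the digest."""
    blob = blob[4:] if efivarfs else blob  # efivarfs files start with 4 attribute bytes
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body, end = off + HEADER.size + hdr_size, off + list_size
        if body > end or end > len(blob) or sig_size <= 16 or (end - body) % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256 and sig_size == 48:
            for pos in range(body, end, sig_size):
                digests.add(blob[pos + 16:pos + 48].hex())
        off = end  # certificate lists and other types are skipped
    return digests

def blocked_images(image_digests, dbx):
    """Map path -> digest for every boot binary whose digest is in dbx."""
    return {p: d for p, d in image_digests.items() if d.lower() in dbx}

def build_list(sig_type, owner, entries):
    """Helper for the constructed sample: serialise one signature list."""
    body = b"".join(owner.bytes_le + e for e in entries)
    return HEADER.pack(sig_type.bytes_le, HEADER.size + len(body), 0,
                       16 + len(entries[0])) + body

# Constructed sample data (not real dbx content or real image digests).
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
OLD_SHIM = hashlib.sha256(b"constructed revoked shim").digest()
OLD_GRUB = hashlib.sha256(b"constructed revoked grub").digest()
NEW_SHIM = hashlib.sha256(b"constructed current shim").digest()
SAMPLE_DBX = (build_list(EFI_CERT_X509, OWNER, [b"\x30" * 40])
              + build_list(EFI_CERT_SHA256, OWNER, [OLD_SHIM, OLD_GRUB]))
SAMPLE_ESP = {"EFI/BOOT/BOOTX64.EFI": OLD_SHIM.hex(),
              "EFI/ubuntu/shimx64.efi": NEW_SHIM.hex()}

if __name__ == "__main__":
    for path, d in blocked_images(SAMPLE_ESP, parse_dbx_sha256(SAMPLE_DBX)).items():
        print(f"blocked: {path} [{d[:3]}...{d[-3:]}] is present in dbx")
```

A binary reported this way has to be replaced by updated shim and grub packages before the dbx update can be deployed, which is what the update text in #27 says.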

Matt Wette (matt-rw) said :
#28
Matt Wette (matt-rw) said :
#29

I fixed for my machine. I did backups etc, but effectively this:

$ sudo -s
password:
root# cd /boot/efi/efi.factor/boot
root# rm bootx64.efi grubx64.efi

Then I clicked on the dbx update and it completed. I rebooted to make sure that would work. It did.
The files I deleted were dated April 26, 2021.

peterzay (peterzay) said :
#30

matt-rw

My directory structure is different: I do not have an efi.factor folder. My structure is /boot/efi/EFI/BOOT/BOOTX64.EFI and there is no grubx64.efi file (not upper case either).

When you removed those 2 files, the dbx update worked, from what I understand. After completion, were those 2 files recreated with today's date?

Even if so, why are we getting a Microsoft update on Linux?

Could it be because I have win10 in a libvirt VM?

peterzay (peterzay) said :
#31

I have the following 2 files grubx64.efi and shimx64.efi in folder /boot/efi/EFI/ubuntu

Matt Wette (matt-rw) said :
#32

peterzay, Those files were not replaced. A "find" did not turn up any updated files under /boot/efi.

peterzay (peterzay) said :
#33

My Dell Optiplex 7090 is receiving the dbx update via snap-store. libvirt is installed. I have a win10 VM.

My Dell Latitude 5591 is NOT receiving the dbx update via snap-store. libvirt is NOT installed. There is NO win10 VM.

Those of you who are receiving this dbx update, do you have libvirt installed?

Matt Wette (matt-rw) said :
#34

My system does not have libvirt installed.

Launchpad Janitor (janitor) said :
#35

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

Hans Kern (hanskern85) said :
#36

I have exactly this problem since yesterday.

I have a "Memory PC" recent desktop (not Dell). I have a dual boot with Windows.

I went ahead with the recommended update which crashed the PC during the install.

After powering off (forced power off) and restarting everything seems to be OK. (But I have not tried Windows)

"do you have libvirt installed?" I do not think so.

peterzay (peterzay) said :
#37

After a lot of reading about dbx, it appears that this update is probably "safe".

So, I installed it. The process worked fine on first attempt. The requested restart was performed.

There appear to be no issues with my system.

Should that change, I will update this thread.

Kiril Isakov (kirisakow) said :
#38

1. I have been experiencing what OP said and what the #20 post author described. And even though I too have a Dell laptop, there has never been Windows installed on it, only Ubuntu. So this whole story of a Microsoft Windows update even for machines without Windows sounds even more strange. Satya Nadella, if you hear us...

2. I applied that dbx update candidate and saw a popup inviting me to restart machine. However, the "Restart" button did not work. So I performed a manual reboot. Nothing changed. That dbx 77 --> 217 update candidate was still pending.

3. I googled a little and did this (https://askubuntu.com/questions/1203732/how-to-update-fwupdmgr-itself/1205598#1205598)

4. Back to the dbx update, this time the error message changed to a longer message (that I had to OCR to paste it here):

Unable to update "Secure Boot dbx Configuration Update": An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":- 1.135" (uid=1001 pid=5445 comm="/snap/snap-store/638/usr/bin/- snap-store--gapplica" label="snap.snap-store.snap-store (enforce)") interface="org.freedesktop.fwupd" member="Install" error name="(unset)" requested_reply="0" destination="org.freedesktop.fwupd" (uid=0 pid=14439 comm="/- snap/fwupd/4498/libexec/fwupd/fwupd" label="snap.fwupd.fwupd (complain)")

5. Here I am so far.

(P.S. This message board lacks Markdown support and that's just sad)

Kiril Isakov (kirisakow) said :
#39

Update:

6. Reboot

7. A global update (apt, snap, flatpak) showed there was an Nvidia update pending — which was not there before the update.

8. Reboot once more. The dbx 77 --> 217 update candidate was gone.

Kiril Isakov (kirisakow) said :
#40

I assume the key move was to upgrade fwupd / fwupdmgr

Alex Balmus (alx-balmus) said :
#41

I got this update today (2023-01-01) on an Alienware M17 R5 AMD with Ubuntu 22.10 and it was performed successfully.
Secure Boot dbx Configuration Update 217.