What do I need to update Secure Boot for?

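There is an update for Secure Boot DBX - from 77 to 217. It cannot be installed because grub is too old. I have turned off Secure Boot in the BIOS. What is a DBX update? I will not install it. Ubuntu 22.04.1.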

sudo fwupdmgr update
Devices with no available firmware updates: 
 • 670p ******************* 512GB
 • UEFI Device Firmware
 • UEFI Device Firmware
Devices with the latest available firmware version:
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217?                                             ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds         ║
║ insecure versions of grub and shim to the list of forbidden signatures due   ║
║ to multiple discovered security updates.                                     ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures.If the installation fails, you will     ║
║ need to update shim and grub packages before the update can be deployed.     ║
║                                                                              ║
║ Once you have installed this dbx update, any DVD or USB installer images     ║
║ signed with the old signatures may not work correctly.You may have to        ║
║ temporarily turn off secure boot when using recovery or installation media,  ║
║ if new images have not been made available by your distribution.             ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Распаковка…              [***************************************]
Распаковка…              [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Перезапуск устройства…   [***************************************]
Запись…                  [***************************************]
Распаковка…              [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [***************************] is present in dbx

Answer 1

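As someone said in the comments on your question, this looks very similar to other questions on many forums. The solution seems to be to remove the old file that is no longer updated. This causes the upgrade manager (fwupdmgr) to block the update, because one of the files in the boot directory would be suppressed by the dbx update for not being signed as required. This is done for safety, to avoid your machine being unable to boot after the upgrade. The solution I have seen is to move the file into your Documents and delete it once you have made sure everything works. See the topic "Unable to update UEFI dbx" for details; there, the problematic file is /boot/efi/EFI/Boot/shimx64.efi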
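
The fwupd message in the question identifies the blocked file by its Authenticode checksum. As an added example (not part of the original answer and not fwupd's own code), the Python script below prints that kind of digest for every .efi file on the ESP, so a stale copy can be matched against the reported value before it is moved aside. Assumptions: the checksum is SHA-256, the images are well-formed PE files, and the names `authenticode_sha256` and `scan_esp` are illustrative.

```python
import hashlib
import struct
import sys
from pathlib import Path


def authenticode_sha256(data: bytes) -> str:
    """Authenticode SHA-256 of a PE image; assumes contiguous, in-order sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24  # optional header: after 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (112 if magic == 0x20B else 96)  # data directories (PE32+ / PE32)
    checksum = opt + 64
    excluded = [(checksum, checksum + 4)]  # CheckSum field is never hashed
    if struct.unpack_from("<I", data, dirs - 4)[0] > 4:  # NumberOfRvaAndSizes
        entry = dirs + 4 * 8  # directory 4: certificate table (file offset, size)
        cert_off, cert_size = struct.unpack_from("<II", data, entry)
        excluded.append((entry, entry + 8))
        if cert_size:  # the embedded signature itself is not hashed
            excluded.append((cert_off, cert_off + cert_size))
    digest, pos = hashlib.sha256(), 0
    for start, stop in sorted(excluded):
        digest.update(data[pos:start])
        pos = stop
    digest.update(data[pos:])
    return digest.hexdigest()


def scan_esp(root: str) -> dict:
    """Map each *.efi file under root (any letter case) to its digest."""
    found = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() == ".efi":
            try:
                found[str(path)] = authenticode_sha256(path.read_bytes())
            except (ValueError, struct.error) as exc:
                found[str(path)] = f"unreadable: {exc}"
    return found


if __name__ == "__main__":
    for name, value in scan_esp(sys.argv[1] if len(sys.argv) > 1 else "/boot/efi").items():
        print(value, name)
```

Reading /boot/efi usually requires root; the ESP path can be passed as the first argument.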
