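There is a Secure Boot DBX update, from 77 to 217. It cannot be installed because grub is too old. I have turned off Secure Boot in the BIOS. What is a DBX update? I will not install it. Ubuntu 22.04.1.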
sudo fwupdmgr update
Devices with no available firmware updates:
• 670p ******************* 512GB
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds ║
║ insecure versions of grub and shim to the list of forbidden signatures due ║
║ to multiple discovered security updates. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures.If the installation fails, you will ║
║ need to update shim and grub packages before the update can be deployed. ║
║ ║
║ Once you have installed this dbx update, any DVD or USB installer images ║
║ signed with the old signatures may not work correctly.You may have to ║
║ temporarily turn off secure boot when using recovery or installation media, ║
║ if new images have not been made available by your distribution. ║
║ ║
║ UEFI dbx and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Downloading… [***************************************]
Распаковка… [***************************************]
Распаковка… [***************************************]
Authenticating… [***************************************]
Authenticating… [***************************************]
Перезапуск устройства… [***************************************]
Запись… [***************************************]
Распаковка… [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [***************************] is present in dbx
Answer 1
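As someone said in the comments on your question, this looks very similar to other questions on many forums. The solution seems to be to remove old files that are no longer updated. This causes the upgrade manager (fwupdmgr) to block the update, because one of the files in the boot directory would be suppressed by the dbx update for not being signed as required. This is a safety measure, to avoid your machine being unable to boot after the upgrade. The solution I have seen is to move the file into your Documents and delete it once you have made sure everything works. See the thread "Unable to update UEFI dbx" for details; there, the problematic file is /boot/efi/EFI/Boot/shimx64.efi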
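The procedure from the answer, sketched as shell (an added example, not part of the original post or of fwupd): it reads the blocked path out of the fwupdmgr message and moves the file to a backup directory outside the ESP instead of deleting it. The function names, the backup directory and the boot-entry check against `efibootmgr -v` output are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and backup location are hypothetical.

# Print the path named in fwupdmgr's "Blocked executable in the ESP" line ($1).
blocked_path() {
    printf '%s\n' "$1" | sed -n \
      's/^Blocked executable in the ESP, ensure grub and shim are up to date: \(.*\) Authenticode checksum .*$/\1/p'
}

# True if a firmware boot entry (text of `efibootmgr -v`, passed as $2)
# loads the ESP-relative path $1. Case-insensitive, like the FAT filesystem.
boot_entry_uses() {
    want=$(printf '%s' "$1" | tr '/' '\\')
    printf '%s\n' "$2" | grep -qiF "File(\\$want)"
}

# Move (not delete) a blocked binary out of the ESP, keeping its relative
# path so it can be put back. $1 file, $2 ESP mount point,
# $3 backup dir outside the ESP, $4 optional `efibootmgr -v` output.
quarantine_efi() {
    file=$1; esp=${2%/}; backup=${3%/}; entries=${4-}
    case $file in
        "$esp"/*) rel=${file#"$esp"/} ;;
        *) echo "refusing: $file is not under $esp" >&2; return 1 ;;
    esac
    case $backup/ in
        "$esp"/*) echo "refusing: backup dir is inside the ESP" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if boot_entry_uses "$rel" "$entries"; then
        echo "refusing: a boot entry loads $rel; update shim/grub instead" >&2
        return 1
    fi
    mkdir -p "$backup/$(dirname "$rel")" || return 1
    # Record a hash of what was moved, when sha256sum is available.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$file" >> "$backup/moved.sha256"
    fi
    mv -- "$file" "$backup/$rel" && printf '%s\n' "$backup/$rel"
}

# Usage (as root), then re-run `fwupdmgr update`:
#   quarantine_efi "$(blocked_path "$msg")" /boot/efi /root/esp-backup "$(efibootmgr -v)"
```

The boot-entry check does not cover the removable-media fallback path `\EFI\BOOT\BOOTX64.EFI`, which firmware may load without any boot entry, so keep the backup until the machine has rebooted successfully.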