我拥有一台相当旧的服务器,Dell PowerEdge T20,带有最新的BIOS 版本 A20,戴尔更新链接,万一链接及时失效时的更新屏幕:
今天早上,当通过 SSH 连接到这台服务器时,我收到一条消息,说有一个可用的固件更新,请参阅下面的完整详细信息,它还说我可以运行:
fwupdmgr get-upgrades
获取有关它的信息,我就是这样做的。
$ ssh-s
up 18 hours, 31 minutes
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
root @ dell-poweredge-t20 /root # fwupdmgr get-upgrades
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates:
• Samsung SSD 860 PRO 256GB
• WDC WD5000BMVU-11A08S0
PowerEdge T20
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI Revocation Database
│ Current version: 77
│ Minimum Version: 77
│ Vendor: UEFI:Linux Foundation
│ Install Duration: 1 second
│ GUIDs: c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│
├─Secure Boot dbx:
│ New version: 217
│ Remote ID: lvfs
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ License: Proprietary
│ Size: 13.8 kB
│ Created: 2020-07-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Flags: is-upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
│ Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. If the installation fails, you will need to update shim and grub packages before the update can be deployed.
│
│ Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly. You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.
│
├─Secure Boot dbx:
│ New version: 211
│ Remote ID: lvfs
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ License: Proprietary
│ Size: 13.5 kB
│ Created: 2021-04-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Flags: is-upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
└─Secure Boot dbx:
New version: 190
Remote ID: lvfs
Summary: UEFI Secure Boot Forbidden Signature Database
License: Proprietary
Size: 14.4 kB
Created: 2020-07-29
Urgency: High
Vendor: Linux Foundation
Duration: 1 second
Flags: is-upgrade
Description:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
root @ dell-poweredge-t20 /root #
我从未使用 Linux 更新过我的 BIOS/UEFI。我的第一个问题是:
此更新的具体目的是什么? (新BIOS?)
其次,继续更新是否安全,有什么缺点/优点吗?
谢谢。
笔记:
该服务器运行 Debian 11。
此计算机上禁用了安全启动。
我已禁用UEFI胶囊作为预防措施,请更新 BIOS。
答案1
这些都是UEFI 撤销列表更新;他们撤销用于安全启动的签名。
由于您不使用安全启动,因此它们与您无关。由于 UEFI 胶囊更新被禁用,您可能无法应用它们。