通过升级固件fwupdmgr会导致以下错误:
$ fwupdmgr update
Devices with no available firmware updates:
• USB2.0 Hub
• USB2.0 Hub
• USB3.1 Hub
• USB3.1 Hub
• Integrated Camera
• SSD 970 EVO Plus 1TB
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• Prometheus
• Prometheus IOTA Config
• System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds ║
║ insecure versions of grub and shim to the list of forbidden signatures due ║
║ to multiple discovered security updates. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures. If the installation fails, you will ║
║ need to update shim and grub packages before the update can be deployed. ║
║ ║
║ Once you have installed this dbx update, any DVD or USB installer images ║
║ signed with the old signatures may not work correctly. You may have to ║
║ temporarily turn off secure boot when using recovery or installation media, ║
║ if new images have not been made available by your distribution. ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:
Downloading… [***************************************]
Downloading… [***************************************]
Decompressing… [***************************************]
Authenticating… [***************************************]
Waiting… [***************************************]
Writing… [***************************************]
Decompressing… [ ]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee868] is present in dbx
如何进行?我猜/boot/efi/EFI/BOOT/BOOTX64.EFI需要更换。我应该从最新的 Debian 安装映像中提取它吗?这是唯一应该替换的文件吗?系统变砖的机会有多大?
$ uname -a
Linux p14s 6.1.0-1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.4-1 (2023-01-07) x86_64 GNU/Linux
$ sudo tree /boot/efi/
/boot/efi/
└── EFI
├── BOOT
│ ├── BOOTX64.EFI
│ ├── fbx64.efi
│ └── grubx64.efi
└── debian
├── BOOTX64.CSV
├── fbx64.efi
├── fw
│ └── fwupd-01453b71-da0c-4832-9f4f-e378245339c7.cap
├── fwupdx64.efi
├── grub.cfg
├── grubx64.efi
├── mmx64.efi
└── shimx64.efi
编辑:
$ sudo efibootmgr -v | grep "Boot$(sudo efibootmgr -v | awk '/BootCurrent/{print $2}')"
Boot0000* debian HD(1,GPT,488c1b76-c8f0-4e08-a48d-d4a0a3a4fa81,0x800,0x106000)/File(\EFI\debian\shimx64.efi)
注意File(\EFI\debian\shimx64.efi)——这是否意味着 fwupdmgr 抱怨的文件 /boot/efi/EFI/BOOT/BOOTX64.EFI 甚至没有被使用?