I'm running Linux Mint 21. When I run fwupdmgr update, it exits with 1 (error), but there is no error on STDERR. Any clue?
My system is up to date.
$ uname -a
Linux box 5.15.0-67-generic #74-Ubuntu SMP Wed Feb 22 14:14:39 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# tree /boot/efi/
/boot/efi/
└── EFI
    ├── BOOT
    │   ├── BOOTX64.EFI
    │   ├── fbx64.efi
    │   └── mmx64.efi
    ├── debian
    │   ├── BOOTX64.CSV
    │   ├── fbx64.efi
    │   ├── grub.cfg
    │   ├── grubx64.efi
    │   ├── mmx64.efi
    │   └── shimx64.efi
    └── ubuntu
        ├── BOOTX64.CSV
        ├── fw
        │   └── fwupd-0123456789abcdef.cap
        ├── fwupdx64.efi
        ├── grub.cfg
        ├── grubx64.efi
        ├── mmx64.efi
        └── shimx64.efi
5 directories, 16 files
and
# fwupdmgr update
Devices with no available firmware updates:
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
Devices with the latest available firmware version:
• MZVLB512HBJQ-000L7
• System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 77 to 217? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the dbx to the latest release from Microsoft which adds ║
║ insecure versions of grub and shim to the list of forbidden signatures due ║
║ to multiple discovered security updates. ║
║ ║
║ Before installing the update, fwupd will check for any affected executables ║
║ in the ESP and will refuse to update if it finds any boot binaries signed ║
║ with any of the forbidden signatures.If the installation fails, you will ║
║ need to update shim and grub packages before the update can be deployed. ║
║ ║
║ Once you have installed this dbx update, any DVD or USB installer images ║
║ signed with the old signatures may not work correctly.You may have to ║
║ temporarily turn off secure boot when using recovery or installation media, ║
║ if new images have not been made available by your distribution. ║
║ ║
║ UEFI dbx and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:
Downloading… [***************************************]
Downloading… [***************************************]
Decompressing… [***************************************]
Decompressing… [***************************************]
Authenticating… [***************************************]
Authenticating… [***************************************]
Restarting device… [***************************************]
Writing… [***************************************]
Decompressing… [***************************************]
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/debian/shimx64.efi Authenticode checksum [0123456789abcdef] is present in dbx
and:
# fwupdmgr --version
runtime org.freedesktop.fwupd 1.7.9
runtime com.dell.libsmbios 2.4
compile org.freedesktop.gusb 0.3.10
runtime org.kernel 5.15.0-67-generic
compile com.hughsie.libjcat 0.1.9
compile org.freedesktop.fwupd 1.7.9
runtime org.freedesktop.gusb 0.3.10
The error is there:
# fwupdmgr get-upgrades
│
└─UEFI dbx:
│ Device ID: 0123456789abcdef
│ Summary: UEFI revocation database
│ Current version: 77
│ Minimum Version: 77
│ Vendor: UEFI:Linux Foundation
│ Install Duration: 1 second
│ Update State: Transient failure
│ Update Error: Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/debian/shimx64.efi Authenticode checksum [0123456789abcdef] is present in dbx
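Answer 1
Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/debian/shimx64.efi
It is telling you that you have an old version of shimx64.efi that will now be blacklisted in this Secure Boot revocation database update. In other words, if the update was installed, you might have to disable Secure Boot in order to boot your Debian installation.
But if /boot/efi/EFI/debian is not in use (for example, if you have replaced Debian with Mint, and the directory is just the last remnant of the old Debian installation), you can simply remove the /boot/efi/EFI/debian directory, and then fwupdmgr update can proceed without errors.
The fwupdmgr command is not smart enough to determine whether the /boot/efi/EFI/debian directory is there on purpose or is just a remnant of an old, overwritten installation, so it stops the update process to ensure maximum safety.
Since Linux Mint is based on Ubuntu, it has its own complete set of boot files in /boot/efi/EFI/ubuntu. So removing the /boot/efi/EFI/debian directory should have no effect on your Mint installation.
However, if you want to be extra sure, you should run sudo efibootmgr -v and verify that the boot entry identified by the BootCurrent: line is actually one that refers to \EFI\ubuntu\shimx64.efi, not one that refers to \EFI\debian\shimx64.efi. If the sudo efibootmgr -v output includes a reference to Debian and you wish to remove it, you can use the efibootmgr command to do so; see its man page for examples.
This UEFI dbx (= Secure Boot revocation list) update is related to the BootHole vulnerability of July 2020 and the group of related vulnerabilities discovered after it. By now, all distributions have long since replaced any vulnerable bootloader components as needed, and the UEFI Forum has now published an updated revocation list that will block the vulnerable bootloader versions from running.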
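The BootCurrent check described in the answer above, as an added example that is not part of the original answer: it parses efibootmgr -v output from stdin, reports which loader the running system booted from, and lists the entries that still point into a given ESP directory. The function names are hypothetical, and the sample output is constructed (its partition GUID is a placeholder).

```shell
#!/bin/sh
# Constructed sample of `efibootmgr -v` output; the GUID is a placeholder.
sample_output() {
cat <<'EOF'
BootCurrent: 0001
Timeout: 0 seconds
BootOrder: 0001,0000
Boot0000* debian	HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
Boot0001* ubuntu	HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
EOF
}

# Print the loader path of the entry named on the "BootCurrent:" line.
current_loader() {
    awk '/^BootCurrent:/ { cur = $2 }
         /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ &&
         match($0, /File\([^)]*\)/) {
             path[substr($0, 5, 4)] = substr($0, RSTART + 5, RLENGTH - 6)
         }
         END { if (cur in path) print path[cur]; else exit 1 }'
}

# Print the boot numbers whose loader lives under \EFI\<dir>\.
# The ESP is FAT and case-insensitive, so compare in lower case.
entries_under() {
    awk -v d="$1" '
         /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ &&
         index(tolower($0), "file(\\efi\\" tolower(d) "\\") {
             print substr($0, 5, 4)
         }'
}

# Exit 0 if the running system booted from \EFI\<dir>\, 1 if it did not,
# 2 if the BootCurrent entry cannot be found (treat as "do not delete").
current_boot_uses() {
    awk -v d="$1" '
         /^BootCurrent:/ { cur = $2 }
         /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ {
             line[substr($0, 5, 4)] = tolower($0)
         }
         END {
             if (!(cur in line)) exit 2
             exit !index(line[cur], "file(\\efi\\" tolower(d) "\\")
         }'
}

# Demo on the constructed sample; on a real system, pipe in `sudo efibootmgr -v`.
printf 'current loader: %s\n' "$(sample_output | current_loader)"
printf 'entries still pointing at debian: %s\n' "$(sample_output | entries_under debian)"
```

Only when current_boot_uses debian exits 1 is the running system independent of the directory; any entry numbers printed by entries_under debian are the stale ones that efibootmgr -b NNNN -B would delete.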