You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
Version 1
Current »
fwupdmgr get-upgrades
fwupdmgr install
oliutyi@ubuntu2510:~$ fwupdmgr get-upgrades
Devices with no available firmware updates:
• Oem Secure Boot DB 20231007
• Oem Secure Boot KEK 20231007
• Intel Management Engine
• KEK CA
• System Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• WD BLACK SN850X 8000GB
• Windows UEFI CA
GMKtec NucBox_EVO-T1
│
├─UEFI CA:
│ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ │ c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ └─Secure Boot Signature Database Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 116503
│ Summary: UEFI Secure Boot Signature Database
│ License: Proprietary
│ Size: 10.0 kB
│ Created: 2025-04-29 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-09-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-07-24 00:00:00
│ Distribution: nixos 25.11
│ Old version: 2011
│ Version[fwupd]: 2.0.12
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft.It also adds the latest OptionROM UEFI Signature Database update.
│ Checksum: 6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 20230501
│ Minimum Version: 20230501
│ Vendor: UEFI:Microsoft
│ Install Duration: 1 second
│ GUIDs: 91aa5eb7-0f48-52ff-a68d-c01f25bc33a0 ← UEFI\CRT_9CD3A281B2EA0DE4E3D5FE17A9349C66A5256349FE36EF7A80A74051653443F0&ARCH_X64
│ d07ff664-b0e1-5f4e-a723-d7fbcbfcb94f ← UEFI\CRT_3CD3F0309EDAE228767A976DD40D9F4AFFC4FBD5218F2E8CC3C9DD97E8AC6F9D&ARCH_X64
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│ • Can tag for emulation
│
├─Secure Boot dbx Configuration Update:
│ New version: 20250902
│ Remote ID: lvfs
│ Release ID: 130035
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.1 kB
│ Created: 2025-09-02 00:00:00
│ Urgency: High
│ Tested: 2025-12-15 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-12-05 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20250507
│ Version[fwupd]: 2.0.17
│ Tested: 2025-11-10 00:00:00
│ Distribution: fedora 43 (kde)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
│
│ Some insecure versions of the IGEL bootloader were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issue: CVE-2025-47827
│ Checksum: 7178302fa23fcb875e7540900e299fb30a76758663efb7e1c56edc25cd3f316a
│
├─Secure Boot dbx Configuration Update:
│ New version: 20250507
│ Remote ID: lvfs
│ Release ID: 115586
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.0 kB
│ Created: 2025-01-17 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-06-11 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20241101
│ Version[fwupd]: 2.0.11
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
│
│ Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issues: 806555
│ CVE-2025-3052
│ Checksum: 40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6
│
└─Secure Boot dbx Configuration Update:
New version: 20241101
Remote ID: lvfs
Release ID: 105821
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 15.1 kB
Created: 2025-01-17 00:00:00
Urgency: High
Tested: 2025-10-31 00:00:00
Distribution: ubuntu 24.04
Old version: 20230501
Version[fwupd]: 1.9.28
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
Issues: 529659
CVE-2024-7344
Checksum: 093e6913dfecefbdaa9374a2e1caee7bf7e74c7eda847624e456e344884ba5f6
oliutyi@ubuntu2510:~$ fwupdmgr install
0. Cancel
1. 5bc922b7bd1adb5b6f99592611404036bd9f42d0 (UEFI CA)
2. 362301da643102b9f38477387e2193e57abaa590 (UEFI dbx)
Choose device [0-2]: 1
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI CA from 2011 to 2023? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the 3rd Party UEFI Signature Database (the "db") to the latest ║
║ release from Microsoft.It also adds the latest OptionROM UEFI Signature ║
║ Database update. ║
║ ║
║ UEFI CA and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: Y
Authenticating… [***************************************]==== AUTHENTICATING FOR org.freedesktop.fwupd.update-internal-trusted ====
Authentication is required to update the firmware on this machine
Authenticating as: oleksandr liutyi (oliutyi)
Password:
==== AUTHENTICATION COMPLETE ====
Waiting… [***************************************]
Successfully installed firmware
An update requires a reboot to complete. Restart now? [y|N]: N
oliutyi@ubuntu2510:~$ fwupdmgr install
0. Cancel
1. 5bc922b7bd1adb5b6f99592611404036bd9f42d0 (UEFI CA)
2. 362301da643102b9f38477387e2193e57abaa590 (UEFI dbx)
Choose device [0-2]: 2
0. Cancel
1. 20250902
2. 20250507
3. 20241101
Choose release [0-3]: 1
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20230501 to 20250902? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest ║
║ release from Microsoft. ║
║ ║
║ Some insecure versions of the IGEL bootloader were added, due to a security ║
║ vulnerability that allowed an attacker to bypass UEFI Secure Boot. ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: Y
Authenticating… [***************************************]==== AUTHENTICATING FOR org.freedesktop.fwupd.update-internal-trusted ====
Authentication is required to update the firmware on this machine
Authenticating as: oleksandr liutyi (oliutyi)
Password:
==== AUTHENTICATION COMPLETE ====
Waiting… [***************************************]
Successfully installed firmware
An update requires a reboot to complete. Restart now? [y|N]: N
oliutyi@ubuntu2510:~$
