oliutyi@ubuntu2510:~$ fwupdmgr get-upgrades
Devices with no available firmware updates:
• Oem Secure Boot DB 20231007
• Oem Secure Boot KEK 20231007
• Intel Management Engine
• KEK CA
• System Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• UEFI Device Firmware
• WD BLACK SN850X 8000GB
• Windows UEFI CA
GMKtec NucBox_EVO-T1
│
├─UEFI CA:
│ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ │ c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ └─Secure Boot Signature Database Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 116503
│ Summary: UEFI Secure Boot Signature Database
│ License: Proprietary
│ Size: 10.0 kB
│ Created: 2025-04-29 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-09-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-07-24 00:00:00
│ Distribution: nixos 25.11
│ Old version: 2011
│ Version[fwupd]: 2.0.12
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft.It also adds the latest OptionROM UEFI Signature Database update.
│ Checksum: 6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 20230501
│ Minimum Version: 20230501
│ Vendor: UEFI:Microsoft
│ Install Duration: 1 second
│ GUIDs: 91aa5eb7-0f48-52ff-a68d-c01f25bc33a0 ← UEFI\CRT_9CD3A281B2EA0DE4E3D5FE17A9349C66A5256349FE36EF7A80A74051653443F0&ARCH_X64
│ d07ff664-b0e1-5f4e-a723-d7fbcbfcb94f ← UEFI\CRT_3CD3F0309EDAE228767A976DD40D9F4AFFC4FBD5218F2E8CC3C9DD97E8AC6F9D&ARCH_X64
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│ • Can tag for emulation
│
├─Secure Boot dbx Configuration Update:
│ New version: 20250902
│ Remote ID: lvfs
│ Release ID: 130035
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.1 kB
│ Created: 2025-09-02 00:00:00
│ Urgency: High
│ Tested: 2025-12-15 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-12-05 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20250507
│ Version[fwupd]: 2.0.17
│ Tested: 2025-11-10 00:00:00
│ Distribution: fedora 43 (kde)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
│
│ Some insecure versions of the IGEL bootloader were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issue: CVE-2025-47827
│ Checksum: 7178302fa23fcb875e7540900e299fb30a76758663efb7e1c56edc25cd3f316a
│
├─Secure Boot dbx Configuration Update:
│ New version: 20250507
│ Remote ID: lvfs
│ Release ID: 115586
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.0 kB
│ Created: 2025-01-17 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-06-11 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20241101
│ Version[fwupd]: 2.0.11
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
│
│ Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issues: 806555
│ CVE-2025-3052
│ Checksum: 40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6
│
└─Secure Boot dbx Configuration Update:
New version: 20241101
Remote ID: lvfs
Release ID: 105821
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 15.1 kB
Created: 2025-01-17 00:00:00
Urgency: High
Tested: 2025-10-31 00:00:00
Distribution: ubuntu 24.04
Old version: 20230501
Version[fwupd]: 1.9.28
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
Issues: 529659
CVE-2024-7344
Checksum: 093e6913dfecefbdaa9374a2e1caee7bf7e74c7eda847624e456e344884ba5f6