On 07.06.2024 03:27, Masaru Nomiya wrote:
Hello,
In the Message;
Subject : Shim error message about "blocked executable in ESP"
Message-ID : <4032842.keHCODLSVB@silversurfer>
Date & Time: Thu, 06 Jun 2024 19:00:29 +0200
[S] == Stakanov via openSUSE Users <users@lists.opensuse.org> has written:
S> Question: does Tumbleweed by chance use "boot-repair" by default?
S> I ask this because of:
S> https://github-wiki-see.page/m/fwupd/fwupd/wiki/Blocked-executable-in-the-ES...
S> I have here a machine that continues to complain about:
S> Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/grub/shim.efi Authenticode checksum [be435df7cd28aa2a7c8db4fc8173475b77e5abf392f76b7c76fa3f698cb71a9a] is present in dbx
S> [...]
It says that it could not update the UEFI dbx.
No. What it says - if dbx is updated the system may become unbootable because there is an EFI binary that will be blocked from execution. And it shows the exact name of this binary. Now it is up to the system administrator to decide whether this binary is needed and should be updated or is not needed and can be removed.
How about this?
$ sudo fwupdmgr update --force -y
bor@bor-Latitude-E5450:~$ LANG=C rm -r /
rm: it is dangerous to operate recursively on '/'
rm: use --no-preserve-root to override this failsafe
bor@bor-Latitude-E5450:~$
So your advice would be to force the operation?
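
To see which file on the ESP the message refers to, the following added example (not part of the thread and not fwupd's code) computes the SHA-256 Authenticode digest of a PE/EFI image, the kind of checksum the message reports as present in dbx. It assumes the certificate table, if present, is the last thing in the file and that sections are stored contiguously, so hashing the file linearly matches the section-by-section procedure; `sample_image` is a constructed test input.

```python
import hashlib
import struct
import sys

def authenticode_sha256(pe: bytes) -> str:
    """SHA-256 Authenticode digest of a PE/COFF image such as shim.efi."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe_off + 24                      # optional header follows 4-byte sig + 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directories
    if struct.unpack_from("<I", pe, dirs - 4)[0] <= 4:
        raise ValueError("image has no certificate table directory entry")
    checksum = opt + 64                    # CheckSum field (4 bytes) is excluded
    cert_entry = dirs + 4 * 8              # directory 4, Certificate Table (8 bytes), excluded
    cert_off, cert_size = struct.unpack_from("<II", pe, cert_entry)
    if cert_size and cert_off + cert_size != len(pe):
        raise ValueError("certificate table is not at the end of the file")
    end = cert_off if cert_size else len(pe)       # the signature blob itself is excluded
    h = hashlib.sha256()
    for chunk in (pe[:checksum], pe[checksum + 4:cert_entry], pe[cert_entry + 8:end]):
        h.update(chunk)
    return h.hexdigest()

def sample_image(checksum: int = 0, signature: bytes = b"") -> bytes:
    """Constructed minimal PE32+ image for the demo, not a real boot loader."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<I", opt, 64, checksum)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    body = b"constructed section data".ljust(64, b"\0")
    if signature:
        cert_off = len(dos) + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 144, cert_off, len(signature))
    return dos + coff + bytes(opt) + body + signature

if __name__ == "__main__":
    # Usage: script.py /boot/efi/EFI/grub/shim.efi  (compare with the checksum fwupd prints)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(authenticode_sha256(f.read()), path)
```

Because the checksum field and the signature are excluded, the digest identifies the binary's code regardless of who signed it, which is why a dbx entry blocks every signed copy of the same shim build.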