
Blocked executable in the ESP, ensure grub and shim are up to date

Benjamin Kahn edited this page Mar 17, 2023 · 5 revisions

Summary

fwupd supports applying UEFI Secure Boot blocklist database (dbx) updates via the uefi-dbx plugin. Unlike earlier mechanisms for applying dbx updates, fwupd first checks that the update will not leave the system in a potentially unbootable state for any installed operating system.

It does this by computing the Authenticode checksum of every binary on the EFI system partition (ESP) and comparing it against the checksums contained in the dbx update. If any binary's checksum matches one in the update, fwupd refuses to install the update, because once that checksum is in dbx the firmware will no longer run that binary under Secure Boot.

Problems

Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/EFI/BOOT/BOOTX64.EFI Authenticode checksum [af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee767] is present in dbx

This means that the bootloader placed in the UEFI removable-media path (EFI/BOOT/BOOTX64.EFI, the fallback the firmware uses when no NVRAM boot entry matches) has not been updated.

Blocked executable in the ESP, ensure grub and shim are up to date: /boot/efi/efi.factory/boot/bootx64.efi Authenticode checksum [2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788] is present in dbx

This is an issue with some Dell systems shipped with Ubuntu. A recovery partition is present on the system, and the factory copy of the bootloader kept under efi.factory/ on the ESP has not been updated. Replacing it would prevent the recovery partition from being bootable.

General Solution

Even if the flagged binary is never used, fwupd has no way of knowing that. To continue applying the update, either update the binary to a newer version whose checksum is not in the dbx, or remove the binary from the ESP.

In other words, the ESP (mounted at /boot/efi on most distributions) is shared among all the OSes installed on your machine. When installing a new OS, you will typically get a new directory added to /boot/efi/EFI/ for that OS. Cleaning up older directories for OSes you no longer use is up to you, as is keeping all the OSes you do use up to date. If your firmware update is blocked, delete the sub-directories of OSes you no longer use, and install the bootloader updates (shim, grub) for the OSes that still need them.
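The check described in the Summary, and the ESP inventory the General Solution asks you to do by hand, as an added example. This is not fwupd's own code: it implements the Authenticode hash rules for PE/COFF images (the CheckSum field, the Certificate Table directory entry and the certificate table itself are excluded from the digest), walks an ESP, and reports every image whose SHA-256 digest is in a given dbx set. The minimal PE built by build_test_pe and the two-file ESP in demo() are constructed test input; the only real data are the two digests quoted in the error messages above. On a live system call scan_esp("/boot/efi", digests) with the SHA-256 digests extracted from the dbx update you are about to apply.

```python
"""Added example, not fwupd's own code: the ESP check described above, done by
hand. Every PE/COFF image below the ESP is hashed with the Authenticode rules
(CheckSum, Certificate Table entry and certificate table excluded) and looked up
in a set of dbx SHA-256 digests; a match is what fwupd reports as blocked."""
import hashlib
import os
import struct
import tempfile


def authenticode_sha256(data: bytes) -> str:
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24
    magic, = struct.unpack_from("<H", data, opt_off)
    checksum_off = opt_off + 64
    size_of_headers, = struct.unpack_from("<I", data, opt_off + 60)
    # Data directories begin at +96 (PE32) or +112 (PE32+); entry 4 is the
    # Certificate Table, stored as (file offset, size).
    cert_dir_off = opt_off + (96 if magic == 0x10B else 112) + 4 * 8
    cert_off, cert_size = struct.unpack_from("<II", data, cert_dir_off)
    h = hashlib.sha256()
    h.update(data[:checksum_off])                     # headers up to CheckSum
    h.update(data[checksum_off + 4:cert_dir_off])     # ... up to the cert entry
    h.update(data[cert_dir_off + 8:size_of_headers])  # ... rest of the headers
    hashed = size_of_headers
    # Section raw data in file order; sections without raw data are skipped.
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt_off + opt_size + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Trailing data (overlay) is hashed too, except the certificate table itself.
    if len(data) > hashed:
        if cert_size and cert_off >= hashed:
            h.update(data[hashed:cert_off])
            h.update(data[cert_off + cert_size:])
        else:
            h.update(data[hashed:])
    return h.hexdigest()


def scan_esp(esp_root: str, dbx: set) -> list:
    """Return (path, digest, blocked) for every PE image below esp_root."""
    found = []
    for dirpath, _, files in os.walk(esp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            try:
                digest = authenticode_sha256(data)
            except (ValueError, struct.error):
                continue  # not a PE image, or a truncated header
            found.append((path, digest, digest in dbx))
    return found


def build_test_pe(payload: bytes, cert_table: bytes = b"", checksum: int = 0) -> bytes:
    """Constructed minimal PE32+ image with one .text section (test input only)."""
    headers_size, raw_size = 0x200, (len(payload) + 0x1FF) & ~0x1FF
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    opt = bytearray(240)                                    # PE32+ with 16 data dirs
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 60, headers_size)           # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)               # CheckSum
    if cert_table:                                          # certificate table at EOF
        struct.pack_into("<II", opt, 112 + 4 * 8, headers_size + raw_size, len(cert_table))
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                       raw_size, headers_size, 0, 0, 0, 0, 0x60000020)
    image = bytes(dos) + coff + bytes(opt) + sect
    image += b"\0" * (headers_size - len(image))
    return image + payload.ljust(raw_size, b"\0") + cert_table


def demo() -> list:
    """Fake ESP in a temp dir: an old loader whose digest is put in the dbx set
    next to the two digests quoted on this page, and a new loader that is not.
    Returns the (relative path, digest) pairs fwupd would report as blocked."""
    old, new = build_test_pe(b"old shim"), build_test_pe(b"new shim")
    dbx = {"af79b14064601bc0987d4747af1e914a228c05d622ceda03b7a4f67014fee767",
           "2ea4cb6a1f1eb1d3dce82d54fde26ded243ba3e18de7c6d211902a594fe56788",
           authenticode_sha256(old)}
    with tempfile.TemporaryDirectory() as esp:
        os.makedirs(os.path.join(esp, "EFI", "BOOT"))
        for name, image in (("bkpbootx64.efi", old), ("BOOTX64.EFI", new)):
            with open(os.path.join(esp, "EFI", "BOOT", name), "wb") as f:
                f.write(image)
        return [(os.path.relpath(p, esp), d) for p, d, blocked in scan_esp(esp, dbx) if blocked]
```

Two properties of the digest are worth checking on your own binaries: re-signing or attaching a certificate table must not change it (the signature is what the firmware verifies, the digest is what dbx lists), and changing the PE CheckSum must not change it either. If a digest you compute differs from what fwupd prints, the most common cause is a section table whose PointerToRawData entries are not in ascending order, which is why the code sorts them before hashing.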

A User Adds . .

In my case, the file that the update complained about was /boot/efi/EFI/BOOT/bkpbootx64.efi. I discovered that that file was a year older than the other files within the same directory. A web search disclosed that the file was 'a backup regularly created by Boot-Repair.' Boot-Repair is a third-party program that is designed to be used on Ubuntu and which one can use, with caution, on Ubuntu derivatives such as Linux Mint. I am on Mint and had used the program. I deleted the backup file, i.e. /boot/efi/EFI/BOOT/bkpbootx64.efi. I told fwupd to do the update. I rebooted; fwupd gave little sign of having done the update, but running fwupd again suggested that the update had indeed been performed, and my system seems to continue to work perfectly well.

Another user found the following. 'My problem was that I had a very old /boot/efi/EFI/ubuntu from a previous install. I am running Fedora. So the very old ubuntu components were not being updated, blocking the UEFI dbx update.'

In my case, I used a dual-boot laptop (Lenovo T-480) with Fedora and Windows on two NVMe drives, both containing an EFI partition. The factory-installed EFI partition on the NVMe containing Windows was never updated and had a bootx64.efi from 2018 in it. I solved the problem like this:

  • download the Windows 11 ISO from Microsoft.com
  • open the ISO file and extract the bootx64.efi file from the efi/boot subdirectory
  • download and install https://sourceforge.net/projects/grub2win/ while being logged in as administrator
  • accept the download and installation of GNU Grub etc. They'll be removed automatically when uninstalling Grub2Win. Just accept all the defaults.
  • Once installed, you can run Grub2Win.
  • Select EFI partition operations. On a dual-boot system with two hard drives, you'll see two lines with browse before them. Locate the line with "This is the Windows EFI Partition" and press browse. Enter the boot subdirectory and check the date of your bootx64.efi file.
  • Press cancel and in the pull-down menu of the same line, select “Backup the EFI-partition files” and press apply actions.
  • Open the backup folder. You can notice the location in update.log window.
  • Make a copy of your EFI backup folder in a safe place, but not under c:\grub2 as this will be removed later.
  • Now, open the original EFI backup folder under C and replace the outdated bootx64.efi with the one that was previously extracted from the Win 11 ISO.
  • Select restore the EFI partition files, press apply actions and select the folder to restore
  • You’re basically done now. Use browse again to verify the outdated file has been replaced with a new one.
  • Now remove the grub2 program by opening the control panel - uninstall programs - Grub2Win.
  • You will get an error that Grub2Win cannot find your Linux EFI file on the other disk, and that the system will reboot in Windows. That’s easy to rectify afterwards in the BIOS.
  • If Grub2Win asks to completely remove Grub2Win: select yes.
  • Now reboot, enter the BIOS and reorder the boot sequence. That's it. fwupdmgr should be able to download everything now.