Problem Description:
My PC (Dell Latitude 5580) originally had Windows 11. I got fed up with the constant unwanted updates and removed that OS when I went to Ubuntu 25.04. I updated to 25.10 when it became available. I have been getting pestered with the notice to update uefi dbx. The dbx suffix leads me to believe that this is for Linux machines, but when I downloaded the uefi update after I first installed 25.04, I was locked out of my machine and ended up re-installing the OS. Is uefi dbx safe to install on a 25.10 machine? Do I need to update anything else first?
If not safe to install, how do I prevent the frequent update requests?
Yes, you should keep your system up-to-date, i.e., fully updated.
No, it's not anything Linux related (or any other OS for that matter). They are UEFI updates and you may also see some related to UEFI CA if your certificates are about to expire. The same kind of updates would be offered in Windows.
This is how Google AI answered the question: "What is the UEFI dbx?"
The UEFI dbx (Secure Boot Forbidden Signature Database) is a revocation list that identifies and blocks vulnerable or malicious UEFI applications, drivers, and bootloaders from running during the system startup. It acts as a security check within UEFI Secure Boot, preventing compromised code, such as the BlackLotus bootkit, from hijacking the boot process.
Key Details About UEFI dbx:
Purpose: The dbx serves as a "blacklist" or "revocation list" of signatures, hashes, and certificates for known-vulnerable boot loaders, ensuring only trusted code executes.
Updates: Updates to the dbx, often delivered through OS update tools (like Linux Vendor Firmware Service - LVFS), patch security holes by adding new forbidden signatures, acting similar to an antivirus update.
Security Role: Without regular updates, a system might allow, for instance, an old, vulnerable version of GRUB to run, potentially enabling a security bypass.
Management: While generally safe, updating the dbx can sometimes cause issues if it revokes boot files currently in use; it is recommended to keep it up-to-date to ensure security.
Source: The list is maintained by the UEFI Forum and, as of 2024, hosted in a Microsoft GitHub repository, providing the official list of forbidden signatures.
Essentially, keeping the dbx updated ensures that your system rejects malicious or insecure software during the boot process.
The other year (2020) a serious vulnerability was discovered in the Grub bootloader. Linux distribution developers including Canonical worked with Microsoft first to get the vulnerable Grub files blacklisted in the UEFI dbx and then to get the patched Grub files certified by Microsoft so that they would be accepted by the UEFI dbx.
GRUB BootHole vulnerability (CVE-2020-10713) is a critical buffer overflow flaw in the GRUB2 bootloader affecting nearly all Linux distributions and Windows systems using UEFI Secure Boot. It allows attackers to bypass Secure Boot, execute malicious code, and gain persistent control before the OS loads, typically requiring local access.
Key Aspects of the BootHole Vulnerability:
Root Cause: A parsing error in the grub.cfg configuration file leads to a buffer overflow in GRUB2.
Impact: Attackers with elevated privileges can bypass signature checks, allowing them to load unsigned code, alter the boot process, and install bootkits.
Scope: Affects almost all systems using GRUB2 with UEFI Secure Boot, including popular Linux distributions (Red Hat, Ubuntu, SUSE, Debian) and Windows machines.
Mitigation: Requires patching the GRUB2 bootloader, updating the shim loader, and updating the UEFI Forbidden Signature Database (DBX) to revoke vulnerable signatures.
Action Required:
System administrators must update boot components via their OS vendor (e.g., SUSE, Red Hat, Canonical) and, once patched, update the UEFI DBX to block older, vulnerable bootloaders. Failure to update before applying DBX updates can render systems unbootable.
To give my personal experience, I have had a Dell for several years. The firmware updates have been flawless (except briefly when there was a bug in fwupdmgr itself; see @graymech's comment above), and it has never locked me out of my machine. Dell explicitly supports Ubuntu on most (not all) of its machines, so it's a good make to have.
It would have been nice to have seen the error messages causing you to have been locked out of your machine; it probably would have been fixable without reinstalling Ubuntu.
In your place, I would run all the normal updates first, and then the firmware updates.
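As an added example (not code from this thread, from fwupd, or from Dell/Canonical), here is a small Python parser for a dbx blob that turns the advice above into a check you can run before applying a firmware update: does the pending dbx revoke a boot component this machine is currently using? The dbx variable is a run of EFI_SIGNATURE_LIST structures; I assume the blob is either the raw payload of an LVFS dbx update or the contents of /sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f (which efivarfs prefixes with a 4-byte attributes word). Only SHA-256 entries are matched; X.509 entries are parsed but skipped. The GRUB and shim hashes below are constructed stand-ins; a real dbx entry is the Authenticode hash of the PE image (what sbverify or pesign compute), not a plain sha256 of the file on disk, and you would take the dbx itself from the update fwupdmgr get-updates offers rather than build it as this demo does.

```python
"""Parse a UEFI dbx blob (a run of EFI_SIGNATURE_LIST structures) and report
which installed boot components a pending dbx update would revoke.

Added example, not code from the thread, from fwupd, or from Dell/Canonical.
Assumptions: the blob is the raw variable payload (as carried in an LVFS dbx
update) or the contents of the efivarfs dbx file, which carries a 4-byte
attributes prefix.  Only SHA-256 entries are matched; X.509 entries are
parsed but skipped.  Sample hashes are constructed: a real dbx hash is the
Authenticode hash of the PE image, not sha256 of the file bytes.
"""
import hashlib
import struct
import uuid

EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
SIG_LIST_HEADER = 16 + 4 + 4 + 4  # SignatureType, ListSize, HeaderSize, SignatureSize


def strip_efivarfs_attributes(blob: bytes) -> bytes:
    """Drop the 4-byte attributes word efivarfs prepends, if it is present."""
    known = {EFI_CERT_SHA256_GUID.bytes_le, EFI_CERT_X509_GUID.bytes_le}
    if blob[:16] not in known and blob[4:20] in known:
        return blob[4:]
    return blob


def parse_signature_lists(blob: bytes):
    """Yield (signature_type, owner_guid, signature_data) for every entry.

    Every size field is bounds-checked so a truncated or corrupt blob raises
    ValueError instead of silently yielding a short (and therefore wrong) list.
    """
    blob = strip_efivarfs_attributes(blob)
    off = 0
    while off < len(blob):
        if len(blob) - off < SIG_LIST_HEADER:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        body = off + SIG_LIST_HEADER + hdr_size
        if list_size < SIG_LIST_HEADER or end > len(blob) or body > end:
            raise ValueError(f"bad SignatureListSize/SignatureHeaderSize at offset {off}")
        if sig_size < 16 or (end - body) % sig_size:
            raise ValueError(f"SignatureSize {sig_size} does not fit the list at offset {off}")
        for p in range(body, end, sig_size):
            owner = uuid.UUID(bytes_le=blob[p:p + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, blob[p + 16:p + sig_size]
        off = end


def is_well_formed(blob: bytes) -> bool:
    """True if the whole blob parses without a bounds error."""
    try:
        for _ in parse_signature_lists(blob):
            pass
        return True
    except ValueError:
        return False


def revoked_sha256(blob: bytes) -> set:
    """Hex SHA-256 (Authenticode) hashes the dbx forbids."""
    return {data.hex() for t, _, data in parse_signature_lists(blob)
            if t == EFI_CERT_SHA256_GUID and len(data) == 32}


def components_revoked_by(dbx_blob: bytes, installed: dict) -> list:
    """Names from `installed` (name -> hex hash) that this dbx would block.

    Run it against the *pending* dbx before applying it: a non-empty result
    means shim/GRUB must be updated first or the machine will not boot after.
    """
    banned = revoked_sha256(dbx_blob)
    return sorted(name for name, h in installed.items() if h.lower() in banned)


def build_sha256_list(hashes, owner: uuid.UUID = MICROSOFT_OWNER_GUID) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (used only to construct the demo dbx)."""
    body = b"".join(owner.bytes_le + bytes.fromhex(h) for h in hashes)
    sig_size = 16 + 32  # SignatureOwner GUID + SHA-256 digest
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack(
        "<III", SIG_LIST_HEADER + len(body), 0, sig_size)
    return header + body


# Constructed sample data: stand-ins for an old (revoked) GRUB, a patched GRUB and shim.
OLD_GRUB_HASH = hashlib.sha256(b"constructed: vulnerable grubx64.efi").hexdigest()
NEW_GRUB_HASH = hashlib.sha256(b"constructed: patched grubx64.efi").hexdigest()
SHIM_HASH = hashlib.sha256(b"constructed: shimx64.efi").hexdigest()
PENDING_DBX = build_sha256_list([OLD_GRUB_HASH])


def demo() -> dict:
    """What the pre-flight check reports for a stale and a fully patched machine."""
    stale = {"shimx64.efi": SHIM_HASH, "grubx64.efi": OLD_GRUB_HASH}
    patched = {"shimx64.efi": SHIM_HASH, "grubx64.efi": NEW_GRUB_HASH}
    return {
        "stale_machine": components_revoked_by(PENDING_DBX, stale),
        "patched_machine": components_revoked_by(PENDING_DBX, patched),
    }


if __name__ == "__main__":
    for machine, hits in demo().items():
        print(machine, "->", "safe to apply" if not hits else f"would revoke {hits}")
```

The stale machine (old GRUB still installed) is reported as one the pending dbx would revoke, which is exactly the situation the answer warns about; the machine that ran its normal package updates first comes back clean. That is why the order "normal updates first, then firmware" matters.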
I am not a Linux techie and don't strive to be an expert, so you all are a real blessing to those of us who know so little. I am good at following instructions.
When I ran:
sudo apt update
all went well, though I got the following warning after it was done running:
Warning: OpenPGP signature verification failed: https://twilio-cli-prod.s3.amazonaws.com/apt InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 02B5018EA99E99CD
In my opinion, your problem is not in any way connected to the UEFI dbx not being updated. Your problem should be in its own topic. In my opinion.
You have installed a repository on your system as a software source. But Ubuntu cannot access that repository to check for updated software packages because the OpenPGP security key cannot be found.
This could be because the OpenPGP security key has not been downloaded. Or, it has been downloaded but in a location that is no longer being used. Please read the second answer by popey in this existing topic.