Discover suggests an update not shown in Pamac

Discover suggests an update not shown in Pamac: of UEFI dbx 272 —> 371

UEFI Secure Boot Forbidden Signature Database
Insecure versions of the Microsoft Windows boot manager affected by Black Lotus were added to the list of forbidden signatures due to a discovered security problem. This updates the dbx to the latest release from Microsoft.

Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. Applying this update may also cause some Windows install media to not start correctly.

UEFI Revocation List File | Unified Extensible Firmware Interface Forum

I never use Discover to apply updates, just to hint me to add-on updates which I then do manually.

Is what it is from. Nothing to do with system packages or pamac.

(well … aside from the fwupd package itself)

https://wiki.archlinux.org/title/Fwupd


Is fwupd a package that gets installed with Discover?
Should I apply the update?

No.
It is an optional dep.

That's up to you.
Do you trust your hardware manufacturer? Do you trust their firmware updates?
Do you trust fwupd to handle them properly?

Otherwise … the general rule for firmware (and security) updates is … do them.

(you would likely find the same update(s) on your manufacturer website in whatever form - EFI binaries or windoze executables, etc … and could use that to update the traditional way instead)


I guess it’s not necessary, since I put Secure Boot off I remember. Which is only for Windoze…

Linux Vendor Firmware Service

The Linux Vendor Firmware Service is a secure portal which allows hardware vendors to upload firmware updates.

This site is used by all major Linux distributions to provide metadata for clients such as fwupdmgr and GNOME Software.

There is no charge to vendors for the hosting or distribution of content. Consulting companies can offer advice and help you get on the LVFS.
https://fwupd.org/

fwupd is the Linux tool for doing firmware updates.

Firmware updates include the updating of the certificate chain which controls which OS is signed for secure boot.

Such updates will contain certificate revocation for signing of vulnerable EFI loaders.

If you do not update your certificate chain - your system will be vulnerable if you are dual-booting Windows.

Not all systems are supported - as it requires the vendor to actually participate.

fwupd is only a storage/update platform - they do not provide any updates on their own - it is the respective vendor which provides the firmware.

Dell and Lenovo are among those who actively distribute firmware for their devices using the fwupd platform.

https://fwupd.org/lvfs/vendors/
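
As an added example (not part of any post in this thread and not fwupd's own code), the sketch below parses the dbx that the update discussed above replaces and counts the revoked SHA-256 image hashes and X.509 certificates it holds. The function names and the sample bytes are constructed for illustration; the efivarfs path and the EFI_SIGNATURE_LIST layout follow the UEFI specification.

```python
import struct
import uuid

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DBX_EFIVAR = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def parse_signature_lists(blob):
    """Return (sha256_hex_digests, x509_count) from concatenated EFI_SIGNATURE_LISTs."""
    hashes, certs, off = [], 0, 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        for i in range(0, len(body), sig_size):
            data = body[i + 16:i + sig_size]  # skip 16-byte SignatureOwner GUID
            if sig_type == EFI_CERT_SHA256 and len(data) == 32:
                hashes.append(data.hex())
            elif sig_type == EFI_CERT_X509:
                certs += 1
        off += list_size
    return hashes, certs


def read_dbx(path=DBX_EFIVAR):
    """Read the live dbx; efivarfs prepends a 4-byte attributes field."""
    with open(path, "rb") as f:
        return parse_signature_lists(f.read()[4:])


def build_sample():
    """Constructed sample: one SHA-256 list holding two made-up digests."""
    owner = uuid.UUID(int=0).bytes_le
    sigs = b"".join(owner + bytes([n]) * 32 for n in (0xAA, 0xBB))
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(sigs), 0, 48) + sigs


if __name__ == "__main__":
    try:
        hashes, certs = read_dbx()
    except OSError:  # not booted via UEFI, or no dbx variable present
        hashes, certs = parse_signature_lists(build_sample())
    print(f"{len(hashes)} revoked SHA-256 hashes, {certs} revoked certificates")
```

Running it before and after applying the update shows the revocation list growing; on a machine without a readable dbx it falls back to the constructed sample.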

Thank you, I installed the update. Does Manjaro itself also have a vendor update utility?
