I've installed fwupd out of curiosity and now it shows packages to update:
sudo LC_ALL=C fwupdmgr get-updates
[sudo] password di computer:
Devices with no available firmware updates:
 • SSD 980 PRO 500GB
 • SSD 990 PRO 1TB
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • UEFI Device Firmware
 • 067A:00 04F3:3197
 • Internal SPI Controller (BIOS)
 • Internal SPI Controller (Embedded Controller)
 • KEK CA
 • KEK CA
 • PCH SPI Controller
 • ThinkPad Product CA
 • UEFI CA
 • Windows Production PCA
Devices with the latest available firmware version:
 • Battery
 • Embedded Controller
 • Intel Management Engine
 • System Firmware
LENOVO 20Y3CTO1WW
│
├─UEFI CA:
│ │   Device ID:        5bc922b7bd1adb5b6f99592611404036bd9f42d0
│ │   Current version:  2011
│ │   Vendor:           Microsoft (UEFI:Microsoft)
│ │   GUIDs:            26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ │                     c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│ │   Device Flags:     • Internal device
│ │                     • Updatable
│ │                     • Supported on remote server
│ │                     • Needs a reboot after installation
│ │                     • Signed Payload
│ │                     • Can tag for emulation
│ │
│ └─Secure Boot Signature Database Configuration Update:
│       New version:      2023
│       Remote ID:        lvfs
│       Release ID:       116503
│       Summary:          UEFI Secure Boot Signature Database
│       License:          Proprietary
│       Size:             10.0 kB
│       Created:          2025-04-29 00:00:00
│       Urgency:          High
│       Tested:           2025-10-17 00:00:00
│       Distribution:     fedora 42 (workstation)
│       Old version:      2011
│       Version[fwupd]:   2.0.16
│       Tested:           2025-09-17 00:00:00
│       Distribution:     fedora 42 (workstation)
│       Old version:      2011
│       Version[fwupd]:   2.0.16
│       Tested:           2025-07-24 00:00:00
│       Distribution:     nixos 25.11
│       Old version:      2011
│       Version[fwupd]:   2.0.12
│       Vendor:           Linux Foundation
│       Release Flags:    • Trusted metadata
│                         • Is upgrade
│       Description:
│       This updates the 3rd Party UEFI Signature Database (the "db") to the latest release from Microsoft. It also adds the latest OptionROM UEFI Signature Database update.
│       Checksum:         6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74
│
└─UEFI dbx:
  │   Device ID:        362301da643102b9f38477387e2193e57abaa590
  │   Summary:          UEFI revocation database
  │   Current version:  20230501
  │   Minimum Version:  20230501
  │   Vendor:           Microsoft (UEFI:Microsoft)
  │   Install Duration: 1 second
  │   GUIDs:            5971a208-da00-5fce-b5f5-1234342f9cf7 ← UEFI\CRT_A9087D1044AD18F7A94916D284CBC01827CF23CD8F60B79072C9CAA1FEF4D649&ARCH_X64
  │                     f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
  │   Device Flags:     • Internal device
  │                     • Updatable
  │                     • Supported on remote server
  │                     • Needs a reboot after installation
  │                     • Device is usable for the duration of the update
  │                     • Only version upgrades are allowed
  │                     • Signed Payload
  │                     • Can tag for emulation
  │
  ├─Secure Boot dbx Configuration Update:
  │     New version:      20250902
  │     Remote ID:        lvfs
  │     Release ID:       130035
  │     Summary:          UEFI Secure Boot Forbidden Signature Database
  │     Variant:          x64
  │     License:          Proprietary
  │     Size:             24.1 kB
  │     Created:          2025-09-02 00:00:00
  │     Urgency:          High
  │     Tested:           2025-11-10 00:00:00
  │     Distribution:     fedora 43 (kde)
  │     Old version:      20230501
  │     Version[fwupd]:   2.0.16
  │     Tested:           2025-10-17 00:00:00
  │     Distribution:     fedora 42 (workstation)
  │     Old version:      20250507
  │     Version[fwupd]:   2.0.17
  │     Vendor:           Linux Foundation
  │     Duration:         1 second
  │     Release Flags:    • Trusted metadata
  │                       • Is upgrade
  │                       • Tested by trusted vendor
  │     Description:
  │     This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
  │
  │     Some insecure versions of the IGEL bootloader were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
  │     Issue:            CVE-2025-47827
  │     Checksum:         7178302fa23fcb875e7540900e299fb30a76758663efb7e1c56edc25cd3f316a
  │
  ├─Secure Boot dbx Configuration Update:
  │     New version:      20250507
  │     Remote ID:        lvfs
  │     Release ID:       115586
  │     Summary:          UEFI Secure Boot Forbidden Signature Database
  │     Variant:          x64
  │     License:          Proprietary
  │     Size:             24.0 kB
  │     Created:          2025-01-17 00:00:00
  │     Urgency:          High
  │     Tested:           2025-10-17 00:00:00
  │     Distribution:     fedora 42 (workstation)
  │     Old version:      20230501
  │     Version[fwupd]:   2.0.16
  │     Tested:           2025-06-11 00:00:00
  │     Distribution:     fedora 42 (workstation)
  │     Old version:      20241101
  │     Version[fwupd]:   2.0.11
  │     Vendor:           Linux Foundation
  │     Duration:         1 second
  │     Release Flags:    • Trusted metadata
  │                       • Is upgrade
  │                       • Tested by trusted vendor
  │     Description:
  │     This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
  │
  │     Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
  │     Issues:           806555
  │                       CVE-2025-3052
  │     Checksum:         40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6
  │
  └─Secure Boot dbx Configuration Update:
        New version:      20241101
        Remote ID:        lvfs
        Release ID:       105821
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64
        License:          Proprietary
        Size:             15.1 kB
        Created:          2025-01-17 00:00:00
        Urgency:          High
        Tested:           2025-10-31 00:00:00
        Distribution:     ubuntu 24.04
        Old version:      20230501
        Version[fwupd]:   1.9.28
        Vendor:           Linux Foundation
        Duration:         1 second
        Release Flags:    • Trusted metadata
                          • Is upgrade
        Description:
        This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
        An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
        Issues:           529659
                          CVE-2024-7344
        Checksum:         093e6913dfecefbdaa9374a2e1caee7bf7e74c7eda847624e456e344884ba5f6
Generally I do updates in Win11 via lenovo-update and it is updated.
My system has Secure Boot and TPM disabled, key erased in TPM.
So my question is whether I can let fwupd apply those updates or stay only with lenovo-update.
Is there any risk in using fwupd?