2

I own a rather old server, a Dell PowerEdge T20, with the latest BIOS version A20, link to Dell updates, screen of the update in case the link goes dead in time:


This morning, when I SSH'd into this server, I was greeted with a message that there is one firmware update available (see below for complete details). It also said I could run:

fwupdmgr get-upgrades

to get information about it, which I did.

$ ssh-s
up 18 hours, 31 minutes

1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.

root @ dell-poweredge-t20 /root # fwupdmgr get-upgrades
WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates: 
 • Samsung SSD 860 PRO 256GB
 • WDC WD5000BMVU-11A08S0
PowerEdge T20
│
└─UEFI dbx:
  │   Device ID:          362301da643102b9f38477387e2193e57abaa590
  │   Summary:            UEFI Revocation Database
  │   Current version:    77
  │   Minimum Version:    77
  │   Vendor:             UEFI:Linux Foundation
  │   Install Duration:   1 second
  │   GUIDs:              c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
  │                       f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │ 
  ├─Secure Boot dbx:
  │     New version:      217
  │     Remote ID:        lvfs
  │     Summary:          UEFI Secure Boot Forbidden Signature Database
  │     License:          Proprietary
  │     Size:             13.8 kB
  │     Created:          2020-07-29
  │     Urgency:          High
  │     Vendor:           Linux Foundation
  │     Duration:         1 second
  │     Flags:            is-upgrade
  │     Description:      
  │     This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
  │     
  │     Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. If the installation fails, you will need to update shim and grub packages before the update can be deployed.
  │     
  │     Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly. You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.
  │   
  ├─Secure Boot dbx:
  │     New version:      211
  │     Remote ID:        lvfs
  │     Summary:          UEFI Secure Boot Forbidden Signature Database
  │     License:          Proprietary
  │     Size:             13.5 kB
  │     Created:          2021-04-29
  │     Urgency:          High
  │     Vendor:           Linux Foundation
  │     Duration:         1 second
  │     Flags:            is-upgrade
  │     Description:      
  │     This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
  │   
  └─Secure Boot dbx:
        New version:      190
        Remote ID:        lvfs
        Summary:          UEFI Secure Boot Forbidden Signature Database
        License:          Proprietary
        Size:             14.4 kB
        Created:          2020-07-29
        Urgency:          High
        Vendor:           Linux Foundation
        Duration:         1 second
        Flags:            is-upgrade
        Description:      
        This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
      
root @ dell-poweredge-t20 /root # 

I have never updated my BIOS/UEFI with/from Linux. My first question would be:

What is this update exactly designed for? (new BIOS?)

Second: is it safe to proceed with the update, and are there any dis-/advantages?

Thank you.

Notes:

  • This server runs Debian 11.

  • Secure Boot is disabled on this machine.

  • I have disabled UEFI capsule updates in the BIOS as a precaution.

1 Answer

3

These are UEFI revocation list updates; they revoke signatures used for Secure Boot.

Since you don’t use Secure Boot they are irrelevant for you. Since UEFI capsule updates are disabled you probably wouldn’t be able to apply them anyway.
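Whether the revocation list matters on a given machine can be checked directly from the UEFI variables. The following is an added example, not part of the original answer or of fwupd: it reads the `SecureBoot` state and walks the `EFI_SIGNATURE_LIST` structures of the current `dbx`. It assumes Linux with efivarfs mounted at `/sys/firmware/efi/efivars`; the function names and the sample blob are made up for illustration.

```python
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
SECUREBOOT_VAR = "SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032c8c"  # EFI global namespace
DBX_VAR = "dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"                # image security namespace
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def secure_boot_enabled(raw: bytes) -> bool:
    """raw is the efivarfs file content: 4 attribute bytes, then one data byte."""
    return len(raw) >= 5 and raw[4] == 1


def dbx_sha256_hashes(raw: bytes) -> list:
    """Walk every EFI_SIGNATURE_LIST in a dbx blob and return its SHA-256 entries as hex."""
    data, off, hashes = raw[4:], 0, []  # drop the efivarfs attribute prefix
    while off < len(data):
        if off + 28 > len(data):
            raise ValueError("truncated signature list header")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size < 16 or end > len(data):
            raise ValueError(f"malformed signature list at offset {off}")
        for pos in range(off + 28 + hdr_size, end - sig_size + 1, sig_size):
            if sig_type == EFI_CERT_SHA256:  # entry: 16-byte owner GUID + 32-byte digest
                hashes.append(data[pos + 16:pos + sig_size].hex())
        off = end
    return hashes


def constructed_dbx(digests) -> bytes:
    """Build a sample dbx blob (constructed test data, not a real revocation list)."""
    body = b"".join(bytes(16) + d for d in digests)
    head = EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return struct.pack("<I", 0x27) + head + body


if __name__ == "__main__":
    try:  # real variables on a UEFI-booted Linux system
        sb, dbx = (EFIVARS / SECUREBOOT_VAR).read_bytes(), (EFIVARS / DBX_VAR).read_bytes()
    except OSError:  # fall back to constructed sample values
        sb = struct.pack("<IB", 0x06, 0)
        dbx = constructed_dbx([bytes([i]) * 32 for i in (1, 2)])
    print("Secure Boot enabled:", secure_boot_enabled(sb))
    print("SHA-256 revocations in dbx:", len(dbx_sha256_hashes(dbx)))
```

With Secure Boot reported as disabled, the firmware does not enforce the dbx at boot, which is the situation the answer describes.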
