I have worked with RL for a long time and have it installed in many VMs inside our local VMware infra and also at our cloud provider. We install VMs with EFI BIOS and Secure Boot enabled.
I just installed an RL10 VM for testing purposes. After the install, I get this when I log in via ssh:
```
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
```
As root, with that command I can see that the VMware “UEFI dbx” has an update. Now if I do “fwupdmgr update” with the device ID, I get this:
```
Blocked executable in the ESP, ensure grub and shim are up to date: No valid 'EspLocation' specified in /etc/fwupd/fwupd.conf
```
I’m a little lost here. It’s the first time I’ve ever encountered this, even on the UEFI VMs I’ve installed recently. All VMs are mostly minimal installs.
Either “fwupdmgr update” by itself or with the device ID yields the same result:
```
root@nick-vm:~ # fwupdmgr get-upgrades
Failed to open polkit agent: missing executable pkttyagent in PATH
WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
VMware, Inc. VMware20,1
│
└─UEFI dbx:
  │   Device ID:          362301da643102b9f38477387e2193e57abaa590
  │   Summary:            UEFI revocation database
  │   Current version:    266
  │   Minimum Version:    266
  │   Vendor:             UEFI:Linux Foundation
  │   Install Duration:   1 second
  │   GUIDs:              d07ff664-b0e1-5f4e-a723-d7fbcbfcb94f ← UEFI\CRT_3CD3F0309EDAE228767A976DD40D9F4AFFC4FBD5218F2E8CC3C9DD97E8AC6F9D&ARCH_X64
  │                       f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Device is usable for the duration of the update
  │                       • Only version upgrades are allowed
  │                       • Signed Payload
  │
  └─Secure Boot dbx Configuration Update:
        New version:      371
        Remote ID:        vendor-directory
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64
        License:          Proprietary
        Urgency:          High
        Duration:         1 second
        Release Flags:    • Trusted payload
                          • Trusted metadata
                          • Is upgrade
        Description:
        Insecure versions of the Microsoft Windows boot manager affected by Black Lotus were added to the list of forbidden signatures due to a discovered security problem. This updates the dbx to the latest release from Microsoft.

        Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. Applying this update may also cause some Windows install media to not start correctly.
        Issue:            CVE-2022-21894
        Checksum:         fc3feb015df2710fcfa07583d31b5975ee398357016699cfff067f422ab91e13

root@nick-vm:~ # fwupdmgr update
Failed to open polkit agent: missing executable pkttyagent in PATH
WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 266 to 371?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of the Microsoft Windows boot manager affected by Black    ║
║ Lotus were added to the list of forbidden signatures due to a discovered     ║
║ security problem. This updates the dbx to the latest release from            ║
║ Microsoft.                                                                   ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures. Applying this update may also cause    ║
║ some Windows install media to not start correctly.                           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Decompressing… [                                                               ]
Blocked executable in the ESP, ensure grub and shim are up to date: No valid 'EspLocation' specified in /etc/fwupd/fwupd.conf

root@nick-vm:~ # fwupdmgr update 362301da643102b9f38477387e2193e57abaa590
Failed to open polkit agent: missing executable pkttyagent in PATH
WARNING: UEFI capsule updates not available or enabled in firmware setup
  See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 266 to 371?                                            ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ Insecure versions of the Microsoft Windows boot manager affected by Black    ║
║ Lotus were added to the list of forbidden signatures due to a discovered     ║
║ security problem. This updates the dbx to the latest release from            ║
║ Microsoft.                                                                   ║
║                                                                              ║
║ Before installing the update, fwupd will check for any affected executables  ║
║ in the ESP and will refuse to update if it finds any boot binaries signed    ║
║ with any of the forbidden signatures. Applying this update may also cause    ║
║ some Windows install media to not start correctly.                           ║
║                                                                              ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Decompressing… [                                                               ]
Blocked executable in the ESP, ensure grub and shim are up to date: No valid 'EspLocation' specified in /etc/fwupd/fwupd.conf
```
I just noticed the error about polkit (which was not installed); I still get the same thing with it installed.
**EspLocation=**
Set the preferred location used for the EFI system partition (ESP) path. This is typically used if UDisks was not able to automatically identify the location for any reason.
For the record, our Ansible playbooks that do a lot of stuff after a new VM is installed were removing polkit, and doing so removed udisks2. So I’ve adjusted our playbook to leave polkit and do the “fwupdmgr update” before the first reboots.
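The `EspLocation=` setting quoted above, applied from a script, for hosts where UDisks is not there to find the ESP for fwupd. This is an added example, not code from the thread or from the fwupd project; it assumes `/etc/fwupd/fwupd.conf` uses the `[fwupd]` section of the current file format and that `/boot/efi` is the ESP mount point when `findmnt` cannot identify one.

```shell
#!/bin/sh
# Added example, not from the thread or from fwupd itself.
# When UDisks cannot tell fwupd where the ESP is (here: udisks2 was removed
# together with polkit), fwupd refuses the dbx update with
# "No valid 'EspLocation' specified". Pointing it at the ESP explicitly works.
# Assumptions: fwupd.conf uses a [fwupd] section; fallback mount is /boot/efi.

# Print the mounted ESP path, or fail if none can be found.
find_esp() {
    esp=$(findmnt -rn -o TARGET -t vfat 2>/dev/null \
          | grep -E '^/(boot/efi|efi|boot)$' | head -n1)
    if [ -n "$esp" ]; then printf '%s\n' "$esp"; return 0; fi
    if [ -d /boot/efi ]; then printf '/boot/efi\n'; return 0; fi
    return 1
}

# Set EspLocation=<esp> inside the [fwupd] section of <conf>, replacing an
# existing (or commented-out) key and creating the section if it is missing.
# Idempotent; every other line is kept. Usage: set_esp_location CONF ESP
set_esp_location() {
    conf=$1; esp=$2
    tmp=$(mktemp) || return 1
    awk -v esp="$esp" '
        /^\[/ {
            if (insec && !written) { print "EspLocation=" esp; written = 1 }
            insec = ($0 == "[fwupd]")
        }
        insec && /^#?EspLocation=/ {
            if (!written) { print "EspLocation=" esp; written = 1 }
            next
        }
        { print }
        END {
            if (!written) {
                if (!insec) print "[fwupd]"
                print "EspLocation=" esp
            }
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the effective EspLocation from <conf> (empty if unset).
get_esp_location() {
    awk -F= '/^\[/ { insec = ($0 == "[fwupd]") }
             insec && $1 == "EspLocation" { print $2 }' "$1"
}

# Typical use (as root): set_esp_location /etc/fwupd/fwupd.conf "$(find_esp)"
# then rerun fwupdmgr update. fwupd still scans the ESP for dbx-revoked
# binaries first, so grub and shim must be current before the update is accepted.
```

Reinstalling udisks2 (with polkit) restores automatic ESP discovery, so the explicit setting is only needed where that package is deliberately absent.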