Hi. This seems kind of serious since it mentions an attack bypassing Secure Boot. Should I change the Secure Boot password to something more challenging? I’ve really never been bothered by Secure Boot. This message came about because the Software Updater is failing to install linux-firmware; if I click details, it shows the package at 100%, but I guess the attack prevents the firmware from being installed?
I entered sudo fwupdmgr refresh per a Google search for Updater failing with linux-firmware.
anthony@anthony-OptiPlex-9010:~$ sudo fwupdmgr update
[sudo] password for anthony:
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates:
• ST1000DM003-1CH162
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 468 to 20241101? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest ║
║ release from Microsoft. ║
║ ║
║ An insecure version of Howyar's SysReturn software was added, due to a ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot. ║
║ ║
║ UEFI dbx and all connected devices may not be usable while updating. ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]:
I chose Yes because it mentions Microsoft security, and I figured that maybe it would do good; I rebooted, but Software Updater still says to check Internet when installing linux-firmware.
It states this operation updates signatures from Microsoft, so since I have nothing to do with Microsoft (I have no Windows OS on my computer), I am not really sure what this message means? I was concerned because it mentioned an attack. The BIOS was created by Dell.
That problem regarding downloading and installing / updating the "linux-firmware" software package is related to the following current problem, reported in the “Ubuntu Discourse” / “Ubuntu Community Hub”:
That problem is also being discussed, here in the “Ubuntu MATE Community”, in the following discussion topic:
@ricmarques Thank you very much. I think that before I posted the original message, I was alerted that it was similar to the UM Community post you linked. So, I did click the link and I think I found that it was a server issue (someone mentioned that error 500 was reported, and that meant it was a server error). Sorry about the extra post; thanks again for your help. I guess I was concerned about the attack mentioned in my post.
Secure Boot is just a UEFI feature to ensure only signed bootloaders and kernels are permitted to load at boot time. Microsoft were instrumental in building that feature.
I think Microsoft are in charge of OEM signing keys, or granting third party keys so Canonical/Ubuntu can sign their own. Or in this case, Microsoft just updated the dbx (forbidden signatures database).
Really, it's just updating that signature database, like antiviruses, nothing to do with user-defined passwords. It looks like some UEFI software had a vulnerability so that key's being revoked. I believe that once the package is updated, it should be all good.
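To make the "forbidden signatures database" concrete, here is an added example (not from the post above or from fwupd) that parses the on-disk format of db/dbx: a chain of EFI_SIGNATURE_LIST structures as read from /sys/firmware/efi/efivars/ (after stripping the 4-byte attribute prefix). The GUIDs are the UEFI specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID; the owner GUID and hashes in the sample are constructed placeholders.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (dbx entries are mostly SHA-256 hashes).
SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # EFI_CERT_SHA256_GUID
X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # EFI_CERT_X509_GUID
SIG_TYPES = {SHA256_GUID: "sha256", X509_GUID: "x509"}
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")

def strip_efivars_attrs(raw: bytes) -> bytes:
    """Files under /sys/firmware/efi/efivars/ carry 4 bytes of variable attributes first."""
    return raw[4:]

def parse_signature_db(blob: bytes) -> list:
    """Walk concatenated EFI_SIGNATURE_LISTs and return one dict per EFI_SIGNATURE_DATA."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated list header at offset {off}")
        type_raw, list_size, hdr_size, sig_size = HEADER.unpack_from(blob, off)
        body_start, body_end = off + HEADER.size + hdr_size, off + list_size
        if body_end > len(blob) or body_start > body_end or sig_size < 16:
            raise ValueError(f"inconsistent sizes in list at offset {off}")
        body = blob[body_start:body_end]
        if len(body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of signatures")
        kind = SIG_TYPES.get(uuid.UUID(bytes_le=type_raw), "unknown")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])   # SignatureOwner
            data = body[i + 16:i + sig_size]             # SignatureData (hash or DER cert)
            entries.append({"type": kind, "owner": str(owner),
                            "data": data.hex() if kind == "sha256" else data})
        off = body_end
    return entries

def build_sha256_list(hashes: list, owner: str) -> bytes:
    """Serialise SHA-256 hashes as one list; used here only to construct sample input."""
    body = b"".join(uuid.UUID(owner).bytes_le + h for h in hashes)
    return HEADER.pack(SHA256_GUID.bytes_le, HEADER.size + len(body), 0, 16 + 32) + body

if __name__ == "__main__":
    # Constructed sample: two dummy hashes under a placeholder owner GUID, plus efivars attrs.
    sample = b"\x07\x00\x00\x00" + build_sha256_list(
        [b"\x11" * 32, b"\x22" * 32], "00000000-0000-0000-0000-000000000001")
    for entry in parse_signature_db(strip_efivars_attrs(sample)):
        print(entry["type"], entry["owner"], entry["data"])
```

On a real machine, feeding the contents of the dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f efivars file through the same two functions lists every revoked hash and certificate the firmware will refuse to boot.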
I would like to see open-source OSes all go to coreboot. My System76 laptop had coreboot and it works well.
Coreboot does not use Windows signing keys. Instead, it is an open-source project that aims to replace proprietary BIOS firmware with a lightweight and flexible alternative. Coreboot allows users to customize their firmware and does not rely on the signing keys used by Windows for Secure Boot.
Secure Boot and Coreboot
Secure Boot: This is a feature of UEFI firmware that ensures only signed operating systems and bootloaders can be loaded. It uses keys that are typically provided by Microsoft for Windows.
Coreboot: While Coreboot can support Secure Boot, it does not inherently use Windows signing keys. Instead, it can be configured to work with its own keys or with keys that the user provides.
Coreboot was developed by a community of open-source contributors and is maintained by the coreboot project, which includes developers from various organizations and independent contributors. The project began in 1999 as "LinuxBIOS" and was later renamed to Coreboot in 2008.
Key Contributors and Organizations
Google: Heavily involved in the development of Coreboot, especially for Chromebooks and other devices.
Intel: Contributes to Coreboot, particularly for their hardware platforms.
AMD: Also supports Coreboot for some of their processors.
Various Open-Source Communities: Many independent developers and organizations contribute to the project.
FYI: coreboot, libreboot and osboot are all published from the same source (different forks). They are different compile-time profiles intended for different targets.