Hello:
I started getting a warning about problems with secure boot dbx, which really caught my attention because it had never happened to me before.
I tried disabling secure boot mode in the BIOS, but my Asus Prime B450M-AII motherboard doesn't allow me to do so (it appears dimmed).
Does anyone know how to fix this? I found some pages that discussed the topic, but they were too technical, so I didn't understand a thing.
Thank you very much in advance.
You're not the only one having issues. Other people have reported the same, including myself. @Aravisian has said that the Zorin Group is aware, but we all haven't heard anything from them about a resolution to this problem. Nothing we can do except sit tight and wait. I hope the Zorin Group says something sooner rather than later, and quick. It's been a few days, and I suspect this issue is much larger than we all realize. This adds to the urgency of it, given the audience Zorin OS is intended for and the likelihood that most users (Windows migrants) will not know what to do (while expecting acknowledgment or communication), and probably move on from Zorin in relatively short order if this persists. Mind you, when I say "Windows migrants," I mean the (likely large) subgroup of users who just straight up moved to Zorin without learning much about Linux, the terminal, and so on. They're liable to switch if this isn't fixed (or communicated about) ASAP. (Not being deliberately "negative" or anything; just keeping it "real.")
This is a known problem at the moment. Some examples:
The Zorin Team was informed about this. So we have to wait and see what they find out about it.
Thank you very much for the reply.
This problem isn't present in Linux Mint, Zorin OS's main competitor. I think the Zorin brothers should learn lessons from the Mint group: they communicate more fluidly with their users and provide much more information about what they're doing (every month they post information on their blog and engage with some community members).
Best regards.
Exactly. This is something I have repeatedly said in the past. Others, too.
Linux Distributions Affected by UEFI CVE DBX
Several Linux distributions are affected by the UEFI-related CVE issues in respect of the dbx (revocation list).
For instance, Ubuntu has faced issues with updating the UEFI dbx, where users reported that the update process did not work as expected, and the list would not update after a reboot. Similarly, Rocky Linux users have encountered difficulties in updating the DBX database, with the current version being 371, while some systems, like VMware, only provide version 77. Additionally, Fedora users have raised concerns about the safety of UEFI dbx updates, questioning whether installing them could potentially affect their system's ability to boot into Linux or a dual-boot Windows installation.
These issues highlight the importance of keeping the dbx updated to ensure the security of the UEFI Secure Boot process.
AI-generated answer. Please verify critical facts.
Anything to do with the revocation list rests with Microsoft, no GNU/Linux OS can resolve this issue.
It appears NVRAM is another poorly protected vector from attack:
Also worth a read:
That's all well and good, but I, as a paid user, want to know specifically what the Zorin Group will do about this. Be nice to get an update, even if a solution isn't readily available or deployable.
Well the first step would be to check with your motherboard manufacturer/vendor as the security flaw is at low-level, not OS level.
Update: So after seeing @swarfendor437's post above, I went ahead and checked my motherboard's BIOS version. Much to my surprise, I saw it was several updates behind. So I've updated the BIOS, and all is OK. So, thank you to swarfendor437. Still, it'd be good to hear from the Zorin Group for the sake of clarity. Thanks to all.
LOL, I was just as bad, but ASUS has come in for some criticism generally:
My motherboard only updates to stuff released last year, nothing current, but I don't have the dbx issue - guess because I only occasionally put my Windows 7 in the hotswap bay when needed and Fast Boot disabled and TPM set to discrete so I don't get .dbx updates showing in the Updates.
Interesting read here (including the comments section below the article):
I think 'endof10.org' should change to 'endofWindows ... period dot org'!
Still. The case remains to be made. The Zorin Group could use more communication to their benefit. I was an administrator on several occasions in my professional life, and I understood the absolute value of communication to employees. It honestly does not take much effort or time to put together a missive to a wide body of people. The end result can be extremely advantageous to those in management roles, especially when they sincerely believe in doing "right" by those they serve and work with. It builds loyalty, commitment - and if you want to get financial about it - it helps establish a consistent revenue stream in that you have loyal employees who endeavor to work towards the same goal you have as a manager (or in the Zorin Group's case, users who can also act as ambassadors for Zorin, and help "up" the rate of "Pro" purchases through not just these ambassadors, but also public instances of the Zorin Group's commitment to communication which potential purchasers can judge for themselves are inherently "good" and beneficial). This is basic "Management 101" stuff. It's dead simple. This equals that. I am sure Artyom and Kyrill are nice people in real life (which I get the sense of that being just the case, honestly), but ... communication is very vital. Start a monthly blog. Reserve critical and time-sensitive announcements for the "general help" page, and make a habit out of that so users know what to expect in times of difficulty, such as this ongoing problem many others have undoubtedly had to contend with (regarding the DBX issue). Anyway, moving on. The problem is resolved for me, and that's where my involvement ends. Thanks again to all.
Hello everyone:
First of all, I appreciate your comments. One of the most valued aspects is the Zorin community.
Now, most rookie users who come to GNU/Linux want simple and fast solutions and for everything to work. Therefore, it can be frustrating to find problems of this type, which is probably linked to some update of the motherboard, since this problem was not present yesterday.
Maybe it is related to the Ubuntu version on which Zorin OS is built, since, from what I have been able to investigate, it is not present in Linux Mint 22.1, which is based on the latest version of Ubuntu. This is a problem that the developers have not been able to solve: the slowness in updating the operating system (we are less than a year from the arrival of a new Ubuntu, and a version released in 2022 is still used).
I am a basic user and I am interested in everything working 100%, since otherwise I would continue with Windows. Perhaps for another person the problem is not so important, but for me it is even more so, considering that I have purchased (from version 12 onwards) the paid version of Zorin OS to support the project. Perhaps I could go to support, but they take a few days to respond and I need a solution now.
I use Zorin not only for leisure but also for work, and therefore I am interested in it being at 100%.
For all that said I will have to resort to Linux Mint 22.1 where, at least in this case, everything works much better than Zorin.
I reiterate my thanks for bothering to answer.
Greetings.
I am sorry to see you go. Best wishes.
Wow. This guy has been with Zorin since version 12, and is leaving because there has been no communication from the Zorin Group. Incredible. Just incredible. I am sorry to see him go. Really goes to support what I said earlier. Unfortunate. I don't get the apparent resistance on the Zorin Group's part to "up" the communication. I just don't. Why resist? Just do it. It has so many benefits. Easy and effortless.
The question would be: is this a Snap package? If yes, then you can't have this on Linux Mint because Mint doesn't support Snaps.
Hello:
As I am stubborn I decided to try an unorthodox solution. I had read that sometimes the problem can be solved with draconian actions: formatting and reinstalling the operating system, but, without downloading the updates as they are downloaded, but doing it later, once downloaded.
I abandoned Linux Mint quite some time ago and switched to Zorin OS. One of the reasons is linked to the Gnome desktop. I find Cinnamon a bit more limited, especially when it comes to multitasking.
In short, it worked! Installed all the necessary drivers.
I had previously tried to download and install drivers for the motherboard, however, I had only found drivers for Windows.
Regards.
Well, welcome back. Looks like your "stubbornness" (I prefer to think of it as "persistence") paid off. And just for reference - BIOS files are universal; they are for the motherboards themselves, and not strictly Linux or Windows. So you might want to look into updating your BIOS, regardless (aside from the drivers; two different things). It's good practice to keep your motherboard's firmware updated. I didn't do it with mine until yesterday because with my old PC (which I had for a long time after putting it together), the motherboard hadn't received updates for a long time, so I fell out of the habit of checking and seeing if there were any BIOS updates. And that's interesting about your opinion re: Linux Mint. I think it does multitasking just fine. And stock Cinnamon is more customizable on its own than stock GNOME (aside from the extensions GNOME has available; once these enter the mix, then OK, sure, GNOME has more customizability potential that way). That's just me, though. But again, as I said, welcome back. Enjoy Zorin.
One more thing. You're also right about how a total reinstall can fix things. Been there, done that (a couple times with Zorin). I would recommend that you make a clone of your drive (after you're done setting up Zorin the way you want it to be with all your applications and settings) with the Disks utility, and use the .img file in the future if anything goes wrong (instead of doing a reinstall). Good luck.
I may end up having to splinter this off to a new thread if this becomes a tangent.
Have you ever been preparing for a meeting... and you anticipate what will be said and how you might respond?
You run through the important issues; simulate multiple scenarios on how the other person may react and how you can validate your points.
And when you have the meeting, it goes nothing like you'd imagined.
They focus on things you considered trivial. Are dismissive of what you thought was of great importance. You walk away not just feeling misunderstood, but fundamentally out of sync.
We can be average. Like many of the same things. Agree more than disagree. And then, in communication, discover that their mind is utterly alien.
Foreign.
Unfathomable. Some preferences feel so intuitive to us that encountering resistance makes others seem irrational.
Our differences are unthinkable, bordering on unbearable. "You have not seen Such-and-such movie? What is Wrong with you? Why do you culturally deprive yourself. It is so good..."
"You don't like slug n' snail icecream? It's smooth, yet crunchy! How can you exist having such radically different tastes? You better get with the program, buddy."
I have long noticed how alien minds have a very different workflow.
For me, Gnome is resistant to logical workflow.
I need to anticipate its illogical pathways, then adapt myself to it in order to get things done. It infuriates me as it does things that I did not want it to do. Big previews jumping in front of my work. Modal dialogues taking over, demanding attention, not giving in until I stop what I am doing... and do what it wants me to do. It reminds me of another OS I tried to leave behind.
My tools hidden behind hamburgers.
Yet, other alien minds prefer Gnome. They are different from me. Not wrong.
Not lacking taste.
Not culturally deprived.
Just different. And for them, Gnome fits like a glove.
This is why we need the variety and diversity GNU/Linux offers. Because we are alien to each other. We cannot be force fit into the molds the developers want to cram us into.
By asserting itself as the Dominant Desktop, Gnome seeks to stifle anyone that is not their mindset. Control them. Dismiss them.
GNOME's tighter integration with systemd, PipeWire, Wayland, and Flatpak may have strategic appeal for ZorinGroup. But they have narrowed their base users in dropping support for XFCE. Zorin OS was already starkly limited in D.E. choices.
Now, they have gone for centralization.
Zorin distances itself from those with older hardware, lightweight needs, or cognitive workflows that simply don’t align with GNOME’s demands.
This alienates a large percentage of not only their base, but distances newcomers, Windows OS refugees that Zorin OS was conceived of to support and enable. Zorin OS once embraced user diversity. But now, it begins to resemble the very monocultures it once positioned itself against.
Soon, Zorin OS will only be for those of the same mindset.
Those that can conform rigidly to the demands put on them as users, instead of being users reclaiming ownership of their own devices. We will no longer shape our environment, but be expected to conform our shape to it.