Secure Boot dbx Failed to build error issue

General Help
41

Given numerous reports of success with this post, I have marked it as solution in order to give it greater visibility.

4 Likes
43

@Aravisian I reinstalled ZorinOS to test this and it did not work for me

44

Was there any kind of error message displayed?
Or did installing the package provided by @AZorin go smoothly, yet you still ended up with the Update Alert?

You can get the Update Alert if Secure Boot is disabled in BIOS since it must be enabled to apply the update. Users that prefer to update, but keep S.B. disabled must enable S.B., install the firmware, then may disable it once the process is complete.

45

Oh i didnt see a update yet where can i find it? i just did the terminal commands listed in the solution post. AM i missing something? THe package still trying to install

46

This is the package information:

2 Likes
47

@Aravisian Problem solved thank you. :heart_suit:

3 Likes
48

This solved it for me, and I seem to be stable. It may (or may not) be worth noting that during the process I was asked to upload a report to fwupd.org, which, when I did, I got a message that it was a known issue, and showed me a URL to look at for more information. I did not look at it, but followed the rest of the steps provided above. It was clear from feedback that the update was not applied (which makes sense, as I have secure boot off on this Linux only machine).

I bring all of this up because if the final fix shows such things to end users, they're likely to come in here asking why their update didn't install.

3 Likes
49

I think you will find it was porridge, not soup! :wink:

1 Like
50

Did someone say porridge?! :zany_face:

264
264615Γ—874 213 KB

(Sorry! Back to our regular programming ... )

1 Like
51

I tried it on a ROG computer, and I got that same error/log report too.

The update said it installed in a notification from the software app, but the version terminal listed for the dbx is a 2016 version and not the 2025 version. fwupdmgr doesn't think there are any more updates, even with a forced refresh.

Super weird.

1 Like
52

Did you enter these commands?

sudo add-apt-repository ppa:zorinos/fwupd

sudo apt update

sudo apt dist-upgrade

Then reboot and then enter these commands:

sudo fwupdmgr refresh

sudo fwupdmgr get-updates

sudo fwupdmgr update

sudo rm /var/lib/fwupd/pending.db
53

Yes, I did. I got the new fwupd version that way.

I also ran those commands on reboot. Running them again says: "No updatable devices"
But, fwupdmgr get-devices gives a current version of 20160809 for the UEFI revocation database (Aka UEFI dbx).

54

Yeah, I was having this issue as well, but for some reason after restarting a couple of times, then hitting the update button in software, it disappeared and I haven't gotten the pop up since.

1 Like
55

With the updated fwupd (1.9.29), I was able to get around fwupdmgr's lack of responsiveness to get version 20241101 with commands from this fwupd GitHub issue.

Only for x64 (64 bit) machines:

wget https://fwupd.org/downloads/d661d4a0aaca09dfa9e56967ca2467b0575fc07cb704d182fa8c68225452957f-DBXUpdate-20241101-x64.cab
sudo fwupdtool -vv --plugins uefi_dbx install d661d4a0aaca09dfa9e56967ca2467b0575fc07cb704d182fa8c68225452957f-DBXUpdate-20241101-x64.cab

However, trying to get the 2025 cab file for the dbx gives me the error that fwupd version 2.0.12 is required for it.

Edit:
So, looking at issue 8909, I found the link to a cab file to update to 2025 with, but then I get hit with a boot error center screen that prevents booting until the dbx is factory reset!

This also happened on this particular computer (ROG Strix--GL753VD) when I originally tried the update through the Software GUI, but I thought it was related to MOK keys I had signed manually, and was before I even tried the new fwupd.

Could not create MokListRT: Volume Full

Could not create MokListXRT: Volume Full

Could not create SbatLevelRT: Volume Full

Could not create MokListTrustedRT: Volume Full

Something has gone seriously wrong: import_mok_state() failed: Volume Full.

My SSD is definitely not full (43GB available), so is this some kind of BIOS storage limit on this specific computer?

57

This solution has fixed the issue with the secure boot dbx failed to build error issue. So far the operating system has been running smooth since the fix has been applied will update if anything changes.

1 Like
58

I'm predicting that anyone (at the very least with an older laptop) who factory reset their bios secure boot keys trying to solve the original issue isn't receiving an update to dbx (or other secure boot features β€” KEK, PK, etc) at all.

With the fix, fwupd 1.9.29 is able to handle installing the newer dbx version, but the motherboard needs to have sufficient space (I think it's called NVram) to hold the update as well, but that's motherboard specific.

More relevantly, I don't think the fix solves problems with fwupd that prevent it from recognizing when updates need to happen after resetting keys (maybe to certain ages, i.e. 2016), and I know a couple of other people did key resets (@Omnimaxus) trying to fix this. People who did key resets might need to check their secure boot dbx version with
fwupdmgr get-devices
and manually update them if necessary.

It's not about getting the error to disappear (unless you don't use secure boot), it's about being up-to-date on dbx, so make sure you are really good-to-go and check your version: It's only trying to push 20241101 for dbx right now, so make sure you have at least that.

59

I did each command is not worked so you say go to last command and excute it this one right fwupdmgr get-devices so this is the ouput of it cyber@cyber:~$ fwupdmgr get-devices
ROG STRIX G16CHR_G16CHR
β”‚
β”œβ”€MZVL22T0HDLB-00BT7:
β”‚ Device ID: 03281da317dccd2b18de2bd1cc70a782df40ed7e
β”‚ Summary: NVM Express solid state drive
β”‚ Current version: GXD71W2Q
β”‚ Vendor: Samsung (NVME:0x144D)
β”‚ GUIDs: 4d7a2791-106b-5e72-9cfb-8ea3d89f5421
β”‚ 310f81b5-6fce-501e-acfb-487d10501e78
β”‚ 60c89aac-f321-515b-b419-3cf02aa9d375
β”‚ bec63ed7-a95f-54fe-b8cc-8e9fee64ba5a
β”‚ 60fc7801-9f4e-5a6e-a3de-df9ea73c619d
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Updatable
β”‚ β€’ System requires external power source
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Device is usable for the duration of the update
β”‚ β€’ Signed Payload
β”‚
β”œβ”€System Firmware:
β”‚ β”‚ Device ID: a45df35ac0e948ee180fe216a5f703f32dda163f
β”‚ β”‚ Summary: UEFI ESRT device
β”‚ β”‚ Current version: 807
β”‚ β”‚ Minimum Version: 807
β”‚ β”‚ Vendor: ASUSTeK COMPUTER INC. (DMI:ASUSTeK COMPUTER INC. (Licensed by AMI, LLC.))
β”‚ β”‚ Update State: Success
β”‚ β”‚ GUIDs: 499c5557-9973-5c1d-b0e8-bbb5ce8f2b15
β”‚ β”‚ 230c8b18-8d9b-53ec-838b-6cfc0383493a
β”‚ β”‚ Device Flags: β€’ Internal device
β”‚ β”‚ β€’ Updatable
β”‚ β”‚ β€’ System requires external power source
β”‚ β”‚ β€’ Needs a reboot after installation
β”‚ β”‚ β€’ Cryptographic hash verification is available
β”‚ β”‚ β€’ Device is usable for the duration of the update
β”‚ β”‚
β”‚ └─UEFI dbx:
β”‚ Device ID: 362301da643102b9f38477387e2193e57abaa590
β”‚ Summary: UEFI revocation database
β”‚ Current version: 466
β”‚ Minimum Version: 466
β”‚ Vendor: UEFI:Linux Foundation
β”‚ Install Duration: 1 second
β”‚ GUIDs: 6c9777b8-19f2-5e2c-9210-66ef3691a9f3
β”‚ c8749f7f-439b-5c3c-a2ea-3baacf663a5a
β”‚ c6682ade-b5ec-57c4-b687-676351208742
β”‚ f8ba2887-9411-5c36-9cee-88995bb39731
β”‚ 3425d762-b684-51ab-8088-3f4175888c7a
β”‚ d07ff664-b0e1-5f4e-a723-d7fbcbfcb94f
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Updatable
β”‚ β€’ Supported on remote server
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Only version upgrades are allowed
β”‚ β€’ Signed Payload
β”‚
β”œβ”€UEFI Device Firmware:
β”‚ Device ID: 2292ae5236790b47884e37cf162dcf23bfcd1c60
β”‚ Summary: UEFI ESRT device
β”‚ Current version: 1
β”‚ Vendor: DMI:ASUSTeK COMPUTER INC. (Licensed by AMI, LLC.)
β”‚ Update State: Success
β”‚ GUID: 2fe2cbfc-b9aa-4a93-ab5b-40173b581c42
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Updatable
β”‚ β€’ System requires external power source
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Device is usable for the duration of the update
β”‚
β”œβ”€UEFI Device Firmware:
β”‚ Device ID: f95c9218acd12697af946874bfe4239587209232
β”‚ Summary: UEFI ESRT device
β”‚ Current version: 1
β”‚ Vendor: DMI:ASUSTeK COMPUTER INC. (Licensed by AMI, LLC.)
β”‚ Update State: Success
β”‚ GUID: 86a885ee-d71e-2ed6-0fc1-9d6ccc9677eb
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Updatable
β”‚ β€’ System requires external power source
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Device is usable for the duration of the update
β”‚
└─UEFI Device Firmware:
Device ID: d96de5c124b60ed6241ebcb6bb2c839cb5580786
Summary: UEFI ESRT device
Current version: 18876841
Vendor: DMI:ASUSTeK COMPUTER INC. (Licensed by AMI, LLC.)
Update State: Success
GUID: 7aa69739-8f78-41cb-bf44-854e2cb516bd
Device Flags: β€’ Internal device
β€’ Updatable
β€’ System requires external power source
β€’ Needs a reboot after installation
β€’ Device is usable for the duration of the update

60

What does:
fwupdmgr --version
give you?

The new fwupd got pushed to the main branch! Two laptops updated to 20241102 successfully without having to do any terminal steps, just the software updater.

61

I have had no success in updating 20241101 update. I did apply the solution commands posted by azorin to no avail. I checked both bios and get devices with no success at updating the dbx. So I sat on it and later installed the latest update for BIOS issued 07/07/2025. After that update, I entered terminal command get devices, and discovered the dbx vendor is now showing Microsoft with an unknown number in the version. Secure boot is off. I tried to reenter the ppa in the terminal twice, but it timed out both times. Suggestions please
Micro-Star International Co., Ltd. MS-7E27
β”‚
β”œβ”€AMD Ryzen 5 8500G w/ Radeon 740M Graphics:
β”‚ β”‚ Device ID: 4bde70ba4e39b28f9eab1628f9dd6e6244c03027
β”‚ β”‚ Current version: 0x0a70800a
β”‚ β”‚ Vendor: Advanced Micro Devices, Inc.
β”‚ β”‚ GUIDs: 4a100b34-dcd2-5cbd-aae2-ef258d5e5976 ← CPUID\PRO_0&FAM_19&MOD_78
β”‚ β”‚ 8c24b4b3-49d2-5028-86b8-42a7dbe06346 ← CPUID\PRO_0&FAM_19&MOD_78&STP_0
β”‚ β”‚ Device Flags: β€’ Internal device
β”‚ β”‚
β”‚ β”œβ”€Graphics Processing Unit (GPU):
β”‚ β”‚ Device ID: 4d01b858e1d5c1a5835722a8244c312aefda8e28
β”‚ β”‚ Summary: AMD AMD_PHOENIX_GENERIC
β”‚ β”‚ Current version: 1
β”‚ β”‚ Vendor: Advanced Micro Devices, Inc. [AMD/ATI] (PCI:0x1002)
β”‚ β”‚ GUID: 4a1501b7-b500-5255-9d9c-41d652a4d5bc ← AMD\113-PHXGEN
β”‚ β”‚ Device Flags: β€’ Internal device
β”‚ β”‚
β”‚ └─Secure Processor:
β”‚ Device ID: c54ab0237d7a8db8c717b68e0be78e4374a2a079
β”‚ Current version: 00.2d.00.aa
β”‚ Bootloader Version:00.2d.00.aa
β”‚ Vendor: Advanced Micro Devices, Inc. (PCI:0x1022)
β”‚ GUIDs: 9eb6a793-7f97-5fb5-b49c-139d2ce3ee46 ← PCI\VEN_1022&DEV_15C7
β”‚ bb136fdf-c745-5745-9dd6-36e603332fa0 ← PCI\VEN_1022&DEV_15C7&SUBSYS_14627E27
β”‚ Device Flags: β€’ Internal device
β”‚
β”œβ”€Mass storage controller:
β”‚ Device ID: ca36afdb961fb855d3cc753a0e49204fb6193e25
β”‚ Current version: 01
β”‚ Vendor: Advanced Micro Devices, Inc. [AMD] (PCI:0x1022)
β”‚ GUIDs: c12a74b6-78b0-5cfb-95a3-cd65a12f9e94 ← PCI\VEN_1022&DEV_43F6
β”‚ 38b47a77-8710-5b30-b79b-91df5c9a6d96 ← PCI\VEN_1022&DEV_43F6&SUBSYS_1B211062
β”‚ 67d3b17f-d200-5c56-979e-8a3a4ab46c2b ← PCI\VEN_1022&DEV_43F5
β”‚ 6b2e126d-81a8-530b-a8d3-a93e65bd30b2 ← PCI\VEN_1022&DEV_43F5&SUBSYS_1B213328
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Cryptographic hash verification is available
β”‚
β”œβ”€ST500DM002-1BD142:
β”‚ Device ID: eb90258c3e252a45a4a7ca1f89471e7a76f742d5
β”‚ Summary: ATA drive
β”‚ Current version: KC48
β”‚ Vendor: Seagate (ATA:0x1BB1, OUI:000c50)
β”‚ Serial Number: Z6ENHASP
β”‚ GUIDs: 0d7919af-d3e2-5a2a-910f-184f25cd6b32 ← IDE\ST500DM002-1BD142_______________________KC48
β”‚ e4a2970a-fad3-5fea-9852-cf359901412d ← IDE\0ST500DM002-1BD142_______________________
β”‚ 9087451b-8084-5dc1-a3b7-fe5901912e95 ← ST500DM002-1BD142
β”‚ Device Flags: β€’ Updatable
β”‚ β€’ System requires external power source
β”‚ β€’ Needs a reboot after installation
β”‚
β”œβ”€System Firmware:
β”‚ β”‚ Device ID: 823e346631882bd3e8ed3258d84b4cd6f53bbe03
β”‚ β”‚ Summary: UEFI System Resource Table device (updated via NVRAM)
β”‚ β”‚ Current version: 1
β”‚ β”‚ Minimum Version: 1
β”‚ β”‚ Vendor: Micro-Star International Co., Ltd. (DMI:American Megatrends International, LLC.)
β”‚ β”‚ Update State: Success
β”‚ β”‚ GUID: 6a36ab4a-d43d-4747-8c25-a5194448c8de
β”‚ β”‚ Device Flags: β€’ Internal device
β”‚ β”‚ β€’ Updatable
β”‚ β”‚ β€’ System requires external power source
β”‚ β”‚ β€’ Needs a reboot after installation
β”‚ β”‚ β€’ Cryptographic hash verification is available
β”‚ β”‚ β€’ Device is usable for the duration of the update
β”‚ β”‚ Device Requests: β€’ Message
β”‚ β”‚
β”‚ └─UEFI dbx:
β”‚ Device ID: 362301da643102b9f38477387e2193e57abaa590
β”‚ Summary: UEFI revocation database 939aeef4
β”‚ Vendor: UEFI:Microsoft
β”‚ Install Duration: 1 second
β”‚ GUIDs: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
β”‚ d07ff664-b0e1-5f4e-a723-d7fbcbfcb94f ← UEFI\CRT_3CD3F0309EDAE228767A976DD40D9F4AFFC4FBD5218F2E8CC3C9DD97E8AC6F9D&ARCH_X64
β”‚ 5c6c0596-253d-560d-a120-cb32286764c6 ← UEFI\CRT_9C25AE3ECE9D93079A158B01AE21E92E520B05D6BBD5CE6C4FA95249D300E38B&ARCH_X64
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Updatable
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Device is usable for the duration of the update
β”‚ β€’ Only version upgrades are allowed
β”‚ β€’ Signed Payload
β”‚
β”œβ”€TPM:
β”‚ Device ID: c6a80ac3a22083423992a3cb15018989f37834d6
β”‚ Summary: TPM 2.0 Device
β”‚ Current version: 6.24.0.7
β”‚ Vendor: Advanced Micro Devices, Inc. (TPM:AMD)
β”‚ GUIDs: 9305de1c-1e12-5665-81c4-37f8e51219b8 ← TPM\VEN_AMD&DEV_0001
β”‚ 78a291ae-b499-5b0f-8f1d-74e1fefd0b1c ← TPM\VEN_AMD&MOD_AMD
β”‚ 65a3fced-b423-563f-8098-bf5c329fc063 ← TPM\VEN_AMD&DEV_0001&VER_2.0
β”‚ 5e704f0d-83cb-5364-8384-f46d725a23b8 ← TPM\VEN_AMD&MOD_AMD&VER_2.0
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ System requires external power source
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Device can recover flash failures
β”‚ β€’ Full disk encryption secrets may be invalidated when updating
β”‚ β€’ Signed Payload
β”‚
mmd@mmd-MS-7E27:~$ fwupdmgr get-history
Micro-Star International Co., Ltd. MS-7E27
β”‚
└─UEFI dbx:
β”‚ Device ID: 362301da643102b9f38477387e2193e57abaa590
β”‚ Previous version: 466
β”‚ Update State: Failed
β”‚ Update Error: failed to run update on reboot
β”‚ Last modified: 2025-07-04 22:44
β”‚ GUID: c6682ade-b5ec-57c4-b687-676351208742
β”‚ Device Flags: β€’ Internal device
β”‚ β€’ Updatable
β”‚ β€’ Supported on remote server
β”‚ β€’ Needs a reboot after installation
β”‚ β€’ Reported to remote server
β”‚
└─(null) Update:
New version: 20241101
Remote ID: lvfs
Description:
The vendor did not supply any release notes.

mmd@mmd-MS-7E27:~$ fwupdmgr --version
compile org.freedesktop.fwupd 1.9.29
compile com.hughsie.libxmlb 0.3.18
compile com.hughsie.libjcat 0.1.9
runtime org.freedesktop.fwupd-efi 1.4
compile org.freedesktop.gusb 0.3.10
runtime com.hughsie.libxmlb 0.3.x
runtime org.freedesktop.gusb 0.3.10
runtime org.freedesktop.fwupd 1.9.29
runtime org.kernel 6.8.0-60-generic