Understanding What Firmware Updates Really Are
Firmware updates shown by
fwupdmgr can look intimidating, especially when they mention UEFI, Secure Boot, or system components you normally never touch. But most of these updates are routine, safe, and designed to improve security or compatibility.
Not all firmware updates modify your motherboard BIOS. Some update small components like:
- Secure Boot databases (db, dbx)
- Thunderbolt controllers
- SSD firmware
- Embedded controllers
- Device metadata
Many of these updates are low-risk and apply safely during reboot.
Why Firmware Updates Look Scary
Linux users often assume anything involving UEFI or firmware can brick a system. In reality, most updates:
- Do not rewrite your BIOS
- Do not modify your bootloader
- Do not affect your OS installation
- Do not risk hardware failure
The update process is designed to be safe.
How to Check Your Secure Boot State
Before applying updates, it can help to check whether Secure Boot is active:
mokutil --sb-state
If you see:
SecureBoot disabled
Platform is in Setup Mode
Then your system is in one of the safest possible states for firmware updates. With Secure Boot disabled, updates to Secure Boot databases (
like dbx) cannot affect your ability to boot.
If Secure Boot is enabled, updates to Secure Boot databases can affect your bootloader and OS. In that case, you may want to temporarily disable Secure Boot before applying updates.
What Secure Boot Disabled and Setup Mode Mean
Secure Boot Disabled
Your system is not enforcing signature checks. Updates to Secure Boot components will not impact your boot process.
Setup Mode
Your system has no Platform Key (PK) enrolled. Secure Boot cannot be enabled until keys are added. Updates to Secure Boot databases remain inactive until Secure Boot is turned on.
This means you can safely apply updates without worrying about breaking anything.
How to Install Firmware Updates
Most firmware updates can be applied with a single command:
sudo fwupdmgr update
After running it, reboot your system. The update will apply automatically during startup.
What to Expect After Reboot
You may briefly see a firmware update screen or progress bar. This is normal. The system will reboot again and continue normally.
If Secure Boot is disabled, updates to Secure Boot components will not affect your bootloader or OS.
Should You Enable Secure Boot Later?
You have two options:
Option 1 - Leave Secure Boot Disabled
This is perfectly fine for home labs, servers, and systems using custom kernels or drivers.
Option 2 - Enable Secure Boot Safely
If you want Secure Boot later, you must:
- Enter BIOS/UEFI
- Enroll factory default keys (PK, KEK, db, dbx)
- Enable Secure Boot
Modern Linux distributions like Ubuntu >24.04 support Secure Boot out of the box.
Why Firmware Updates Matter
Firmware updates often fix:
- Security vulnerabilities
- Bootloader bypass flaws
- Device stability issues
- Compatibility problems
Even if you don't use Secure Boot or advanced features, keeping firmware current ensures your system remains secure and functional.
Example of dbx firmware update
Update available
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
user@server:~ $ sudo fwupdmgr get-upgrades
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates:
• MSI SHIP DB
• MSI SHIP KEK
• HDWQ140
• KEK CA
• SKC3000S1024G
• SSD 840 PRO Series
• WD5000LPVT-75G33T0
• Windows UEFI CA
Devices with the latest available firmware version:
• UEFI CA
Micro-Star International Co., Ltd. MS-7C95
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 20250902
│ Minimum Version: 20250902
│ Vendor: Microsoft (UEFI:Microsoft)
│ Install Duration: 1 second
│ GUIDs: f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ d07ff664-b0e1-5f4e-a723-d7fbcbfcb94f ← UEFI\CRT_3CD3F0309EDAE228767A976DD40D9F4AFFC4FBD5218F2E8CC3C9DD97E8AC6F9D&ARCH_X64
│ 5c6c0596-253d-560d-a120-cb32286764c6 ← UEFI\CRT_9C25AE3ECE9D93079A158B01AE21E92E520B05D6BBD5CE6C4FA95249D300E38B&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│ • Can tag for emulation
│
└─Secure Boot dbx Configuration Update:
New version: 20260402
Remote ID: lvfs
Release ID: 143971
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 24.6 kB
Created: 2025-09-02 00:00:00
Urgency: High
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
Some insecure bootloaders were added, due to security vulnerabilities that allowed an attacker to bypass UEFI Secure Boot. The additional entries were from:
• Baramanudi Management Suite
• EAZ EasyFix
• Finland Matriculation Examination Board
• NTC IT ROSA Linux
• PC-Doctor
• Spyrus WTGCreator
• WhiteCanyon blancco
• Some ancient shim releases for OpenSUSE, Oracle and Red Hat
Issues: 616257
CVE-2026-8863
Checksum: 9edea8bc287bf9bf4659856b28cf421f330eb2f658c163eab0a03512a98c0e78
user@server:~ $
What's important to note
First off, the
New version block is nice to notice - if you are behind a couple of versions you might get several in a row, so knowing you're closing in on today's date might be nice.
Secondly, note the CVE (Common Vulnerabilities and Exposures - It is a list of publicly disclosed cybersecurity vulnerabilities and exposures. Each CVE entry contains an identification number, a description, and at least one public reference).
Go to
CVE-2026-8863 to read more about the CVE and why you will need it.
Perform the update itself
user@server:~ $ sudo fwupdmgr update
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 20250902 to 20260402? ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest ║
║ release from Microsoft. ║
║ ║
║ Some insecure bootloaders were added, due to security vulnerabilities that ║
║ allowed an attacker to bypass UEFI Secure Boot. The additional entries were ║
║ from: ║
║ ║
║ • Baramanudi Management Suite ║
║ • EAZ EasyFix ║
║ • Finland Matriculation Examination Board ║
║ • NTC IT ROSA Linux ║
║ • PC-Doctor ║
║ • Spyrus WTGCreator ║
║ • WhiteCanyon blancco ║
║ • Some ancient shim releases for OpenSUSE, Oracle and Red Hat ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
Perform operation? [Y|n]: y
Waiting… [***************************************]
Successfully installed firmware
Devices with the latest available firmware version:
• UEFI CA
Devices with no available firmware updates:
• MSI SHIP DB
• MSI SHIP KEK
• HDWQ140
• KEK CA
• SKC3000S1024G
• SSD 840 PRO Series
• WD5000LPVT-75G33T0
• Windows UEFI CA
An update requires a reboot to complete. Restart now? [y|N]: n
I chose to restart later, as I wanted to copy text and had another update queued, requiring an update - otherwise, press
y and it will reboot immediately.
Conclusion
Most firmware updates on Linux are safe, simple, and low-risk. Whether you're updating the dbx, SSD firmware, or device metadata, the process is designed to protect your system. If Secure Boot is disabled or your platform is in Setup Mode, the risk is even lower.
For most users, firmware updates are a straightforward way to keep your system secure without touching anything critical.
Comments (0)
No comments yet. Be the first to comment!
Leave a Comment