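I own a fairly old server, a Dell PowerEdge T20, with the latest BIOS version, A20 (Dell update link; update screen, in case the link goes dead over time):
This morning, when I SSHed into this server, I got a message saying a firmware update was available (see the full details below). It also said I could run:
fwupdmgr get-upgrades
to get information about it, which I did.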
$ ssh-s
up 18 hours, 31 minutes
1 device has a firmware upgrade available.
Run `fwupdmgr get-upgrades` for more information.
root @ dell-poweredge-t20 /root # fwupdmgr get-upgrades
WARNING: UEFI capsule updates not available or enabled in firmware setup
See https://github.com/fwupd/fwupd/wiki/PluginFlag:capsules-unsupported for more information.
Devices with no available firmware updates:
• Samsung SSD 860 PRO 256GB
• WDC WD5000BMVU-11A08S0
PowerEdge T20
│
└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI Revocation Database
│ Current version: 77
│ Minimum Version: 77
│ Vendor: UEFI:Linux Foundation
│ Install Duration: 1 second
│ GUIDs: c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│
├─Secure Boot dbx:
│ New version: 217
│ Remote ID: lvfs
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ License: Proprietary
│ Size: 13.8 kB
│ Created: 2020-07-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Flags: is-upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
│ Before installing the update, fwupd will check for any affected executables in the ESP and will refuse to update if it finds any boot binaries signed with any of the forbidden signatures. If the installation fails, you will need to update shim and grub packages before the update can be deployed.
│
│ Once you have installed this dbx update, any DVD or USB installer images signed with the old signatures may not work correctly. You may have to temporarily turn off secure boot when using recovery or installation media, if new images have not been made available by your distribution.
│
├─Secure Boot dbx:
│ New version: 211
│ Remote ID: lvfs
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ License: Proprietary
│ Size: 13.5 kB
│ Created: 2021-04-29
│ Urgency: High
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Flags: is-upgrade
│ Description:
│ This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
│
└─Secure Boot dbx:
New version: 190
Remote ID: lvfs
Summary: UEFI Secure Boot Forbidden Signature Database
License: Proprietary
Size: 14.4 kB
Created: 2020-07-29
Urgency: High
Vendor: Linux Foundation
Duration: 1 second
Flags: is-upgrade
Description:
This updates the dbx to the latest release from Microsoft which adds insecure versions of grub and shim to the list of forbidden signatures due to multiple discovered security updates.
root @ dell-poweredge-t20 /root #
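I have never updated my BIOS/UEFI from Linux. My first question is:
What exactly is this update designed for? (A new BIOS?)
Secondly, is it safe to go ahead with the update, and are there any downsides/upsides?
Thank you.
Notes:
This server runs Debian 11.
Secure Boot is disabled on this computer.
As a precaution, I have disabled UEFI capsule updates in the BIOS.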
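These are UEFI revocation list updates; they revoke signatures used for Secure Boot.
Since you are not using Secure Boot, they are not relevant to you. Since UEFI capsule updates are disabled, you probably could not apply them anyway.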
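
One way to confirm the Secure Boot state that the answer's reasoning depends on, as an added example that is not part of the original question or answer. It reads the standard `SecureBoot` EFI variable from efivarfs; the function names `secure_boot_state` and `dbx_update_relevance` are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a pending dbx (revocation list) update
# matters on this host by reading the UEFI SecureBoot variable.

# Standard efivarfs path of the SecureBoot variable (EFI global variable GUID).
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# secure_boot_state [FILE]   (hypothetical helper name)
# Prints "enabled", "disabled" or "unknown".
# An efivarfs file starts with 4 bytes of variable attributes; the payload
# follows, and for SecureBoot it is a single byte: 1 = on, 0 = off.
secure_boot_state() {
    f=${1:-$SB_VAR}
    if [ ! -r "$f" ]; then
        echo unknown            # legacy BIOS boot, or efivarfs not mounted
        return 0
    fi
    # Skip the 4 attribute bytes and read one byte as an unsigned decimal.
    v=$(od -An -tu1 -j4 -N1 "$f" 2>/dev/null | tr -d ' \n')
    case "$v" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;      # truncated or unexpected content
    esac
}

# dbx_update_relevance [FILE]   (hypothetical helper name)
# Maps the Secure Boot state to what it means for a pending dbx update.
dbx_update_relevance() {
    case "$(secure_boot_state "$1")" in
        enabled)
            echo "relevant: dbx is enforced; update shim and grub before applying" ;;
        disabled)
            echo "not enforced: Secure Boot is off, so the dbx is not used at boot" ;;
        *)
            echo "undetermined: could not read the SecureBoot variable" ;;
    esac
}
```

Calling `dbx_update_relevance` with no argument checks the running system; passing a file path lets the logic be exercised against a saved copy of the variable.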