• ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
Are you having HotKey issues? Click here for tips and tricks.
Locked

‎11-25-2024 08:50 AM

HP Recommended
Product: HP Pavilion 500-339 Desktop PC
Operating System: Microsoft Windows 10 (64-bit)

Part of the Fedora 41 update is "UEFI dbx".

The error is

Blocked executable in the ESP, ensure grub and shim are up to date: /run/media/root/SYSTEM/EFI/HP/SystemRecovery/bootmgfw.efi
Authenticode checksum [f74947590a87a005023e9ef89cdf0c38d8d582ca4173f8201cebc443ef796790] is present in dbx

The bootmgfw.efi file exists in 2 places

EFI/HP/SystemRecovery/bootmgfw.efi -> Mar 18 2014

EFI/Microsoft/Boot/bootmgfw.efi -> Oct 9 2024

So the system is using the old HP version.

What can I do about this?

 

 

Category:
1 ACCEPTED SOLUTION

Accepted Solutions

‎11-27-2024 12:01 PM

HP Recommended

Rebuild the EFI Boot Entry

  • If Fedora is still not booting after the steps above, you may need to manually rebuild the UEFI boot entries. Use the following commands:

sudo grub2-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Fedora
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
 

Verify the UEFI Signature Database

  • If your system continues to block the bootmgfw.efi file, check the UEFI Secure Boot keys:
    • Reboot into the UEFI firmware settings.
    • Look for any secure boot options or settings related to keys, such as "Key Management" or "DBX" (which contains blocked signatures). You may be able to clear the dbx or add the necessary keys for Fedora.


After performing these steps, the issue with the UEFI dbx should be resolved, allowing you to proceed with the Fedora 41 update.

 

I hope this helps.

 

Take care and have a good day.

 

Please click “Accepted Solution” if you feel my post solved your issue, it will help others find the solution. Click the “Kudos/Thumbs Up" on the bottom right to say “Thanks” for helping!

 

Alden4

HP Support 

Raj_05
HP Support Community Moderator

View solution in original post

1 person found this reply helpful
Was this reply helpful? Yes No
3 REPLIES 3

‎11-27-2024 12:01 PM

HP Recommended

Hi @philbell,

 

Welcome to HP Support Community.

 

Thank you for posting your query, I will be glad to help you.

 

The issue you're facing is related to UEFI Secure Boot, which is blocking the old bootmgfw.efi file because its signature is listed in the UEFI "dbx" (Denied List). This is preventing the Fedora 41 upgrade, as it includes an update to the UEFI dbx list that blocks executables like this one.

 

Here’s how you can address the issue:


Update GRUB and Shim

  • The error suggests that the GRUB and Shim bootloaders may need to be updated to work with Fedora 41’s UEFI dbx.
  • To update GRUB and Shim, boot into Fedora 40 and run the following commands:

sudo dnf update shim grub2-efi
 

  • Reboot your system and ensure the updated versions are being used by checking:

sudo efibootmgr -v
 

  • This will show the boot entries and their paths.

Reinstall Shim and GRUB

  • If updating doesn't solve the issue, you may need to reinstall Shim and GRUB to ensure they're correctly signed:

sudo dnf reinstall shim grub2-efi
 

Remove the Old HP bootmgfw.efi File

  • You can try removing or renaming the old bootmgfw.efi file from the EFI/HP/SystemRecovery directory. This should prevent UEFI from attempting to load the outdated HP recovery bootloader.
    • Mount the EFI partition:
  • sudo mount /dev/sdX1 /mnt
    • (Replace /dev/sdX1 with the appropriate EFI partition.)
    • Navigate to the EFI/HP/SystemRecovery directory:
  • cd /mnt/EFI/HP/SystemRecovery
    • Rename or remove the bootmgfw.efi file:
  • sudo mv bootmgfw.efi bootmgfw.efi.bak
    • Alternatively, if you don't need recovery functionality, you can delete it.

Disable Secure Boot (Optional)

  • If updating and removing the old bootmgfw.efi file don't solve the issue, you might consider disabling Secure Boot temporarily while upgrading to Fedora 41. This can be done through the UEFI firmware settings:
    • Reboot the system and enter the UEFI/BIOS settings.
    • Look for a “Secure Boot” option and disable it.
    • After the upgrade, you can re-enable Secure Boot if desired.
Raj_05
HP Support Community Moderator
Was this reply helpful? Yes No

‎11-27-2024 12:01 PM

HP Recommended

Rebuild the EFI Boot Entry

  • If Fedora is still not booting after the steps above, you may need to manually rebuild the UEFI boot entries. Use the following commands:

sudo grub2-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=Fedora
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
 

Verify the UEFI Signature Database

  • If your system continues to block the bootmgfw.efi file, check the UEFI Secure Boot keys:
    • Reboot into the UEFI firmware settings.
    • Look for any secure boot options or settings related to keys, such as "Key Management" or "DBX" (which contains blocked signatures). You may be able to clear the dbx or add the necessary keys for Fedora.


After performing these steps, the issue with the UEFI dbx should be resolved, allowing you to proceed with the Fedora 41 update.

 

I hope this helps.

 

Take care and have a good day.

 

Please click “Accepted Solution” if you feel my post solved your issue, it will help others find the solution. Click the “Kudos/Thumbs Up" on the bottom right to say “Thanks” for helping!

 

Alden4

HP Support 

Raj_05
HP Support Community Moderator
1 person found this reply helpful
Was this reply helpful? Yes No

‎11-27-2024 01:08 PM

HP Recommended

Thanks for the detailed reply. I already resolved the problem, but my solution was included in your recommendation so I'll accept it as a solution.

I didn't want to touch a dual boot that was already functioning correctly, so I did the minimum required to achieve my main target which was to upgrade Fedora.

Here is the sequence of events:

  1. Fedora 41 upgrade requires UEFI dbx upgrade
  2. UEFI dbx upgrade fails because of SYSTEM/EFI/HP/SystemRecovery/bootmgfw.efi
  3. I mount the fs and remove SYSTEM/EFI/HP/SystemRecovery
  4. I retry UEFI dbx upgrade and succeed
  5. I restore SYSTEM/EFI/HP/SystemRecovery
  6. I proceed with Fedora 41 upgrade which succeeds
  7. I unmount the fs - probably could have done that before step 6

I've also included a screenshot of the conflicting bootmgfw.efi files to make it easier for others who read this.

bootmgfw-files.png

Was this reply helpful? Yes No
Warning
Be alert for scammers posting fake support phone numbers and/or email addresses on the community.
If you think you have received a fake HP Support message, please report it to us by clicking on "Flag Post".
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.
Didn't find what you were looking for? Ask the community
† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.