How to update Bazzite ?

by

Go to terminal and type (without quotes)

“ujust update”

logs for the update command

satyendra@bazzite:~$ ujust update

── 09:04:52 – System update ────────────────────────────────────────────────────
Pulling manifest: ostree-image-signed:docker://ghcr.io/ublue-os/bazzite-gnome:stable
No upgrade available.

── 09:04:55 – Firmware upgrades ────────────────────────────────────────────────
Updating lvfs
Downloading… [************************************** ]
Successfully downloaded new metadata:
• 9 devices are updatable
• 4 devices are supported in the enabled remotes (an update has been published)
Devices with no available firmware updates:
• Key Exchange Key
• SSD 860 QVO 1TB
• UEFI DB
• WD10JPVX-75JC3T0
• Windows Production PCA
Devices with the latest available firmware version:
• System Firmware
Dell Inc. Inspiron 14-3467

├─KEK CA:
│ │ Device ID: b7a1d3d90faa1f6275d9a98da4fb3be7118e61c7
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ GUIDs: 814e950f-1449-566a-a190-42c9d3a3a2df ← UEFI\VENDOR_Microsoft&NAME_Microsoft-KEK-CA
│ │ dfa66406-6568-5bdf-bb8e-b53ddb4be4cf ← UEFI\CRT_9F402B1CC0243CBEDC58A525789816CCCA7687A9
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Device is usable for the duration of the update
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ └─Secure Boot KEK Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 113921
│ Summary: UEFI Secure Boot Key Exchange Key
│ Variant: Dell
│ License: Proprietary
│ Size: 2.9 kB
│ Created: 2025-04-29 00:00:00
│ Urgency: High
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the UEFI Signature Database (the “KEK”) to the latest release from Microsoft, signed by Dell Inc.Platform Key.
│ Checksum: 8c6f7c473afceac2bd26b1598e26991f710875cc25d0ce08cbe0a90867ea9914

├─UEFI CA:
│ │ Device ID: 5bc922b7bd1adb5b6f99592611404036bd9f42d0
│ │ Current version: 2011
│ │ Vendor: Microsoft (UEFI:Microsoft)
│ │ GUIDs: 26f42cba-9bf6-5365-802b-e250eb757e96 ← UEFI\VENDOR_Microsoft&NAME_Microsoft-UEFI-CA
│ │ c34a7e6a-bd86-5244-8bd0-7db66fd3c073 ← UEFI\CRT_E30CF09DABEAB32A6E3B07A7135245DE05FFB658
│ │ Device Flags: • Internal device
│ │ • Updatable
│ │ • Supported on remote server
│ │ • Needs a reboot after installation
│ │ • Signed Payload
│ │ • Can tag for emulation
│ │
│ └─Secure Boot Signature Database Configuration Update:
│ New version: 2023
│ Remote ID: lvfs
│ Release ID: 116503
│ Summary: UEFI Secure Boot Signature Database
│ License: Proprietary
│ Size: 10.0 kB
│ Created: 2025-04-29 00:00:00
│ Urgency: High
│ Tested: 2026-04-20 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-09-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 2011
│ Version[fwupd]: 2.0.16
│ Tested: 2025-07-24 00:00:00
│ Distribution: nixos 25.11
│ Old version: 2011
│ Version[fwupd]: 2.0.12
│ Vendor: Linux Foundation
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ Description:
│ This updates the 3rd Party UEFI Signature Database (the “db”) to the latest release from Microsoft.It also adds the latest OptionROM UEFI Signature Database update.
│ Checksum: 6819c8098f09f4332a102194df6a033563aa288073b16315c5b88860fefb7e74

└─UEFI dbx:
│ Device ID: 362301da643102b9f38477387e2193e57abaa590
│ Summary: UEFI revocation database
│ Current version: 20230501
│ Minimum Version: 20230501
│ Vendor: Microsoft (UEFI:Microsoft)
│ Install Duration: 1 second
│ GUIDs: 4a6cd2cb-8741-5257-9d1f-89a275dacca7 ← UEFI\CRT_E28D59CA489BD2AD580F2EA5D62D6A29BB9C02AE5A818434A37DA7FC11DFF9E9&ARCH_X64
│ f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
│ Device Flags: • Internal device
│ • Updatable
│ • Supported on remote server
│ • Needs a reboot after installation
│ • Device is usable for the duration of the update
│ • Only version upgrades are allowed
│ • Signed Payload
│ • Can tag for emulation

├─Secure Boot dbx Configuration Update:
│ New version: 20250902
│ Remote ID: lvfs
│ Release ID: 130035
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.1 kB
│ Created: 2025-09-02 00:00:00
│ Urgency: High
│ Tested: 2026-04-20 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2026-02-25 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 20230501
│ Version[fwupd]: 2.0.18
│ Tested: 2026-02-13 00:00:00
│ Distribution: ubuntu 25.10
│ Old version: 20230501
│ Version[fwupd]: 2.0.17
│ Tested: 2025-12-05 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20250507
│ Version[fwupd]: 2.0.17
│ Tested: 2025-11-10 00:00:00
│ Distribution: fedora 43 (kde)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the “dbx”) to the latest release from Microsoft.

│ Some insecure versions of the IGEL bootloader were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issue: CVE-2025-47827
│ Checksum: 7178302fa23fcb875e7540900e299fb30a76758663efb7e1c56edc25cd3f316a

├─Secure Boot dbx Configuration Update:
│ New version: 20250507
│ Remote ID: lvfs
│ Release ID: 115586
│ Summary: UEFI Secure Boot Forbidden Signature Database
│ Variant: x64
│ License: Proprietary
│ Size: 24.0 kB
│ Created: 2025-01-17 00:00:00
│ Urgency: High
│ Tested: 2025-10-17 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20230501
│ Version[fwupd]: 2.0.16
│ Tested: 2025-06-11 00:00:00
│ Distribution: fedora 42 (workstation)
│ Old version: 20241101
│ Version[fwupd]: 2.0.11
│ Vendor: Linux Foundation
│ Duration: 1 second
│ Release Flags: • Trusted metadata
│ • Is upgrade
│ • Tested by trusted vendor
│ Description:
│ This updates the list of forbidden signatures (the “dbx”) to the latest release from Microsoft.

│ Some insecure versions of BiosFlashShell and Dtbios by DT Research Inc were added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
│ Issues: 806555
│ CVE-2025-3052
│ Checksum: 40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6

└─Secure Boot dbx Configuration Update:
New version: 20241101
Remote ID: lvfs
Release ID: 105821
Summary: UEFI Secure Boot Forbidden Signature Database
Variant: x64
License: Proprietary
Size: 15.1 kB
Created: 2025-01-17 00:00:00
Urgency: High
Tested: 2026-02-25 00:00:00
Distribution: ubuntu 24.04
Old version: 20230501
Version[fwupd]: 1.9.28
Vendor: Linux Foundation
Duration: 1 second
Release Flags: • Trusted metadata
• Is upgrade
Description:
This updates the list of forbidden signatures (the “dbx”) to the latest release from Microsoft.

An insecure version of Howyar’s SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
Issues: 529659
CVE-2024-7344
Checksum: 093e6913dfecefbdaa9374a2e1caee7bf7e74c7eda847624e456e344884ba5f6

── 09:05:04 – Flatpak User Packages ────────────────────────────────────────────
Looking for updates…

Nothing to do.

── 09:05:04 – Flatpak System Packages ──────────────────────────────────────────
Looking for updates…

Nothing to do.

── 09:05:07 – Brew ─────────────────────────────────────────────────────────────
==> Updating Homebrew…
Already up-to-date.

── 09:05:17 – Mozilla GNOME Themes ─────────────────────────────────────────────
Looking for updates…

── 09:05:17 – Third Party CSS Loader Themes ────────────────────────────────────
Looking for updates…

── 09:05:17 – Summary ──────────────────────────────────────────────────────────
System update: OK
Firmware upgrades: OK
Flatpak: OK
Brew: OK
Mozilla GNOME Themes: OK
Third Party CSS Loader Themes: OK
en-US.
(R)eboot
(S)hell
(Q)uit

Leave a Comment