diff --git a/contrib/debian/rules b/contrib/debian/rules
index 7b8b19be2..e41695cae 100755
--- a/contrib/debian/rules
+++ b/contrib/debian/rules
@@ -20,7 +20,6 @@ ifeq (yes,$(shell dpkg-vendor --derives-from Ubuntu && echo yes))
SB_STYLE := ubuntu
tar_name := fwupd_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
export FLASHROM=-Dplugin_flashrom=false
- export DBX=-Defi_dbxdir=/usr/share/secureboot/updates/dbx
else
TMPLDIR := debian/fwupd-$(DEB_HOST_ARCH)-signed-template/usr/share/code-signing/fwupd-$(DEB_HOST_ARCH)-signed-template
export FLASHROM=-Dplugin_flashrom=true
@@ -43,7 +42,7 @@ override_dh_auto_configure:
export DELL="-Dplugin_dell=false"; \
fi; \
if pkg-config --exists efivar; then \
- export UEFI="-Dplugin_uefi=true -Dplugin_redfish=true -Dplugin_nvme=true -Dplugin_msr=true $$DBX"; \
+ export UEFI="-Dplugin_uefi=true -Dplugin_redfish=true -Dplugin_nvme=true -Dplugin_msr=true"; \
else \
export UEFI="-Dplugin_uefi=false -Dplugin_redfish=false -Dplugin_nvme=false -Dplugin_msr=false"; \
fi; \
diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
index 28923ebea..fb8d43798 100644
--- a/contrib/fwupd.spec.in
+++ b/contrib/fwupd.spec.in
@@ -177,7 +177,6 @@ Data files for installed tests.
--werror \
%endif
-Dgtkdoc=true \
- -Defi_dbxdir=%{_datadir}/dbxtool \
%if 0%{?enable_tests}
-Dtests=true \
%else
diff --git a/docs/hsi.xml b/docs/hsi.xml
index 288450519..522c2dce5 100644
--- a/docs/hsi.xml
+++ b/docs/hsi.xml
@@ -343,40 +343,6 @@
-
- UEFI Secure Boot Revocation database (dbx)
-
- The UEFI Secure boot Revocation database is a list of banned hashes that
- must not be allowed to execute when Secure Boot is turned on.
- Vulnerabilities like the Kaspersky signed bootloader remove all
- protections of SecureBoot and this is why an up-to-date dbx is
- considered such an important part of firmware security.
-
-
- The dbx list is updated infrequently and is normally part of the system
- firmware updates issued by system manufacturers or operating system vendors.
-
-
-
-
- For HSI-1 this should be provided v1.5.0
-
-
-
-
-
- See also:
-
-
-
- Microsoft Windows Secure Boot Guidance
-
-
-
-
-
-
-
TPM 2.0 Present
diff --git a/libfwupd/fwupd-security-attr.h b/libfwupd/fwupd-security-attr.h
index 343e67647..fd8c533d3 100644
--- a/libfwupd/fwupd-security-attr.h
+++ b/libfwupd/fwupd-security-attr.h
@@ -138,7 +138,6 @@ typedef enum {
#define FWUPD_SECURITY_ATTR_ID_SUSPEND_TO_RAM "org.fwupd.hsi.SuspendToRam" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_TPM_RECONSTRUCTION_PCR0 "org.fwupd.hsi.Tpm.ReconstructionPcr0" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_TPM_VERSION_20 "org.fwupd.hsi.Tpm.Version20" /* Since: 1.5.0 */
-#define FWUPD_SECURITY_ATTR_ID_UEFI_DBX "org.fwupd.hsi.Uefi.Dbx" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT "org.fwupd.hsi.Uefi.SecureBoot" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_DCI_ENABLED "org.fwupd.hsi.IntelDci.Enabled" /* Since: 1.5.0 */
#define FWUPD_SECURITY_ATTR_ID_INTEL_DCI_LOCKED "org.fwupd.hsi.IntelDci.Locked" /* Since: 1.5.0 */
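Review bot: Deleting `FWUPD_SECURITY_ATTR_ID_UEFI_DBX` from a public libfwupd header is a source-compatibility break for any client that references the `org.fwupd.hsi.Uefi.Dbx` ID, and the removed line carried a `Since: 1.5.0` annotation. If 1.5.0 has already shipped with this symbol, keep the define and mark it as no longer emitted, e.g. `#define FWUPD_SECURITY_ATTR_ID_UEFI_DBX "org.fwupd.hsi.Uefi.Dbx" /* Since: 1.5.0; no longer reported by the daemon */`, so existing consumers still compile; if 1.5.0 is unreleased the removal is fine but deserves a sentence in the commit message. Either way, clients that persisted or compared this ID will now see the attribute absent rather than a `NOT_FOUND` result, which is worth stating explicitly so nobody reads the silence as "dbx is current".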
diff --git a/libfwupdplugin/fu-common.c b/libfwupdplugin/fu-common.c
index 887a2c7d7..4822fc9d0 100644
--- a/libfwupdplugin/fu-common.c
+++ b/libfwupdplugin/fu-common.c
@@ -1112,20 +1112,6 @@ fu_common_get_path (FuPathKind path_kind)
return g_strdup (EFI_APP_LOCATION);
#else
return NULL;
-#endif
- /* /usr/share/fwupd/dbx */
- case FU_PATH_KIND_EFIDBXDIR:
- tmp = g_getenv ("FWUPD_EFIDBXDIR");
- if (tmp != NULL)
- return g_strdup (tmp);
-#ifdef FWUPD_EFI_DBXDIR
- tmp = g_getenv ("SNAP");
- if (tmp != NULL)
- return g_build_filename (tmp, FWUPD_EFI_DBXDIR, NULL);
- return g_strdup (FWUPD_EFI_DBXDIR);
-#else
- basedir = fu_common_get_path (FU_PATH_KIND_LOCALSTATEDIR_PKG);
- return g_build_filename (basedir, "dbx", NULL);
#endif
/* /etc/fwupd */
case FU_PATH_KIND_SYSCONFDIR_PKG:
diff --git a/libfwupdplugin/fu-common.h b/libfwupdplugin/fu-common.h
index 836cc60a8..d8ac00ce2 100644
--- a/libfwupdplugin/fu-common.h
+++ b/libfwupdplugin/fu-common.h
@@ -59,7 +59,6 @@ typedef guint FuEndianType;
* @FU_PATH_KIND_POLKIT_ACTIONS: The directory for policy kit actions (IE /usr/share/polkit-1/actions/)
* @FU_PATH_KIND_OFFLINE_TRIGGER: The file for the offline trigger (IE /system-update)
* @FU_PATH_KIND_SYSFSDIR_SECURITY: The sysfs security location (IE /sys/kernel/security)
- * @FU_PATH_KIND_EFIDBXDIR: The location of the EFI dbx files
* @FU_PATH_KIND_ACPI_TABLES: The location of the ACPI tables
*
* Path types to use when dynamically determining a path at runtime
@@ -80,7 +79,6 @@ typedef enum {
FU_PATH_KIND_POLKIT_ACTIONS,
FU_PATH_KIND_OFFLINE_TRIGGER,
FU_PATH_KIND_SYSFSDIR_SECURITY,
- FU_PATH_KIND_EFIDBXDIR,
FU_PATH_KIND_ACPI_TABLES,
/*< private >*/
FU_PATH_KIND_LAST
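Review bot: Removing `FU_PATH_KIND_EFIDBXDIR` from the middle of the `FuPathKind` enum renumbers `FU_PATH_KIND_ACPI_TABLES` and `FU_PATH_KIND_LAST`, which is an ABI change for anything compiled against the previous libfwupdplugin. If plugins or tools outside this tree link against a released libfwupdplugin, keep the enumerator as a reserved slot, `FU_PATH_KIND_EFIDBXDIR, /* no longer used; kept so later values do not shift */`, and have fu_common_get_path() return NULL for it; if the enum layout is not treated as stable across releases, a note in the commit message is enough. The enum's opening `typedef enum {` line is outside this hunk.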
diff --git a/meson.build b/meson.build
index d780f24ab..8cf660d7c 100644
--- a/meson.build
+++ b/meson.build
@@ -304,19 +304,6 @@ if build_standalone and get_option('plugin_uefi')
efi_app_location = join_paths(libexecdir, 'fwupd', 'efi')
conf.set_quoted ('EFI_APP_LOCATION', efi_app_location)
- efi_dbxdir = get_option('efi_dbxdir')
- if efi_dbxdir == ''
- foreach dir : ['/usr/share/secureboot/updates/dbx', '/usr/share/dbxtool']
- if run_command('[', '-d', dir, ']').returncode() == 0
- efi_dbxdir = dir
- endif
- endforeach
- endif
- if efi_dbxdir != ''
- message('efi-dbxdir: "@0@"'.format(efi_dbxdir))
- conf.set_quoted ('FWUPD_EFI_DBXDIR', efi_dbxdir)
- endif
-
if host_cpu == 'x86'
EFI_MACHINE_TYPE_NAME = 'ia32'
gnu_efi_arch = 'ia32'
diff --git a/meson_options.txt b/meson_options.txt
index 031f68ed0..c2fb1f720 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -28,7 +28,6 @@ option('systemd_root_prefix', type: 'string', value: '', description: 'Directory
option('elogind', type : 'boolean', value : false, description : 'enable elogind support')
option('tests', type : 'boolean', value : true, description : 'enable tests')
option('udevdir', type: 'string', value: '', description: 'Directory for udev rules')
-option('efi_dbxdir', type: 'string', value: '', description: 'Directory for UEFI dbx files')
option('efi-cc', type : 'string', value : 'gcc', description : 'the compiler to use for EFI modules')
option('efi-ld', type : 'string', value : 'ld', description : 'the linker to use for EFI modules')
option('efi-libdir', type : 'string', description : 'path to the EFI lib directory')
diff --git a/plugins/uefi-dbx/fu-plugin-uefi-dbx.c b/plugins/uefi-dbx/fu-plugin-uefi-dbx.c
index 1d3d689e8..9b9315eb2 100644
--- a/plugins/uefi-dbx/fu-plugin-uefi-dbx.c
+++ b/plugins/uefi-dbx/fu-plugin-uefi-dbx.c
@@ -31,77 +31,3 @@ fu_plugin_coldplug (FuPlugin *plugin, GError **error)
fu_plugin_device_add (plugin, FU_DEVICE (device));
return TRUE;
}
-
-void
-fu_plugin_add_security_attrs (FuPlugin *plugin, FuSecurityAttrs *attrs)
-{
- gsize bufsz = 0;
- g_autofree guint8 *buf_system = NULL;
- g_autofree guint8 *buf_update = NULL;
- g_autoptr(GPtrArray) dbx_system = NULL;
- g_autoptr(GPtrArray) dbx_update = NULL;
- g_autoptr(FwupdSecurityAttr) attr = NULL;
- g_autoptr(GError) error_local = NULL;
- g_autofree gchar *fn = NULL;
-
- /* find the latest DBX on the system */
- fn = fu_uefi_dbx_get_dbxupdate (&error_local);
- if (fn == NULL) {
- g_warning ("cannot find any updates: %s", error_local->message);
- return;
- }
-
- /* create attr */
- attr = fwupd_security_attr_new (FWUPD_SECURITY_ATTR_ID_UEFI_DBX);
- fwupd_security_attr_set_plugin (attr, fu_plugin_get_name (plugin));
- fwupd_security_attr_set_level (attr, FWUPD_SECURITY_ATTR_LEVEL_CRITICAL);
- fu_security_attrs_append (attrs, attr);
-
- /* no binary blob */
- if (!fu_plugin_get_enabled (plugin)) {
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
- fwupd_security_attr_set_url (attr, "https://github.com/fwupd/fwupd/wiki/Missingdbx");
- return;
- }
-
- /* get update dbx */
- if (!g_file_get_contents (fn, (gchar **) &buf_update, &bufsz, &error_local)) {
- g_warning ("failed to load %s: %s", fn, error_local->message);
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
- return;
- }
- dbx_update = fu_efi_signature_parser_new (buf_update, bufsz,
- FU_EFI_SIGNATURE_PARSER_FLAGS_IGNORE_HEADER,
- &error_local);
- if (dbx_update == NULL) {
- g_warning ("failed to parse %s: %s", fn, error_local->message);
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
- return;
- }
-
- /* get system dbx */
- if (!fu_efivar_get_data (FU_EFIVAR_GUID_SECURITY_DATABASE, "dbx",
- &buf_system, &bufsz, NULL, &error_local)) {
- g_warning ("failed to load EFI dbx: %s", error_local->message);
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
- return;
- }
- dbx_system = fu_efi_signature_parser_new (buf_system, bufsz,
- FU_EFI_SIGNATURE_PARSER_FLAGS_NONE,
- &error_local);
- if (dbx_system == NULL) {
- g_warning ("failed to parse EFI dbx: %s", error_local->message);
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_VALID);
- return;
- }
-
- /* look for each checksum in the update in the system version */
- if (!fu_efi_signature_list_array_inclusive (dbx_system, dbx_update)) {
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_NOT_FOUND);
- return;
- }
-
- /* success */
- fwupd_security_attr_add_flag (attr, FWUPD_SECURITY_ATTR_FLAG_SUCCESS);
- fwupd_security_attr_set_result (attr, FWUPD_SECURITY_ATTR_RESULT_FOUND);
-}
diff --git a/plugins/uefi-dbx/fu-self-test.c b/plugins/uefi-dbx/fu-self-test.c
index fb310e30f..b50a98cf4 100644
--- a/plugins/uefi-dbx/fu-self-test.c
+++ b/plugins/uefi-dbx/fu-self-test.c
@@ -43,40 +43,6 @@ fu_efi_image_func (void)
g_assert_cmpstr (csum, ==, "e99707d4378140c01eb3f867240d5cc9e237b126d3db0c3b4bbcd3da1720ddff");
}
-static void
-fu_efi_signature_list_parse_func (void)
-{
- FuEfiSignatureList *siglist;
- gboolean ret;
- gsize bufsz = 0;
- g_autofree gchar *fn = NULL;
- g_autofree guint8 *buf = NULL;
- g_autoptr(GPtrArray) siglists = NULL;
- g_autoptr(GError) error = NULL;
-
- /* load file */
- fn = fu_uefi_dbx_get_dbxupdate (NULL);
- if (fn == NULL) {
- g_test_skip ("no dbx file, use -Defi_dbxdir=");
- return;
- }
- ret = g_file_get_contents (fn, (gchar **) &buf, &bufsz, &error);
- g_assert_no_error (error);
- g_assert_true (ret);
-
- /* parse the update */
- siglists = fu_efi_signature_parser_new (buf, bufsz,
- FU_EFI_SIGNATURE_PARSER_FLAGS_IGNORE_HEADER,
- &error);
- g_assert_no_error (error);
- g_assert_nonnull (siglists);
- g_assert_cmpint (siglists->len, ==, 1);
- siglist = g_ptr_array_index (siglists, 0);
- g_assert_cmpint (fu_efi_signature_list_get_all(siglist)->len, ==, 77);
- g_assert_true (fu_efi_signature_list_has_checksum (siglist, "72e0bd1867cf5d9d56ab158adf3bddbc82bf32a8d8aa1d8c5e2f6df29428d6d8"));
- g_assert_false (fu_efi_signature_list_has_checksum (siglist, "dave"));
-}
-
int
main (int argc, char **argv)
{
@@ -88,6 +54,5 @@ main (int argc, char **argv)
/* tests go here */
g_test_add_func ("/uefi-dbx/image", fu_efi_image_func);
- g_test_add_func ("/uefi-dbx/file-parse", fu_efi_signature_list_parse_func);
return g_test_run ();
}
diff --git a/plugins/uefi-dbx/fu-uefi-dbx-common.c b/plugins/uefi-dbx/fu-uefi-dbx-common.c
index bdcd0a44a..5a00a6cdd 100644
--- a/plugins/uefi-dbx/fu-uefi-dbx-common.c
+++ b/plugins/uefi-dbx/fu-uefi-dbx-common.c
@@ -13,24 +13,6 @@
#include "fu-uefi-dbx-common.h"
-gchar *
-fu_uefi_dbx_get_dbxupdate (GError **error)
-{
- g_autofree gchar *dbxdir = NULL;
- g_autofree gchar *glob = NULL;
- g_autoptr(GPtrArray) files = NULL;
-
- /* get the newest files from dbxtool, prefer the per-arch ones first */
- dbxdir = fu_common_get_path (FU_PATH_KIND_EFIDBXDIR);
- glob = g_strdup_printf ("*%s*.bin", EFI_MACHINE_TYPE_NAME);
- files = fu_common_filename_glob (dbxdir, glob, NULL);
- if (files == NULL)
- files = fu_common_filename_glob (dbxdir, "*.bin", error);
- if (files == NULL)
- return NULL;
- return g_strdup (g_ptr_array_index (files, 0));
-}
-
gchar *
fu_uefi_dbx_get_authenticode_hash (const gchar *fn, GError **error)
{
diff --git a/plugins/uefi-dbx/fu-uefi-dbx-common.h b/plugins/uefi-dbx/fu-uefi-dbx-common.h
index de33f8805..ff6b97654 100644
--- a/plugins/uefi-dbx/fu-uefi-dbx-common.h
+++ b/plugins/uefi-dbx/fu-uefi-dbx-common.h
@@ -8,7 +8,6 @@
#include
-gchar *fu_uefi_dbx_get_dbxupdate (GError **error);
gchar *fu_uefi_dbx_get_authenticode_hash (const gchar *fn,
GError **error);
gboolean fu_uefi_dbx_signature_list_validate (GPtrArray *siglists,
diff --git a/src/fu-security-attr.c b/src/fu-security-attr.c
index 0b0bd949b..ffdbd0e64 100644
--- a/src/fu-security-attr.c
+++ b/src/fu-security-attr.c
@@ -95,10 +95,6 @@ fu_security_attr_get_name (FwupdSecurityAttr *attr)
/* TRANSLATORS: Title: a better sleep state */
return g_strdup (_("Suspend-to-idle"));
}
- if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_DBX) == 0) {
- /* TRANSLATORS: Title: dbx is the database with revoked hashes */
- return g_strdup (_("UEFI dbx"));
- }
if (g_strcmp0 (appstream_id, FWUPD_SECURITY_ATTR_ID_UEFI_SECUREBOOT) == 0) {
/* TRANSLATORS: Title: SB is a way of locking down UEFI */
return g_strdup (_("UEFI secure boot"));