Re: fbx64.efi hangs after Debian 10.10 shim update
Le 21/06/2021 à 21:12, Pascal Hambourg a écrit :
Le 21/06/2021 à 19:44, Steve McIntyre a écrit :
On Sun, Jun 20, 2021 at 07:44:58PM +0200, Pascal Hambourg wrote:
I have Debian 10 amd64 installed on an old HP EliteBook 2570p. The UEFI
firmware seems to ignore the EFI boot entries and only be able to
the removable device path EFI\BOOT\BOOTX64.EFI by default. After each
new "debian" EFI boot entry was added, so I removed
/boot/efi/EFI/BOOT/fbx64.efi to avoid this. So far so good.
After the latest shim update which ran grub-install and installed the
/boot/efi/EFI/BOOT/fbx64.efi, UEFI boot hangs with no error message,
HP logo, and GRUB does not show up.
Using "Boot from EFI file" in the firmware boot menu, it appears that :
- grubx64.efi (from either EFI\debian or EFI\BOOT) works
- shimx64.efi (from EFI\debian) works
- BOOTX64.efi (from EFI\BOOT) hangs
- fbx64.efi (from either EFI\debian or EFI\BOOT) hangs
So as a workaround, I removed /boot/efi/EFI/BOOT/fbx64.efi again.
OK. That's surprising, any I imagine annoying for you. :-/
Not really, as I would have removed fbx64.efi anyway to avoid creating
multiple debian entries. I am actually expecting trouble with this EFI
setup, it serves as a kind of sentinel. If I wanted no trouble, I would
remove the shim and grub signed stuff as I do not use secure boot, or
even disable EFI boot and enable only the BIOS boot. But that would be
If you're prepared to help with testing the problem here (please!),
could you please:
1. run "mokutil --set-verbosity true" from the Linux command line (as
2. put the fbx64.efi file in place again (grub-install should do that)
3. reboot and try to capture any output
First screen with blue frame saying "Secure boot not enabled - OK"
After a long list of scrolled "mok.c:" lines ending with "returning
Success", the last lines before it stops are (partial, copied by hand) :
shim.c:1727:shim_init() UEFI SHIM
$Version: 15.4 $
$BuildMachine: buildhost $
$Commit: XXXX $
shim.c:898:load_image() attempting to load \EFI\Boot\fbx64.efi
pe.c:574:generate_hash() sha1 authenticode hash:
pe.c:575:generate_hash() (2 lines of XX and hex codes)
pe.c:576:generate_hash() sha256 authenticode hash:
pe.c:577:generate_hash() (2 more lines of hex codes)
pe.c:1057:handle_image() sbat section base:0xB9DED000 size:0xC6
More information :
The firmware has two UEFI boot modes : Hybrid (with CSM) and Native
(without CSM). In hybrid mode, secure boot is disabled. In native mode,
secure boot can be enabled or disabled.
Until now I always used hybrid mode which allows either EFI and legacy
BIOS boot. I discovered that the issue happens only in hybrid mode, not
in native mode. In native mode with secure boot disabled, here are the
next lines displayed after the above lines :
sbat.c:346:set_sbat_uefi_variable() SbatLevel variable is 18 bytes,
attributes are 0x00000003
Then the blue frame "Secure boot not enabled" is displayed again
(supposedly when \EFI\debian\shimx64.efi is executed).
With secure mode enabled the frame is not displayed so it does not pause
and allow me to see anything until GRUB menu is displayed.
FWIW, the latest shim-helpers-amd64-signed 1+15.4+6~deb10u1 from
buster-proposed-updates did not fix the issue.