
Re: fbx64.efi hangs after Debian 10.10 shim update


On 21/06/2021 at 21:12, Pascal Hambourg wrote:
On 21/06/2021 at 19:44, Steve McIntyre wrote:
On Sun, Jun 20, 2021 at 07:44:58PM +0200, Pascal Hambourg wrote:

I have Debian 10 amd64 installed on an old HP EliteBook 2570p. The UEFI
firmware seems to ignore the EFI boot entries and only be able to boot from the removable device path EFI\BOOT\BOOTX64.EFI by default. After each boot a
new "debian" EFI boot entry was added, so I removed
/boot/efi/EFI/BOOT/fbx64.efi to avoid this. So far so good.


After the latest shim update which ran grub-install and installed the new /boot/efi/EFI/BOOT/fbx64.efi, UEFI boot hangs with no error message, only the
HP logo, and GRUB does not show up.

Using "Boot from EFI file" in the firmware boot menu, it appears that:
- grubx64.efi (from either EFI\debian or EFI\BOOT) works
- shimx64.efi (from EFI\debian) works
- BOOTX64.efi (from EFI\BOOT) hangs
- fbx64.efi (from either EFI\debian or EFI\BOOT) hangs

So as a workaround, I removed /boot/efi/EFI/BOOT/fbx64.efi again.

OK. That's surprising, and I imagine annoying for you. :-/

Not really, as I would have removed fbx64.efi anyway to avoid creating multiple debian entries. I am actually expecting trouble with this EFI setup, it serves as a kind of sentinel. If I wanted no trouble, I would remove the shim and grub signed stuff as I do not use secure boot, or even disable EFI boot and enable only the BIOS boot. But that would be boring.

If you're prepared to help with testing the problem here (please!),
could you please:

1. run "mokutil --set-verbosity true" from the Linux command line (as
2. put the fbx64.efi file in place again (grub-install should do that)
3. reboot and try to capture any output

First screen with blue frame saying "Secure boot not enabled - OK"
After a long list of scrolled "mok.c:" lines ending with "returning Success", the last lines before it stops are (partial, copied by hand):

shim.c:1727:shim_init() UEFI SHIM
$Version: 15.4 $
$BuildMachine: buildhost $
$Commit: XXXX $
shim.c:898:load_image() attempting to load \EFI\Boot\fbx64.efi
pe.c:574:generate_hash() sha1 authenticode hash:
pe.c:575:generate_hash() (2 lines of XX and hex codes)
pe.c:576:generate_hash() sha256 authenticode hash:
pe.c:577:generate_hash() (2 more lines of hex codes)
pe.c:1057:handle_image() sbat section base:0xB9DED000 size:0xC6

More information:

The firmware has two UEFI boot modes: Hybrid (with CSM) and Native (without CSM). In hybrid mode, secure boot is disabled. In native mode, secure boot can be enabled or disabled.

Until now I always used hybrid mode which allows either EFI or legacy BIOS boot. I discovered that the issue happens only in hybrid mode, not in native mode. In native mode with secure boot disabled, here are the next lines displayed after the above lines:

shim.c:1926:efi_main() vendor_authorized:0xB9BA6010 vendor_authorized_size:930
shim.c:1928:efi_main() vendor_deauthorized:0xB9BA63B2 vendor_deauthorized_size:8664
sbat.c:346:set_sbat_uefi_variable() SbatLevel variable is 18 bytes, attributes are 0x00000003

Then the blue frame "Secure boot not enabled" is displayed again (supposedly when \EFI\debian\shimx64.efi is executed).

With secure mode enabled the frame is not displayed, so it does not pause and allow me to see anything until the GRUB menu is displayed.

FWIW, the latest shim-helpers-amd64-signed 1+15.4+6~deb10u1 from buster-proposed-updates did not fix the issue.
