Re: shim boot-loader problem

To: KCB Leigh <kcbl2003@yahoo.co.uk>, "debian-user@lists.debian.org" <debian-user@lists.debian.org>
Subject: Re: shim boot-loader problem
From: Max Nikulin <manikulin@gmail.com>
Date: Sat, 25 Mar 2023 10:43:41 +0700
Message-id: <[🔎] df5059c1-d8d2-c802-39b8-9a72adf0ea07@gmail.com>
Mail-followup-to: KCB Leigh <kcbl2003@yahoo.co.uk>, "debian-user@lists.debian.org" <debian-user@lists.debian.org>
In-reply-to: <[🔎] 789909868.694531.1679694511647@mail.yahoo.com>
References: <789909868.694531.1679694511647.ref@mail.yahoo.com> <[🔎] 789909868.694531.1679694511647@mail.yahoo.com>

On 25/03/2023 04:48, KCB Leigh wrote:

     > Through about May of 2022 I was able to also boot with
       Ubuntu, with no problems... but some time in the last half
       of 2022, I updated Debian, & now, although the Ubuntu option
       exists in the GRUB boot loader menu, when I select it, I get
       the error message: 'bad shim signature' & I cannot boot with
       Ubuntu any more.

Perhaps old key that was used to sign shim in ubuntu has been revokedsince that time due to a vulnerability in grub. If so then you need toupdate the shim-signed package.

         /EFI/debian/
         fbx64.efi, grubx64.efi, mmx64.efi, shimx64.efi
         BOOTX64.CSV & grub.cfg
       I think the relevant file is the shimx64.efi file.  On the

The relevant file can be found in output of (it does not matter ifDebian or Ubuntu is booted)


    efibootmgr -v

Likely you are right.

       Ubuntu volume, the /boot/efi/ directory is completely empty &
       I've not been able to find any files with names containing shim.

Perhaps a wrong partition is mounted to /boot/efi. Usually the samepartition should be mounted in Debian and Ubuntu. Compare


    fdisk -l
    findmnt /boot/efi

My QUESTION: can I simply copy the /EFI/debian/... directory & files
to the UBUNTU volume to enable the machine to boot when secure boot is
enabled?

No. Files are signed with distribution-specific keys and have differentcompiled in paths (/EFI/debian, /EFI/ubuntu)

Ensure that the proper partition is mounted to /boot/efi and runupdate-grub. I do not remember if it is enough or shim package has itsown script.

I suggest to look into EFI/BOOT directory on the EFI System Partition.It may contain fallback from some OS. This directory is intended forremovable media, but firmware may prefer it even for built-in drives.Signed shim .efi file may be installed as EFI/BOOT/BOOTX64.EFI. Severalyears ago buggy EFI was not uncommon.

Notice that os-probber was disabled by default some time ago, soalternative OS entries disappeared from *grub* menu unless it isexplicitly enabled. It should not affect the firmware (BIOS) boot menu.

You may get some impression of expected file layout for EFI systempartition from

https://wiki.debian.org/UEFI

Reply to:

References:
- shim boot-loader problem
  - From: KCB Leigh <kcbl2003@yahoo.co.uk>

Prev by Date: Re: differences between hwclock <-> date due to time zone issues? ...
Next by Date: Re: exim failure
Previous by thread: shim boot-loader problem
Next by thread: Question for this IP's PTR
Index(es):
- Date
- Thread