
shim boot-loader problem


KCB Leigh

Mar 24, 2023, 6:10:05 PM
I have an ACER ASPIRE 5.14 laptop with an internal hard disk, with
both Windows 10, & Ubuntu v.20.04 on separate partitions (which I use
only occasionally), but have been running the machine primarily from
a USB stick with Debian 11.6:

Linux cpe-67-241-65-193 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

The problem:
    > I can boot with Debian with no problems;
    > I can boot with Windows with no problems;
    > Through about May of 2022 I was able to also boot with
      Ubuntu, with no problems... but some time in the last half
      of 2022, I updated Debian, & now, although the Ubuntu option
      exists in the GRUB boot loader menu, when I select it, I get
      the error message: 'bad shim signature' & I cannot boot with
      Ubuntu any more.
    > To boot with Ubuntu, I have to disable secure boot in the
      BIOS/UEFI setup (F2 on my computer).  With earlier
      versions of the kernel, I think one had to disable secure
      boot to boot with Debian, but after kernel 5.10, one could
      boot with secure boot enabled, as my experiences through the
      middle of 2022 showed.
    > The APPARENT reason is that on the Debian boot volume, the
      /boot/efi/ directory contains:
        /EFI/debian/
        fbx64.efi, grubx64.efi, mmx64.efi, shimx64.efi
        BOOTX64.CSV & grub.cfg
      I think the relevant file is the shimx64.efi file.  On the
      Ubuntu volume, the /boot/efi/ directory is completely empty &
      I've not been able to find any files with names containing shim.

My QUESTION: can I simply copy the /EFI/debian/... directory & files
to the UBUNTU volume to enable the machine to boot when secure boot is
enabled?  My worry is that the Ubuntu OS uses a different version of
kernel: the 2 most recent versions of kernel on each volume are:

      DEBIAN 11.6    |       UBUNTU
    5.10.0-20-amd64  |  5.15.0-67-generic
    5.10.0-21-amd64  |  5.19.0-35-generic

so the shimx64.efi may work for the Debian OS but not the UBUNTU,
though this shim 'boot-loader' is 'used' before the kernel, I think.

I would be most appreciative of any advice, or suggestions for a
better place to submit this question, if this forum's not appropriate.

With many thanks,
Ken

(I have not subscribed to the list, but will try to check it; I would
be very grateful if replies could be cc to my e-mail address:
kcbl...@yahoo.co.uk.)

Max Nikulin

Mar 25, 2023, 12:10:06 AM
On 25/03/2023 04:48, KCB Leigh wrote:
>     > Through about May of 2022 I was able to also boot with
>       Ubuntu, with no problems... but some time in the last half
>       of 2022, I updated Debian, & now, although the Ubuntu option
>       exists in the GRUB boot loader menu, when I select it, I get
>       the error message: 'bad shim signature' & I cannot boot with
>       Ubuntu any more.

Perhaps the old key that was used to sign shim in Ubuntu has been revoked
since that time due to a vulnerability in GRUB. If so, then you need to
update the shim-signed package.

>         /EFI/debian/
>         fbx64.efi, grubx64.efi, mmx64.efi, shimx64.efi
>         BOOTX64.CSV & grub.cfg
>       I think the relevant file is the shimx64.efi file.  On the

The relevant file can be found in the output of (it does not matter if
Debian or Ubuntu is booted)

efibootmgr -v

Likely you are right.

>       Ubuntu volume, the /boot/efi/ directory is completely empty &
>       I've not been able to find any files with names containing shim.

Perhaps the wrong partition is mounted to /boot/efi. Usually the same
partition should be mounted in Debian and Ubuntu. Compare

fdisk -l
findmnt /boot/efi

> My QUESTION: can I simply copy the /EFI/debian/... directory & files
> to the UBUNTU volume to enable the machine to boot when secure boot is
> enabled?

No. Files are signed with distribution-specific keys and have different
compiled-in paths (/EFI/debian, /EFI/ubuntu).

Ensure that the proper partition is mounted to /boot/efi and run
update-grub. I do not remember if it is enough or if the shim package has
its own script.

I suggest looking into the EFI/BOOT directory on the EFI System Partition.
It may contain a fallback from some OS. This directory is intended for
removable media, but firmware may prefer it even for built-in drives.
A signed shim .efi file may be installed as EFI/BOOT/BOOTX64.EFI. Several
years ago buggy EFI was not uncommon.

Notice that os-prober was disabled by default some time ago, so
alternative OS entries disappear from the *grub* menu unless it is
explicitly enabled. It should not affect the firmware (BIOS) boot menu.

You may get some impression of the expected file layout for the EFI system
partition from
https://wiki.debian.org/UEFI
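
Added example, not part of the original thread: the reply suggests reading `efibootmgr -v` to see which loader each firmware entry points at and checking which partition is mounted on /boot/efi. This sketch combines the two by listing entries whose loader sits on a different partition than the mounted one. The sample output, GUIDs and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. The GUIDs and entry numbers below are constructed.
sample_efibootmgr() {
cat <<'EOF'
BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0003,0001,0000
Boot0000* Windows Boot Manager  HD(1,GPT,11111111-aaaa-4bbb-8ccc-000000000001,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* ubuntu  HD(1,GPT,11111111-aaaa-4bbb-8ccc-000000000001,0x800,0x82000)/File(\EFI\ubuntu\shimx64.efi)
Boot0003* debian  HD(1,GPT,22222222-dddd-4eee-8fff-000000000002,0x800,0x100000)/File(\EFI\debian\shimx64.efi)
EOF
}

# Reads `efibootmgr -v` output on stdin; prints one line per disk-backed
# entry as: number|label|partition GUID|loader path
list_loaders() {
    awk '
    /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ &&
    index($0, "HD(") && index($0, "File(") {
        num = substr($0, 5, 4)
        rest = substr($0, 9)
        sub(/^[*]?[ \t]*/, "", rest)          # drop the "active" marker
        hd = index(rest, "HD(")
        label = substr(rest, 1, hd - 1)
        sub(/[ \t]+$/, "", label)
        dev = substr(rest, hd)
        split(dev, f, ",")                    # HD(part,GPT,GUID,start,size)
        path = substr(dev, index(dev, "File(") + 5)
        sub(/[)].*$/, "", path)
        printf "%s|%s|%s|%s\n", num, label, tolower(f[3]), path
    }'
}

# Entries whose loader is NOT on the partition whose PARTUUID is $1.
# On a live system $1 would come from:
#   blkid -s PARTUUID -o value "$(findmnt -no SOURCE /boot/efi)"
loaders_elsewhere() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    list_loaders | awk -F'|' -v want="$want" '$3 != want { print $2 ": " $4 }'
}

# Stand-alone demo on the constructed sample: pretend the Debian stick's ESP
# is mounted on /boot/efi, so the Ubuntu and Windows loaders live elsewhere.
sample_efibootmgr | loaders_elsewhere 22222222-dddd-4eee-8fff-000000000002
```

An entry listed here is one whose files will not appear under the currently mounted /boot/efi, which would match an "empty" directory like the one described in the question.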