On 25/03/2023 04:48, KCB Leigh wrote:
> Through about May of 2022 I was able to also boot with Ubuntu, with no problems... but some time in the last half of 2022, I updated Debian, & now, although the Ubuntu option exists in the GRUB boot loader menu, when I select it, I get the error message: 'bad shim signature' & I cannot boot with Ubuntu any more.
Perhaps the old key that was used to sign shim in Ubuntu has been revoked since that time due to a vulnerability in GRUB. If so, then you need to update the shim-signed package.
> /EFI/debian/ fbx64.efi, grubx64.efi, mmx64.efi, shimx64.efi BOOTX64.CSV & grub.cfg I think the relevant file is the shimx64.efi file. On the
The relevant file can be found in the output of (it does not matter whether Debian or Ubuntu is booted)
    efibootmgr -v
Likely you are right.
> Ubuntu volume, the /boot/efi/ directory is completely empty & I've not been able to find any files with names containing shim.
Perhaps a wrong partition is mounted to /boot/efi. Usually the same partition should be mounted in Debian and Ubuntu. Compare
    fdisk -l
    findmnt /boot/efi
> My QUESTION: can I simply copy the /EFI/debian/... directory & files to the UBUNTU volume to enable the machine to boot when secure boot is enabled?
No. Files are signed with distribution-specific keys and have different compiled-in paths (/EFI/debian, /EFI/ubuntu).
Ensure that the proper partition is mounted to /boot/efi and run update-grub. I do not remember whether it is enough or whether the shim package has its own script.
I suggest looking into the EFI/BOOT directory on the EFI System Partition. It may contain a fallback from some OS. This directory is intended for removable media, but firmware may prefer it even for built-in drives. A signed shim .efi file may be installed as EFI/BOOT/BOOTX64.EFI. Several years ago buggy EFI was not uncommon.
Notice that os-prober was disabled by default some time ago, so alternative OS entries disappeared from the *grub* menu unless it is explicitly enabled. It should not affect the firmware (BIOS) boot menu.
You may get some impression of the expected file layout for the EFI system partition from
https://wiki.debian.org/UEFI
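
An added example, not part of the original message: a shell sketch of the check suggested above, which parses `efibootmgr -v` output and reports whether each entry's loader file exists under the partition mounted at /boot/efi. The function names and the sample output (including the partition UUID) are constructed for illustration, and entries are assumed to use the `HD(...)/File(...)` form.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Constructed sample of `efibootmgr -v` output (the UUID is made up).
sample_efibootmgr() {
    printf 'BootCurrent: 0001\n'
    printf 'BootOrder: 0001,0000\n'
    printf 'Boot0000* ubuntu\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\ubuntu\\shimx64.efi)\n'
    printf 'Boot0001* debian\tHD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\\EFI\\debian\\shimx64.efi)\n'
}

# Read efibootmgr -v text on stdin and print "label|/path/on/esp" for every
# entry that names a loader file. Backslashes become forward slashes.
loader_paths() {
    sed -n 's/^Boot[0-9A-Fa-f]\{4\}[* ] \(.*\)[[:space:]]HD(.*File(\([^)]*\)).*/\1|\2/p' |
        tr '\\' '/'
}

# Read efibootmgr -v text on stdin and report, per entry, whether the loader
# exists under the ESP mount point given as $1 (normally /boot/efi).
# Note: a real ESP is FAT and case-insensitive; other filesystems are not.
check_loaders() {
    esp=$1
    loader_paths | while IFS='|' read -r label path; do
        if [ -f "$esp$path" ]; then
            echo "present $label $path"
        else
            echo "MISSING $label $path"
        fi
    done
}

# Demo on the constructed sample: show what each boot entry points at.
sample_efibootmgr | loader_paths
```

On a real system the equivalent call is `efibootmgr -v | check_loaders /boot/efi`; entries reported as MISSING while /boot/efi looks empty suggest that a different partition is mounted there.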