shim-signed update - should new shim be copied to ESP automatically?

M

Mateo_123

New Member
May 25, 2026
2
1
3
After upgrading shim-signed (1.48+pmx1) on a bare metal PVE host (9.1 -> 9.2) I noticed that /boot/efi/EFI/debian/shimx64.efi was not updated automatically.

The new shim signed with both Microsoft UEFI CA 2011 and 2023 was available at /usr/lib/shim/shimx64.efi.signed but never made it to the ESP on its own.

I ended up copying it manually:
cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/debian/shimx64.efi

What is the correct way for the shim to be updated on the ESP after a package upgrade?
 
  • Like
Reactions: Sunilkumar
Sunilkumar said:
You’re correct—on Proxmox VE (Debian-based systems), updating the shim-signed package does not automatically copy the new shimx64.efi to the ESP.
Click to expand...

that is not true. installing a shim upgrade will trigger grub reinstallation on the ESP which will in turn install the updated copy of the shim binary:

Code: 
$ apt install --reinstall shim-signed
[..]
Preparing to unpack .../shim-signed_1.48+pmx1+16.1-1+pmx1_amd64.deb ...
Unpacking shim-signed:amd64 (1.48+pmx1+16.1-1+pmx1) over (1.48+pmx1+16.1-1+pmx1) ...
Setting up shim-signed:amd64 (1.48+pmx1+16.1-1+pmx1) ...
Installing for x86_64-efi platform.
File descriptor 3 (pipe:[45098029]) leaked on vgs invocation. Parent PID 4033710: grub-install.real
File descriptor 3 (pipe:[45098029]) leaked on vgs invocation. Parent PID 4033710: grub-install.real
Installation finished. No error reported.
No DKMS packages installed: not changing Secure Boot validation state.
Processing triggers for proxmox-kernel-helper (9.0.4) ...
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..

the "Installing for x86_64-efi platform" line is grub-install being invoked.

note that "/boot/efi/EFI/debian/shimx64.efi" is not where PVE installs its bootloader, that would be "/boot/efi/EFI/proxmox/shimx64.efi"

how did you install this system?
 
This system was originally installed as Debian and Proxmox VE was installed on top of it. That's why the ESP has /boot/efi/EFI/debian/

Also worth mentioning - all boot-related packages on this host are Proxmox
 
Last edited:
that copy of the bootloaders will not be updated by anything then, you should remove it ;)
 
You must log in or register to reply here.
Top Bottom
Back