Advice on enabling Secure Boot

Aug 30, 2023
I want to enable Secure Boot on my host (v8.2.4), which does boot via UEFI, but I need some advice on whether I'm going to be OK following the instructions at https://pve.proxmox.com/pve-docs/chapter-sysadmin.html#sysboot_secure_boot

I have installed proxmox-secure-boot-support

My boot device is ZFS:

Code:
TARGET SOURCE           FSTYPE OPTIONS
/      rpool/ROOT/pve-1 zfs    rw,relatime,xattr,noacl,casesensitive

My boot device is:

Code:
nvme0n1     259:0    0 238.5G  0 disk
├─nvme0n1p1 259:1    0  1007K  0 part
├─nvme0n1p2 259:2    0     1G  0 part             vfat
└─nvme0n1p3 259:3    0 237.5G  0 part             zfs_member

BTW, the statement "They can be identified by their size of 512M and their FSTYPE being vfat" doesn't seem to be right for me, hence asking with this thread. No idea why mine is 1GB.

I have not yet run the boot tool to set up the partition, as I didn't want to break something for now, i.e.: proxmox-boot-tool init /dev/nvme0n1p2 grub

Currently the EFI boot sanity check returns:

Code:
root@abe:~# efibootmgr -v
BootCurrent: 000B
Timeout: 1 seconds
BootOrder: 000B,0001
Boot0001  Linux Boot Manager    HD(2,GPT,761b801c-6450-4283-9a56-e99f0fc6030d,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot000B* UEFI OS       HD(2,GPT,761b801c-6450-4283-9a56-e99f0fc6030d,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO

Is there anything I should change or check?
 
So with no reply I decided to give it a go, and I was able to complete enabling Secure Boot for my test system, and it worked fine. It didn't matter that my EFI partition was 1G instead of 512MB, so that's not a fixed indicator of which is the correct partition.

Now to my main host, I have one question: unlike the test system, the boot drive is made up of a RAID-1 pair of disks, so as per the instructions I ran "proxmox-boot-tool init" on each EFI partition I found:

Code:
proxmox-boot-tool init /dev/nvme0n1p2 grub
proxmox-boot-tool init /dev/nvme1n1p2 grub

After the first one the sanity check returned:

Code:
BootOrder: 0001,0003,0000,0004,0005,0006
Boot0000* Linux Boot Manager    HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot0001* proxmox       HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0003* Linux Boot Manager    HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot0004* UEFI OS       HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0005* UEFI OS       HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0006* UEFI: Built-in EFI Shell      VenMedia(5023b95c-db26-429b-a648-bd47664c8012)..BO

But after the second it was:

Code:
BootOrder: 0001,0003,0000,0004,0005,0006
Boot0000* Linux Boot Manager    HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot0001* proxmox       HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0003* Linux Boot Manager    HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot0004* UEFI OS       HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0005* UEFI OS       HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0006* UEFI: Built-in EFI Shell      VenMedia(5023b95c-db26-429b-a648-bd47664c8012)..BO

I was expecting there to be two proxmox entries, one for each drive but it only shows the second one it just configured. Is that not the way this works?

I haven't rebooted yet to enable Secure Boot in the BIOS as I want to be sure I've not done something wrong.
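
To see per ESP which loaders the firmware has registered, here is an added sketch (not part of the original post and not Proxmox tooling) that groups `efibootmgr -v` entries by partition GUID and lists the ESPs with no active entry naming a shim binary. The function names are made up for this example, and the embedded sample is the second listing from the post.

```python
import re
import sys
from collections import defaultdict

# Second efibootmgr listing from the post above (after both init runs).
SAMPLE = r"""BootOrder: 0001,0003,0000,0004,0005,0006
Boot0000* Linux Boot Manager    HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot0001* proxmox       HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0003* Linux Boot Manager    HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\SYSTEMD\SYSTEMD-BOOTX64.EFI)
Boot0004* UEFI OS       HD(2,GPT,f09f04f2-b554-4182-9b23-7528246ebe99,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0005* UEFI OS       HD(2,GPT,5ffdc5d1-5629-499a-8c83-876d0e19d96e,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0006* UEFI: Built-in EFI Shell      VenMedia(5023b95c-db26-429b-a648-bd47664c8012)..BO
"""

# One NVRAM entry that points at a file on a GPT partition (other entry types are skipped).
ENTRY = re.compile(
    r"^Boot([0-9A-Fa-f]{4})(\*?)[ \t]+(.*?)[ \t]+"
    r"HD\(\d+,GPT,([0-9A-Fa-f-]{36}),[^)]*\)/File\(([^)]*)\)", re.M)

def loaders_by_esp(text):
    """Map partition GUID -> [(boot number, label, loader path, active)]."""
    esps = defaultdict(list)
    for num, star, label, guid, path in ENTRY.findall(text):
        esps[guid.lower()].append((num.upper(), label, path, star == "*"))
    return dict(esps)

def boot_order(text):
    m = re.search(r"^BootOrder:\s*(\S+)", text, re.M)
    return m.group(1).upper().split(",") if m else []

def esps_without_shim(text):
    """Partition GUIDs with no active entry whose loader file name contains 'shim'."""
    return sorted(
        guid for guid, entries in loaders_by_esp(text).items()
        if not any(active and "shim" in path.rsplit("\\", 1)[-1].lower()
                   for _, _, path, active in entries))

if __name__ == "__main__":
    # Use piped efibootmgr output when present, else the listing above.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    order = boot_order(text)
    for guid, entries in loaders_by_esp(text).items():
        print(guid)
        for num, label, path, active in entries:
            pos = order.index(num) + 1 if num in order else "-"
            print(f"  Boot{num} order={pos} active={active} {label}: {path}")
    print("no explicit shim entry:", esps_without_shim(text) or "none")
```

Pipe live output in with `efibootmgr -v | python3 esp_check.py` (file name assumed). It reads NVRAM entries only: what `\EFI\BOOT\BOOTX64.EFI` on each ESP actually contains has to be checked on the partition itself.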
 