Proxmox on Debian secure boot setup

lalaman

Aug 21, 2024
Hi Experts

I'm installing Proxmox on top of Debian for disk encryption purposes. Everything seems to work fine for Proxmox, but I can't get secure boot working. Secure boot worked for a normal Proxmox ISO installation (not with Debian).

I got this while booting up:
Loading Linux 6.8.12-8-pve ...
error: bad shim signature.
Loading initial ramdisk ...
error: you need to load the kernel first.

I looked at this thread and saw that you have to install the signed package, which I did.

I've already pulled and installed the "proxmox-kernel-6.8.12-8-pve-signed_6.8.12-8_amd64.deb" package.

I believe when Debian is installing it has its own shim and grub, but I'm installing a Proxmox kernel instead, so I have to include the Proxmox shim and grub? Any help would be appreciated.

Thank you
 
Ok, I managed to solve it. This documentation was more useful for me (https://pve.proxmox.com/wiki/Host_Bootloader)

Some packages in "proxmox-secure-boot-support" were missing for me, specifically "grub-efi-amd64-signed" and "shim-helpers-amd64-signed". So I decided to download those packages separately and install them on the system again. The system has no internet connection, and I'm not sure why it didn't pull those specific packages when I did a recursive apt download of the proxmox-ve packages (similar to the guide here: https://forum.proxmox.com/threads/preseed-proxmox-without-internet-connection.123888/).

When you install Proxmox on top of Debian, the system will also use the Debian bootloader path /EFI/debian/shimx64.efi rather than the Proxmox-specific path. You would need to unmount the EFI partition first, initialise the EFI system partition for Proxmox, and create a directory; proxmox-boot-tool will then help to create the necessary signed bootloader files.

Here are the commands I used. I hope it can help someone.

Bash:
umount /boot/efi
mkdir -p /boot/efi/EFI/proxmox

#Replace with your device
proxmox-boot-tool init /dev/sda1 grub
proxmox-boot-tool refresh


mount /dev/sda1 /boot/efi
proxmox-boot-tool refresh

#You'll be prompted to do these commands
echo 'grub-efi-amd64 grub2/force_efi_extra_removable boolean true' | debconf-set-selections -v -u
apt install --reinstall grub-efi-amd64

# Check for the Proxmox boot entry; it needs to be first in the boot order
efibootmgr -v
# Ours is 0013
efibootmgr -o 0013
# Last refresh
proxmox-boot-tool refresh
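
Added example, not part of the original post: a small shell check for the two conditions the fix depends on, namely that the signed packages named above are installed and that the Proxmox boot entry is first in the boot order and loads shimx64.efi. The entry label "proxmox", the function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# The two packages the post found missing after the offline install.
REQUIRED_PKGS="grub-efi-amd64-signed shim-helpers-amd64-signed"

# stdin: output of  dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n'
# stdout: each required package that is not fully installed ("ii"), one per line.
missing_signed_pkgs() {
    awk -v req="$REQUIRED_PKGS" '
        $1 == "ii" { have[$2] = 1 }
        END { n = split(req, r, " ")
              for (i = 1; i <= n; i++) if (!(r[i] in have)) print r[i] }'
}

# stdin: output of  efibootmgr -v ; $1: single-word entry label (assumed "proxmox").
# stdout: "missing", "not-first NNNN", "no-shim NNNN" or "ok NNNN".
boot_entry_status() {
    awk -v label="$1" '
        /^BootOrder:/ { split($2, order, ","); first = order[1] }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ {
            if (num == "" && tolower($2) == tolower(label)) {
                num = substr($1, 5, 4)
                shim = (tolower($0) ~ /shimx64\.efi/)
            }
        }
        END {
            if (num == "") print "missing"
            else if (toupper(num) != toupper(first)) print "not-first " num
            else if (!shim) print "no-shim " num
            else print "ok " num
        }'
}

# Constructed sample: Debian entry still first, Proxmox entry present at 0013.
SAMPLE_EFI='BootCurrent: 0000
BootOrder: 0000,0013
Boot0000* debian HD(1,GPT,00000000-0000-0000-0000-000000000001)/File(\EFI\debian\shimx64.efi)
Boot0013* proxmox HD(1,GPT,00000000-0000-0000-0000-000000000001)/File(\EFI\proxmox\shimx64.efi)'
SAMPLE_DPKG='ii  grub-efi-amd64-signed
un  shim-helpers-amd64-signed'

# On a real host, pipe the live command output in instead of the samples.
printf '%s\n' "$SAMPLE_EFI"  | boot_entry_status proxmox
printf '%s\n' "$SAMPLE_DPKG" | missing_signed_pkgs
```
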