shim-signed update - should new shim be copied to ESP automatically?

Mateo_123

May 25, 2026
After upgrading shim-signed (1.48+pmx1) on a bare metal PVE host (9.1 -> 9.2) I noticed that /boot/efi/EFI/debian/shimx64.efi was not updated automatically.

The new shim signed with both Microsoft UEFI CA 2011 and 2023 was available at /usr/lib/shim/shimx64.efi.signed but never made it to the ESP on its own.

I ended up copying it manually:
cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/debian/shimx64.efi

What is the correct way for the shim to be updated on the ESP after a package upgrade?
 
You’re correct—on Proxmox VE (Debian-based systems), updating the shim-signed package does not automatically copy the new shimx64.efi to the ESP.


From what I’ve observed, the package only installs the updated binary under /usr/lib/shim/, but it doesn’t trigger a post-install hook to sync it with /boot/efi. This behavior is consistent with Debian, where ESP updates are usually handled by tools like grub-install or proxmox-boot-tool (depending on your boot setup).


If you're using systemd-boot with proxmox-boot-tool, running:

Code:
proxmox-boot-tool refresh

might help ensure the ESP is updated properly.


For GRUB-based setups, a safer approach than manual copying could be:

Code:
grub-install
update-grub


That said, your manual copy works, but it would be good to confirm whether future updates might overwrite it or if a hook should handle this automatically.


Would be great if someone from the Proxmox team could clarify whether this is expected behavior or something that should be improved.
 
> You’re correct—on Proxmox VE (Debian-based systems), updating the shim-signed package does not automatically copy the new shimx64.efi to the ESP.

that is not true. installing a shim upgrade will trigger grub reinstallation on the ESP which will in turn install the updated copy of the shim binary:

Code:
$ apt install --reinstall shim-signed
[..]
Preparing to unpack .../shim-signed_1.48+pmx1+16.1-1+pmx1_amd64.deb ...
Unpacking shim-signed:amd64 (1.48+pmx1+16.1-1+pmx1) over (1.48+pmx1+16.1-1+pmx1) ...
Setting up shim-signed:amd64 (1.48+pmx1+16.1-1+pmx1) ...
Installing for x86_64-efi platform.
File descriptor 3 (pipe:[45098029]) leaked on vgs invocation. Parent PID 4033710: grub-install.real
File descriptor 3 (pipe:[45098029]) leaked on vgs invocation. Parent PID 4033710: grub-install.real
Installation finished. No error reported.
No DKMS packages installed: not changing Secure Boot validation state.
Processing triggers for proxmox-kernel-helper (9.0.4) ...
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..

the "Installing for x86_64-efi platform" line is grub-install being invoked.

note that "/boot/efi/EFI/debian/shimx64.efi" is not where PVE installs its bootloader, that would be "/boot/efi/EFI/proxmox/shimx64.efi"

how did you install this system?
 
This system was originally installed as Debian and Proxmox VE was installed on top of it. That's why the ESP has /boot/efi/EFI/debian/

Also worth mentioning - all boot-related packages on this host are Proxmox
 
that copy of the bootloaders will not be updated by anything then, you should remove it ;)
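
A way to spot the situation this thread ends on, as an added example that is not part of any post: it compares every `EFI/*/shimx64.efi` on the ESP with the packaged signed shim and flags copies that differ. The function names and the sample tree are constructed for this example; the real paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Compare each vendor copy of shimx64.efi on the ESP with the packaged shim.
# Usage: check_shims <packaged shim> <ESP EFI directory>
# Prints "current <path>" or "stale <path>"; returns 1 if any copy is stale.
check_shims() {
    packaged=$1
    efi_dir=$2
    rc=0
    [ -r "$packaged" ] || { echo "cannot read $packaged" >&2; return 2; }
    for copy in "$efi_dir"/*/shimx64.efi; do
        [ -f "$copy" ] || continue        # unmatched glob or not a regular file
        if cmp -s "$packaged" "$copy"; then
            echo "current $copy"
        else
            echo "stale $copy"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample tree mirroring the thread: EFI/proxmox was refreshed by
# the package upgrade, EFI/debian is a leftover from the original install.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/lib/shim" "$tmp/esp/EFI/proxmox" "$tmp/esp/EFI/debian"
    printf 'new shim (constructed bytes)' > "$tmp/usr/lib/shim/shimx64.efi.signed"
    cp "$tmp/usr/lib/shim/shimx64.efi.signed" "$tmp/esp/EFI/proxmox/shimx64.efi"
    printf 'old shim (constructed bytes)' > "$tmp/esp/EFI/debian/shimx64.efi"
    check_shims "$tmp/usr/lib/shim/shimx64.efi.signed" "$tmp/esp/EFI" | sed "s|$tmp||"
    rm -rf "$tmp"
}

# On a real host use the paths from the thread; otherwise run the sample.
if [ -r /usr/lib/shim/shimx64.efi.signed ] && [ -d /boot/efi/EFI ]; then
    check_shims /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI ||
        echo "stale shim copies found on the ESP" >&2
else
    demo
fi
```

A "stale" line only means the bytes differ from the packaged file; whether that copy is the one the firmware boots still has to be checked against the boot entries.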