[SOLVED] Switching Existing GRUB EFI to secure boot?

scyto

Active Member
Aug 8, 2023
397
70
28
I have an 8.0 install originally installed with secure boot disabled in the BIOS, it has been upgraded to latest 8.1.

I am not running ZFS so i am using a grub UEFI bootloader

I am trying to understand the conversion instructions here Host System Administration (proxmox.com)

It says:

An existing UEFI installation can be switched over to Secure Boot if desired, without having to reinstall Proxmox VE from scratch.


First, ensure all your system is up-to-date. Next, install all the required pre-signed packages as listed above. GRUB automatically creates the needed EFI boot entry for booting via the default shim.

I did that, installed the packages listed however when i do efibootmgr -v i get :

Code:
root@pve1:~# efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0003,0007,0005,0009
Boot0000* proxmox       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\proxmox\grubx64.efi)
Boot0001* UEFI OS       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0003* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/MAC(48210b589c45,1)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0005  UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/MAC(48210b589c45,1)/IPv6([::]:<->[::]:,0,0)..BO
Boot0007* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x2)/Pci(0x0,0x0)/MAC(48210b57dfd7,1)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0009  UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x2)/Pci(0x0,0x0)/MAC(48210b57dfd7,1)/IPv6([::]:<->[::]:,0,0)..BO
.

  1. This has not automatically created the needed EFI\proxmox\shimx64.efi boot entry as it has the current unshimed boot entry...
  2. the /EFI/proxmox/ location is missing the shimx64.efi file and only has grubx64.efi
  3. I see in the systemd section it says to do proxmox-boot-tool init /dev/sda2 grub however i am concerned what that will do to my exisitng boot entry - especially as sda2 has already been formatted for efi, plus i am already on grub, and not running ZFS and not using systemd - so believe i should NOT run that commabnd

Code:
root@pve1:~# lsblk -o +FSTYPE
NAME                                           MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS FSTYPE
sda                                              8:0    0 931.5G  0 disk    
├─sda1                                           8:1    0  1007K  0 part    
├─sda2                                           8:2    0     1G  0 part /boot/efi   vfat
└─sda3                                           8:3    0 930.5G  0 part             LVM2_member
  ├─pve-swap                                   252:0    0     8G  0 lvm  [SWAP]      swap
  ├─pve-root                                   252:1    0    96G  0 lvm  /           ext4

i now realize this is normal on a system without ZFS - at least i think thats the case....
also given this i am little unsure the system is in a good place for me to be trying this?
Code:
root@pve1:~# proxmox-boot-tool status
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
E: /etc/kernel/proxmox-boot-uuids does not exist.

I am unclear what i should do next, it 'feels' like there is an instruction missing in the docs.... - any ideas?
 
Last edited:
  • Like
Reactions: rtorres
is the answer i should be running something like this manually?

no it isn't, see fix at end of thread


efibootmgr --unicode --disk /dev/sda --part 2 --create --label proxmox --loader /EFI/proxmox/shimx64.efi


and if i do, will efibootmgr copy the signed shimx64.efi to that location for me?

or do i need to do something like the following first?

cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/proxmox/shimx64.efi
cp /usr/lib/shim-signed/mmx64.efi.signed /boot/efi/EFI/BOOT/mmx64.efi (i am unclear if this goes in the proxmox dir or elsewhere?)
 
Last edited:
as a reference i also note this in the secure boot article, this is just not true, installing these packages does not create the shim etry at all
i guess someone did caveat the statement with *should* lol :-)

Required packages​

Install the signed packages from Proxmox, which should be trusted by default by your vendor’s UEFI implementation:

apt install shim-signed grub-efi-amd64-signed mokutil
This should add a boot entry for booting using shim:
 
Last edited:
  • Like
Reactions: rtorres
ahh i think i have a fix

apt --reinstall install shim-signed grub-efi-amd64-signed mokutil

testing now
 
  • Like
Reactions: rtorres
I think i call that a success, yes the forced re-install is what is important, i suspect there is a sequencing issue with package install - not sure

Code:
root@pve1:~# bootctl

systemd-boot not installed in ESP.
System:
      Firmware: n/a (n/a)
      Firmware Arch: x64
      Secure Boot: enabled (deployed)
      TPM2 Support: yes
      Boot into FW: supported

Current Boot Loader:  
     Product: n/a
     Features:
               ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Support Type #1 sort-key field
               ✗ Support @saved pseudo-entry
               ✗ Support Type #1 devicetree field
               ✗ Boot loader sets ESP information
          ESP: n/a
         File: └─n/a

Random Seed:
 Passed to OS: no
 System Token: not set
       Exists: no

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331)
         File: └─/EFI/BOOT/BOOTx64.EFI

Boot Loaders Listed in EFI Variables:
        Title: proxmox
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331
         File: └─/EFI/proxmox/shimx64.efi

        Title: UEFI OS
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331
         File: └─/EFI/BOOT/BOOTX64.EFI

Boot Loader Entries:
        $BOOT: /boot/efi (/dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331)

0 entries, no entry could be determined as default.
 
Last edited:
  • Like
Reactions: rtorres

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!