[SOLVED] Switching Existing GRUB EFI to secure boot?

scyto
Aug 8, 2023
I have an 8.0 install, originally installed with Secure Boot disabled in the BIOS; it has been upgraded to the latest 8.1.

I am not running ZFS, so I am using a GRUB UEFI bootloader.

I am trying to understand the conversion instructions here: Host System Administration (proxmox.com)

It says:

An existing UEFI installation can be switched over to Secure Boot if desired, without having to reinstall Proxmox VE from scratch.


First, ensure all your system is up-to-date. Next, install all the required pre-signed packages as listed above. GRUB automatically creates the needed EFI boot entry for booting via the default shim.

I did that and installed the packages listed; however, when I run efibootmgr -v I get:

Code:
root@pve1:~# efibootmgr -v
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001,0003,0007,0005,0009
Boot0000* proxmox       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\proxmox\grubx64.efi)
Boot0001* UEFI OS       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
Boot0003* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/MAC(48210b589c45,1)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0005  UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/MAC(48210b589c45,1)/IPv6([::]:<->[::]:,0,0)..BO
Boot0007* UEFI: PXE IPv4 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x2)/Pci(0x0,0x0)/MAC(48210b57dfd7,1)/IPv4(0.0.0.00.0.0.0,0,0)..BO
Boot0009  UEFI: PXE IPv6 Intel(R) Ethernet Controller I226-V    PciRoot(0x0)/Pci(0x1d,0x2)/Pci(0x0,0x0)/MAC(48210b57dfd7,1)/IPv6([::]:<->[::]:,0,0)..BO

  1. This has not automatically created the needed EFI\proxmox\shimx64.efi boot entry; it still has the current unshimmed boot entry...
  2. The /EFI/proxmox/ location is missing the shimx64.efi file and only has grubx64.efi.
  3. I see in the systemd section it says to do proxmox-boot-tool init /dev/sda2 grub; however, I am concerned what that will do to my existing boot entry, especially as sda2 has already been formatted for EFI, plus I am already on GRUB, not running ZFS and not using systemd, so I believe I should NOT run that command.

Code:
root@pve1:~# lsblk -o +FSTYPE
NAME                                           MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS FSTYPE
sda                                              8:0    0 931.5G  0 disk    
├─sda1                                           8:1    0  1007K  0 part    
├─sda2                                           8:2    0     1G  0 part /boot/efi   vfat
└─sda3                                           8:3    0 930.5G  0 part             LVM2_member
  ├─pve-swap                                   252:0    0     8G  0 lvm  [SWAP]      swap
  ├─pve-root                                   252:1    0    96G  0 lvm  /           ext4

I now realize this is normal on a system without ZFS, at least I think that's the case....
Also, given this, I am a little unsure the system is in a good place for me to be trying this?
Code:
root@pve1:~# proxmox-boot-tool status
Re-executing '/usr/sbin/proxmox-boot-tool' in new private mount namespace..
E: /etc/kernel/proxmox-boot-uuids does not exist.

I am unclear what I should do next; it 'feels' like there is an instruction missing in the docs.... Any ideas?
Is the answer that I should be running something like this manually?

No it isn't, see fix at end of thread.


efibootmgr --unicode --disk /dev/sda --part 2 --create --label proxmox --loader /EFI/proxmox/shimx64.efi


And if I do, will efibootmgr copy the signed shimx64.efi to that location for me?

Or do I need to do something like the following first?

cp /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/proxmox/shimx64.efi
cp /usr/lib/shim-signed/mmx64.efi.signed /boot/efi/EFI/BOOT/mmx64.efi (I am unclear if this goes in the proxmox dir or elsewhere?)
As a reference, I also note this in the Secure Boot article; this is just not true, installing these packages does not create the shim entry at all.
I guess someone did caveat the statement with *should* lol :-)

Required packages

Install the signed packages from Proxmox, which should be trusted by default by your vendor’s UEFI implementation:

apt install shim-signed grub-efi-amd64-signed mokutil
This should add a boot entry for booting using shim:
Ahh, I think I have a fix:

apt --reinstall install shim-signed grub-efi-amd64-signed mokutil

Testing now.
I think I call that a success; yes, the forced re-install is what is important. I suspect there is a sequencing issue with package install, not sure.

Code:
root@pve1:~# bootctl

systemd-boot not installed in ESP.
System:
      Firmware: n/a (n/a)
      Firmware Arch: x64
      Secure Boot: enabled (deployed)
      TPM2 Support: yes
      Boot into FW: supported

Current Boot Loader:  
     Product: n/a
     Features:
               ✗ Boot counting
               ✗ Menu timeout control
               ✗ One-shot menu timeout control
               ✗ Default entry control
               ✗ One-shot entry control
               ✗ Support for XBOOTLDR partition
               ✗ Support for passing random seed to OS
               ✗ Load drop-in drivers
               ✗ Support Type #1 sort-key field
               ✗ Support @saved pseudo-entry
               ✗ Support Type #1 devicetree field
               ✗ Boot loader sets ESP information
          ESP: n/a
         File: └─n/a

Random Seed:
 Passed to OS: no
 System Token: not set
       Exists: no

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331)
         File: └─/EFI/BOOT/BOOTx64.EFI

Boot Loaders Listed in EFI Variables:
        Title: proxmox
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331
         File: └─/EFI/proxmox/shimx64.efi

        Title: UEFI OS
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331
         File: └─/EFI/BOOT/BOOTX64.EFI

Boot Loader Entries:
        $BOOT: /boot/efi (/dev/disk/by-partuuid/de159af4-f1a7-4b0d-a39d-000986476331)

0 entries, no entry could be determined as default.
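As an added example, not code from this thread or from Proxmox: a small POSIX shell script that performs the check the thread is really about, namely whether the entry the firmware booted chain-loads through shimx64.efi or jumps straight to grubx64.efi, whether the signed shim is actually present on the ESP, and what the firmware's SecureBoot variable says. The efibootmgr samples below are constructed from the outputs quoted above (before and after the forced reinstall); the ESP mount point /boot/efi and the efivarfs path are assumptions that match the layout shown in the lsblk output.

```shell
#!/bin/sh
# Added example (not from the forum thread): verify whether a GRUB/UEFI
# Proxmox host actually boots through shim, which Secure Boot requires.
# The helpers take their input as arguments so they can be run against
# constructed samples; ESP path and efivars directory are assumptions.

# Constructed sample of `efibootmgr -v` before the package reinstall
# (Boot0000 points straight at grubx64.efi, as in the first post).
SAMPLE_BEFORE='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* proxmox       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\proxmox\grubx64.efi)
Boot0001* UEFI OS       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO'

# Constructed sample after `apt --reinstall install shim-signed ...`
# (Boot0000 now points at shimx64.efi, matching the bootctl listing).
SAMPLE_AFTER='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* proxmox       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0001* UEFI OS       HD(2,GPT,de159af4-f1a7-4b0d-a39d-000986476331,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO'

# Print the EFI loader path of the entry the firmware booted this time.
# $1 = text of `efibootmgr -v`
current_loader() {
    cur=$(printf '%s\n' "$1" | sed -n 's/^BootCurrent: *\([0-9A-Fa-f]*\).*/\1/p')
    [ -n "$cur" ] || return 0
    printf '%s\n' "$1" | sed -n "s/^Boot${cur}[* ].*File(\([^)]*\)).*/\1/p"
}

# Succeed (exit 0) only if the current entry chain-loads via shim.
boots_via_shim() {
    case "$(current_loader "$1")" in
        *shimx64.efi|*shimx64.EFI|*SHIMX64.EFI) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the signed shim is actually on the ESP.  $1 = ESP mount point
esp_has_shim() {
    [ -f "$1/EFI/proxmox/shimx64.efi" ]
}

# Report Secure Boot state from the firmware variable (efivarfs layout:
# 4 attribute bytes followed by the 1-byte value).  $1 = efivars directory
secure_boot_state() {
    f="${1:-/sys/firmware/efi/efivars}/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
    [ -r "$f" ] || { echo unknown; return 0; }
    v=$(tail -c 1 "$f" | od -An -tu1 | tr -d ' ')
    [ "$v" = 1 ] && echo enabled || echo disabled
}

# Human-readable summary.  $1 = efibootmgr text, $2 = ESP path, $3 = efivars dir
report() {
    printf 'Secure Boot:      %s\n' "$(secure_boot_state "$3")"
    printf 'Current loader:   %s\n' "$(current_loader "$1")"
    if boots_via_shim "$1"; then
        echo 'Boot path:        shim -> grubx64.efi (Secure Boot capable)'
    else
        echo 'Boot path:        grubx64.efi directly (not via shim)'
    fi
    if esp_has_shim "$2"; then
        echo 'ESP shimx64.efi:  present'
    else
        echo 'ESP shimx64.efi:  missing'
    fi
}

echo '--- constructed sample, before reinstall ---'
report "$SAMPLE_BEFORE" "${ESP:-/boot/efi}" ""
echo '--- constructed sample, after reinstall ---'
report "$SAMPLE_AFTER" "${ESP:-/boot/efi}" ""
```

On a live host, feed it the real data with `report "$(efibootmgr -v)" /boot/efi ""`: the first sample reproduces the state from the opening post (loader is grubx64.efi and the ESP has no shim), the second reproduces the state the bootctl listing shows after the reinstall. Run it before flipping Secure Boot on in the firmware; if the boot path is not via shim or the ESP file is missing, enabling enforcement will leave the host unable to boot its current entry.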