Re: x86_64: grub-install for secure boot

[Zvi Vered]

Hi Andrei, All,

You wrote: "Most likely the system was booted in legacy BIOS mode"
I booted knoppix with: secure boot=disable
Under this knoppix I ran: grub-install.

Should I boot the PC with secure boot=enable and then run grub-install ?

Thank you,
Zvika

On Fri, Jul 28, 2023 at 8:42 PM Andrei Borzenkov <arvidjaar@gmail.com> wrote:
>
> On 28.07.2023 20:26, Pascal Hambourg wrote:
> > On 28/07/2023 at 17:58, Andrei Borzenkov wrote:
> >> On 28.07.2023 18:52, Zvi Vered wrote:
> >>>
> >>> In the PC boot menu, it's marked "debian".
> >>
> >> What makes you think "debian" refers to whatever you installed?
> >
> > Due to the failure of grub-install to update EFI boot variables (see
> > below), I suspect that "debian" still points to grubx64.efi (signed by
> > Debian, not trusted by default) instead of shimx64.efi (signed by
> > Microsoft, trusted by default).
> >
> >> Show full output of
> >>
> >> efibootmgr -v
> >
> > I am afraid efibootmgr won't show anything if EFI variables are not
> > available.
> >
>
> Sorry, you are right of course.
>
> >>>>> grub-install: info: copying `/usr/lib/shim/shimx64.efi.signed' ->
> >>>>> `/media/sdb1/EFI/debian/shimx64.efi'.
> >
> > Good, this time grub-install installed the shim files for secure boot.
> >
> >>>>> grub-install: info: Registering with EFI: distributor = `debian', path
> >>>>> = `\EFI\debian\shimx64.efi', ESP at hostdisk//dev/sdb,msdos1.
> >>>>> grub-install: info: executing modprobe efivars 2>/dev/null.
> >>>>> grub-install: warning: EFI variables are not supported on this system..
> >
> > As explained above, grub-install failed to update EFI boot variables.
> > Is efivarfs mounted on /sys/firmware/efi/efivars ?
> >
>
> Most likely system was booted in legacy BIOS mode.
>
> >>>>> In the attached file I noticed info messages like:
> >>>>> grub-install: info: cannot open
> >>>>> `/usr/share/locale/be/LC_MESSAGES/grub.mo': No such file or directory.
> >
> > Irrelevant.
> >
>
>