From 997d9d36ff7e7cd0db5ba87039e21bb7b3bd04c5 Mon Sep 17 00:00:00 2001 From: Dorian Date: Wed, 25 Mar 2026 20:47:14 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20remove=20Secure=20Boot=20shim=20chain=20?= =?UTF-8?q?=E2=80=94=20causes=20EFI=20boot=20failure=20on=20most=20hardwar?= =?UTF-8?q?e?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The shim (shimx64.efi.signed) was being installed as BOOTX64.EFI but it tries to load a second-stage binary with a garbled name, causing "Failed to open \EFI\BOOT\" errors on machines with Secure Boot disabled. Fix: use grub-install --removable directly (unsigned GRUB as BOOTX64.EFI). This works on all UEFI hardware. Users with Secure Boot must disable it. Co-Authored-By: Claude Opus 4.6 (1M context)
---
image-recipe/build-auto-installer-iso.sh | 63 +++++------------------- 1 file changed, 13 insertions(+), 50 deletions(-)
diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index 11560c1f..c1a08498 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -1464,59 +1464,22 @@
 else
 fi
 fi
-# Secure Boot chain: set up shim+signed-grub alongside unsigned GRUB for maximum compatibility
-# Boot chain: BOOTX64.EFI (shim) → grubx64.efi (signed GRUB) → grub.cfg → kernel
-# Non-Secure-Boot: falls through shim to grubx64.efi which finds grub.cfg
-echo " Setting up Secure Boot chain..."
-if [ "$ARCH" = "x86_64" ]; then
- SHIM_SRC="/mnt/target/usr/lib/shim/shimx64.efi.signed"
- GRUB_SIGNED_SRC="/mnt/target/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed"
- EFI_BOOT_BINARY="BOOTX64.EFI"
- GRUB_EFI_BINARY="grubx64.efi"
- SHIM_EFI_BINARY="shimx64.efi"
-else
- SHIM_SRC="/mnt/target/usr/lib/shim/shimaa64.efi.signed"
- GRUB_SIGNED_SRC="/mnt/target/usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed"
- EFI_BOOT_BINARY="BOOTAA64.EFI"
- GRUB_EFI_BINARY="grubaa64.efi"
- SHIM_EFI_BINARY="shimaa64.efi"
-fi
+# EFI boot: grub-install --removable already placed unsigned GRUB at /EFI/BOOT/BOOTX64.EFI
+# This works on all machines without Secure Boot. For Secure Boot, users must disable it.
+# The shim chain was causing "Failed to open \EFI\BOOT\" errors with garbled filenames
+# on machines where Secure Boot is disabled — the shim tries to verify signatures and fails.
+echo " Verifying EFI boot files..."
EFI_BOOT_DIR="/mnt/target/boot/efi/EFI/BOOT"
-EFI_ARCHY_DIR="/mnt/target/boot/efi/EFI/archipelago"
-if [ -f "$SHIM_SRC" ] && [ -f "$GRUB_SIGNED_SRC" ]; then
- # Fallback path (/EFI/BOOT/) — what UEFI firmware checks when no boot entry exists
- mkdir -p "$EFI_BOOT_DIR"
- # Save the unsigned GRUB that grub-install created (works without Secure Boot)
- if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
- cp "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" "$EFI_BOOT_DIR/grub_unsigned.efi"
- fi
- # Shim becomes the primary boot binary
- cp "$SHIM_SRC" "$EFI_BOOT_DIR/$EFI_BOOT_BINARY"
- # Signed GRUB must be next to shim (shim loads it by name)
- cp "$GRUB_SIGNED_SRC" "$EFI_BOOT_DIR/$GRUB_EFI_BINARY"
- # GRUB needs to find its config — create a minimal grub.cfg that chains to the real one
- cat > "$EFI_BOOT_DIR/grub.cfg" <<'GRUBCFG'
-search.fs_uuid ${GRUB_ROOT_UUID} root
-set prefix=($root)'/boot/grub'
-configfile $prefix/grub.cfg
-GRUBCFG
- # Replace placeholder with actual root UUID
- ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")
- sed -i "s/\${GRUB_ROOT_UUID}/$ROOT_UUID/" "$EFI_BOOT_DIR/grub.cfg"
-
- # Named entry path (/EFI/archipelago/) — for efibootmgr-registered entries
- mkdir -p "$EFI_ARCHY_DIR"
- cp "$SHIM_SRC" "$EFI_ARCHY_DIR/$SHIM_EFI_BINARY"
- cp "$GRUB_SIGNED_SRC" "$EFI_ARCHY_DIR/$GRUB_EFI_BINARY"
- cp "$EFI_BOOT_DIR/grub.cfg" "$EFI_ARCHY_DIR/grub.cfg"
-
- echo " ✅ Secure Boot chain installed (shim + signed GRUB + grub.cfg)"
- echo " EFI contents:"
+if [ "$ARCH" = "x86_64" ]; then
+ EFI_BOOT_BINARY="BOOTX64.EFI"
+else
+ EFI_BOOT_BINARY="BOOTAA64.EFI"
+fi
+if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
+ echo " ✅ UEFI boot binary present: $EFI_BOOT_DIR/$EFI_BOOT_BINARY"
 ls -la "$EFI_BOOT_DIR/"
 else
- echo " ⚠️ Signed shim/GRUB not found — Secure Boot machines must disable Secure Boot"
- [ ! -f "$SHIM_SRC" ] && echo " Missing: $(basename $SHIM_SRC)"
- [ ! 
-f "$GRUB_SIGNED_SRC" ] && echo " Missing: $(basename $GRUB_SIGNED_SRC)" + echo " ❌ Missing $EFI_BOOT_DIR/$EFI_BOOT_BINARY — boot will fail!" fi # Legacy BIOS boot: only install if the installer booted in Legacy BIOS mode