EFI system partition
EFI installation
EFI boot management
EFI post-installation
EFI troubleshooting
Linux Mint Installation Guide – EFI SecureBoot
wiki.ubuntu.com SecureBoot
wiki.ubuntu.com DKMS
$ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
UEFI
$ sudo grub-install
Installing for x86_64-efi platform.
Installation finished. No error reported.
$ ls -la /boot/efi
drwx------ 6 root root 4096 Jun 26 10:54 EFI
-rwx------ 1 root root 0 Mär 10 06:48 SYSTEM
drwx------ 2 root root 4096 Mär 10 08:51 System Volume Information
drwx------ 2 root root 4096 Mär 18 12:11 Temp
$ ls -la /boot/efi/EFI
drwx------ 2 root root 4096 Mär 10 06:48 Boot
drwx------ 5 root root 4096 Jun 26 10:54 HP
drwx------ 4 root root 4096 Mär 10 06:48 Microsoft
drwx------ 3 root root 4096 Jul 11 20:24 ubuntu
$ ls -la /boot/efi/EFI/ubuntu
drwx------ 2 root root 4096 Mär 18 13:47 fw
-rwx------ 1 root root 64352 Mär 18 13:47 fwupx64.efi
-rwx------ 1 root root 117 Mär 18 13:48 grub.cfg
-rwx------ 1 root root 120832 Jul 11 21:09 grubx64.efi
-rwx------ 1 root root 1289424 Mär 18 13:48 shimx64.efi
Reinstall Grub2
How to reinstall GRUB2 EFI?
$ dpkg -l | grep grub
ii grub-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files)
rc grub-efi-amd64 2.02~beta2-36ubuntu3.8 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-gfxpayload-lists 0.7 amd64 GRUB gfxpayload blacklist
ii grub-pc 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (PC/BIOS version)
ii grub-pc-bin 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (PC/BIOS binaries)
ii grub2 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (dummy package)
ii grub2-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files for version 2)
$ sudo apt-get install --reinstall grub-efi-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
grub-gfxpayload-lists grub-pc grub2
The following NEW packages will be installed:
grub-efi-amd64
0 upgraded, 1 newly installed, 3 to remove and 15 not upgraded.
Need to get 65.6 kB of archives.
After this operation, 430 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://ch.archive.ubuntu.com/ubuntu xenial-updates/main amd64 grub-efi-amd64 amd64 2.02~beta2-36ubuntu3.11 [65.6 kB]
Fetched 65.6 kB in 0s (563 kB/s)
Preconfiguring packages ...
(Reading database ... 203932 files and directories currently installed.)
Removing grub2 (2.02~beta2-36ubuntu3.11) ...
Removing grub-gfxpayload-lists (0.7) ...
Removing grub-pc (2.02~beta2-36ubuntu3.11) ...
Processing triggers for man-db (2.7.5-1) ...
Selecting previously unselected package grub-efi-amd64.
(Reading database ... 203908 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta2-36ubuntu3.11) ...
Setting up grub-efi-amd64 (2.02~beta2-36ubuntu3.11) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Generating grub configuration file ...
Found Windows Boot Manager on /dev/nvme0n1p1@/EFI/Microsoft/Boot/bootmgfw.efi
Found linux image: /boot/vmlinuz-4.8.0-41-generic
Found initrd image: /boot/initrd.img-4.8.0-41-generic
Found linux image: /boot/vmlinuz-4.8.0-36-generic
Found initrd image: /boot/initrd.img-4.8.0-36-generic
Adding boot menu entry for EFI firmware configuration
done
Processing triggers for shim-signed (1.28~16.04.1+0.9+1474479173.6c180c6-1ubuntu1) ...
find: ‘/var/lib/dkms’: No such file or directory
No DKMS packages installed: not changing Secure Boot validation state.
$ sudo apt-get install linux-signed-generic
$ sudo apt-get install grub-efi-amd64-signed
$ sudo apt-get install shim-signed
$ dpkg -l | grep grub
ii grub-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files)
ii grub-efi-amd64 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.66.11+2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
rc grub-pc 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (PC/BIOS version)
rc grub2 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (dummy package)
ii grub2-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files for version 2)
$ dpkg -l | grep signed
ii fonts-kacst-one 5.0+svn11846-7 all TrueType font designed for Arabic language
ii fwupdate-signed 1.11+0.5-2ubuntu4 amd64 Linux Firmware Updater EFI signed binary
ii grub-efi-amd64-signed 1.66.11+2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
ii linux-signed-generic 4.4.0.83.89 amd64 Complete Signed Generic Linux kernel and headers
ii linux-signed-generic-hwe-16.04 4.8.0.41.12 amd64 Complete Signed Generic Linux kernel and headers
ii linux-signed-image-4.4.0-83-generic 4.4.0-83.106 amd64 Signed kernel image generic
ii linux-signed-image-4.8.0-41-generic 4.8.0-41.44~16.04.1 amd64 Signed kernel image generic
ii linux-signed-image-generic 4.4.0.83.89 amd64 Signed Generic Linux kernel image
ii linux-signed-image-generic-hwe-16.04 4.8.0.41.12 amd64 Signed Generic Linux kernel image
ii shim 0.9+1474479173.6c180c6-1ubuntu1 amd64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.28~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
$ sudo ls -la /boot/efi/EFI/ubuntu
drwx------ 2 root root 4096 Mär 18 13:47 fw
-rwx------ 1 root root 64352 Mär 18 13:47 fwupx64.efi
-rwx------ 1 root root 117 Jul 11 21:28 grub.cfg
-rwx------ 1 root root 1121144 Jul 11 21:28 grubx64.efi
-rwx------ 1 root root 1168464 Jul 11 21:28 mmx64.efi
-rwx------ 1 root root 1169992 Jul 11 21:28 shimx64.efi
Miscellaneous
How does Secure Boot actually work?
Sign GRUB2 bootloader to enable UEFI secure boot
Sakaki’s EFI Install Guide/Configuring Secure Boot
$ sudo efibootmgr
BootCurrent: 0011
Timeout: 0 seconds
BootOrder: 0011,0013,000D,000E,000B,000C,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F
Boot0000 Startup Menu
Boot0001 System Information
Boot0002 Bios Setup
Boot0003 3rd Party Option ROM Management
Boot0004 System Diagnostics
Boot0005 System Diagnostics
Boot0006 System Diagnostics
Boot0007 System Diagnostics
Boot0008 Boot Menu
Boot0009 HP Recovery
Boot000A* IPV4 Network - Intel(R) Ethernet Connection (4) I219-V
Boot000B* THNSN5512GPUK TOSHIBA-27BS1003T52T
Boot000C* Intel Corporation: IBA CL Slot 00FE v0110
Boot000D USB:
Boot000E USB:
Boot000F Network Boot
Boot0010* IPV6 Network - Intel(R) Ethernet Connection (4) I219-V
Boot0011* ubuntu
Boot0012* EFI\Microsoft\Boot\bootmgfw.efi
Boot0013* Windows Boot Manager
$ sudo efibootmgr -v
BootCurrent: 0011
Timeout: 0 seconds
BootOrder: 0011,0013,000D,000E,000B,000C,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F
Boot0000 Startup Menu FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)....ISPH
Boot0001 System Information FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0002 Bios Setup FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0003 3rd Party Option ROM Management FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0004 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0005 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0006 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0007 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0008 Boot Menu FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0009 HP Recovery FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot000A* IPV4 Network - Intel(R) Ethernet Connection (4) I219-V PciRoot(0x0)/Pci(0x1f,0x6)/MAC(40b034e99e48,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)N.....YM....R,Y.....ISPH
Boot000B* THNSN5512GPUK TOSHIBA-27BS1003T52T BBS(HD,THNSN5512GPUK TOSHIBA-27BS1003T52T,0x400)/PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-08-0D-02-00-1D-9C-DA)......ISPH
Boot000C* Intel Corporation: IBA CL Slot 00FE v0110 BBS(Network,Intel Corporation: IBA CL Slot 00FE v0110,0x0)/PciRoot(0x0)/Pci(0x1f,0x6)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)......ISPH
Boot000D USB: PciRoot(0x0)/Pci(0x14,0x0)N.....YM....R,Y.....ISPH
Boot000E USB: BBS(65535,,0x0)/PciRoot(0x0)/Pci(0x14,0x0)......ISPH
Boot000F Network Boot FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0010* IPV6 Network - Intel(R) Ethernet Connection (4) I219-V PciRoot(0x0)/Pci(0x1f,0x6)/MAC(40b034e99e48,0)/IPv6([::]:<->[::]:,0,0)N.....YM....R,Y.....ISPH
Boot0011* ubuntu HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(\EFI\ubuntu\grubx64.efi)
Boot0012* EFI\Microsoft\Boot\bootmgfw.efi PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-08-0D-02-00-1D-9C-DA)/HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(EFI\Microsoft\Boot\bootmgfw.efi) ./.R.e.c.o.v.e.r.y.B.C.D.......ISPH
Boot0013* Windows Boot Manager HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...te...................ISPH
$ hexdump /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
0000000 0006 0000 0000
0000005
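
Added example, not part of the original page: the hexdump above is the efivarfs layout of the SecureBoot variable (4 attribute bytes, then one data byte, here 0, meaning Secure Boot is not enforcing), and Boot0011 in the efibootmgr -v output starts grubx64.efi rather than shimx64.efi. The script decodes both facts; the function names are hypothetical and the sample input is constructed from the values shown on this page.

```sh
#!/bin/sh
# Added example (not from the original page): decode the SecureBoot variable
# and find which loader the current boot entry starts. Names are hypothetical.

# efivarfs layout: 4 bytes of little-endian attributes, then the data.
# SecureBoot data is a single byte: 1 = enforcing, 0 = not enforcing.
secureboot_state() {
    var=$1
    [ -r "$var" ] || { echo unknown; return 2; }
    # od prints each byte as unsigned decimal; set -- splits them into $1..$5
    set -- $(od -An -v -tu1 "$var")
    [ "$#" -eq 5 ] || { echo unknown; return 2; }
    case $5 in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 2 ;;
    esac
}

# Reads `efibootmgr -v` output on stdin and prints the File(...) path of the
# entry named by BootCurrent (empty for firmware entries without File()).
current_loader() {
    awk '
        /^BootCurrent:/ { cur = "Boot" $2 }
        cur != "" && index($0, cur) == 1 && match($0, /File\([^)]*\)/) {
            print substr($0, RSTART + 5, RLENGTH - 6)
        }'
}

# Constructed sample input mirroring the values shown on this page.
sample_var=$(mktemp)
printf '\006\000\000\000\000' > "$sample_var"
sample_boot='BootCurrent: 0011
Boot0011* ubuntu HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(\EFI\ubuntu\grubx64.efi)
Boot0013* Windows Boot Manager HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'

state=$(secureboot_state "$sample_var")
loader=$(printf '%s\n' "$sample_boot" | current_loader)
printf 'Secure Boot: %s, current loader: %s\n' "$state" "$loader"
case $loader in
    *shimx64.efi) ;;
    *) echo "note: current entry does not start shimx64.efi" ;;
esac
rm -f "$sample_var"
```

On a live system, pass the SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c file under /sys/firmware/efi/efivars to secureboot_state and pipe sudo efibootmgr -v into current_loader.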