Installing EFI
EFI Boot Management
EFI Post-Installation
EFI Troubleshooting
Linux Mint Installation Guide – EFI SecureBoot
wiki.ubuntu.com SecureBoot
wiki.ubuntu.com DKMS
$ [ -d /sys/firmware/efi ] && echo UEFI || echo BIOS
UEFI
$ sudo grub-install
Installing for x86_64-efi platform.
Installation finished. No error reported.
$ ls -la /boot/efi
drwx------ 6 root root 4096 Jun 26 10:54 EFI
-rwx------ 1 root root 0 Mär 10 06:48 SYSTEM
drwx------ 2 root root 4096 Mär 10 08:51 System Volume Information
drwx------ 2 root root 4096 Mär 18 12:11 Temp
$ ls -la /boot/efi/EFI
drwx------ 2 root root 4096 Mär 10 06:48 Boot
drwx------ 5 root root 4096 Jun 26 10:54 HP
drwx------ 4 root root 4096 Mär 10 06:48 Microsoft
drwx------ 3 root root 4096 Jul 11 20:24 ubuntu
$ ls -la /boot/efi/EFI/ubuntu
drwx------ 2 root root 4096 Mär 18 13:47 fw
-rwx------ 1 root root 64352 Mär 18 13:47 fwupx64.efi
-rwx------ 1 root root 117 Mär 18 13:48 grub.cfg
-rwx------ 1 root root 120832 Jul 11 21:09 grubx64.efi
-rwx------ 1 root root 1289424 Mär 18 13:48 shimx64.efi
Reinstall Grub2
$ dpkg -l | grep grub
ii grub-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files)
rc grub-efi-amd64 2.02~beta2-36ubuntu3.8 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-gfxpayload-lists 0.7 amd64 GRUB gfxpayload blacklist
ii grub-pc 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (PC/BIOS version)
ii grub-pc-bin 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (PC/BIOS binaries)
ii grub2 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (dummy package)
ii grub2-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files for version 2)
$ sudo apt-get install --reinstall grub-efi-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following package was automatically installed and is no longer required:
  grub-pc-bin
Use 'sudo apt autoremove' to remove it.
The following packages will be REMOVED:
  grub-gfxpayload-lists grub-pc grub2
The following NEW packages will be installed:
  grub-efi-amd64
0 upgraded, 1 newly installed, 3 to remove and 15 not upgraded.
Need to get 65.6 kB of archives.
After this operation, 430 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://ch.archive.ubuntu.com/ubuntu xenial-updates/main amd64 grub-efi-amd64 amd64 2.02~beta2-36ubuntu3.11 [65.6 kB]
Fetched 65.6 kB in 0s (563 kB/s)
Preconfiguring packages ...
(Reading database ... 203932 files and directories currently installed.)
Removing grub2 (2.02~beta2-36ubuntu3.11) ...
Removing grub-gfxpayload-lists (0.7) ...
Removing grub-pc (2.02~beta2-36ubuntu3.11) ...
Processing triggers for man-db (2.7.5-1) ...
Selecting previously unselected package grub-efi-amd64.
(Reading database ... 203908 files and directories currently installed.)
Preparing to unpack .../grub-efi-amd64_2.02~beta2-36ubuntu3.11_amd64.deb ...
Unpacking grub-efi-amd64 (2.02~beta2-36ubuntu3.11) ...
Setting up grub-efi-amd64 (2.02~beta2-36ubuntu3.11) ...
Installing for x86_64-efi platform.
Installation finished. No error reported.
Generating grub configuration file ...
Found Windows Boot Manager on /dev/nvme0n1p1@/EFI/Microsoft/Boot/bootmgfw.efi
Found linux image: /boot/vmlinuz-4.8.0-41-generic
Found initrd image: /boot/initrd.img-4.8.0-41-generic
Found linux image: /boot/vmlinuz-4.8.0-36-generic
Found initrd image: /boot/initrd.img-4.8.0-36-generic
Adding boot menu entry for EFI firmware configuration
done
Processing triggers for shim-signed (1.28~16.04.1+0.9+1474479173.6c180c6-1ubuntu1) ...
find: ‘/var/lib/dkms’: No such file or directory
No DKMS packages installed: not changing Secure Boot validation state.
$ sudo apt-get install linux-signed-generic
$ sudo apt-get install grub-efi-amd64-signed
$ sudo apt-get install shim-signed
$ dpkg -l | grep grub
ii grub-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files)
ii grub-efi-amd64 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version)
ii grub-efi-amd64-bin 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
ii grub-efi-amd64-signed 1.66.11+2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
rc grub-pc 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (PC/BIOS version)
rc grub2 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (dummy package)
ii grub2-common 2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader (common files for version 2)
$ dpkg -l | grep signed
ii fonts-kacst-one 5.0+svn11846-7 all TrueType font designed for Arabic language
ii fwupdate-signed 1.11+0.5-2ubuntu4 amd64 Linux Firmware Updater EFI signed binary
ii grub-efi-amd64-signed 1.66.11+2.02~beta2-36ubuntu3.11 amd64 GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
ii linux-signed-generic 4.4.0.83.89 amd64 Complete Signed Generic Linux kernel and headers
ii linux-signed-generic-hwe-16.04 4.8.0.41.12 amd64 Complete Signed Generic Linux kernel and headers
ii linux-signed-image-4.4.0-83-generic 4.4.0-83.106 amd64 Signed kernel image generic
ii linux-signed-image-4.8.0-41-generic 4.8.0-41.44~16.04.1 amd64 Signed kernel image generic
ii linux-signed-image-generic 4.4.0.83.89 amd64 Signed Generic Linux kernel image
ii linux-signed-image-generic-hwe-16.04 4.8.0.41.12 amd64 Signed Generic Linux kernel image
ii shim 0.9+1474479173.6c180c6-1ubuntu1 amd64 boot loader to chain-load signed boot loaders under Secure Boot
ii shim-signed 1.28~16.04.1+0.9+1474479173.6c180c6-1ubuntu1 amd64 Secure Boot chain-loading bootloader (Microsoft-signed binary)
$ sudo ls -la /boot/efi/EFI/ubuntu
drwx------ 2 root root 4096 Mär 18 13:47 fw
-rwx------ 1 root root 64352 Mär 18 13:47 fwupx64.efi
-rwx------ 1 root root 117 Jul 11 21:28 grub.cfg
-rwx------ 1 root root 1121144 Jul 11 21:28 grubx64.efi
-rwx------ 1 root root 1168464 Jul 11 21:28 mmx64.efi
-rwx------ 1 root root 1169992 Jul 11 21:28 shimx64.efi
Miscellaneous
How does Secure Boot actually work?
Sign GRUB2 bootloader to enable UEFI secure boot
Sakaki’s EFI Install Guide/Configuring Secure Boot
$ sudo efibootmgr
BootCurrent: 0011
Timeout: 0 seconds
BootOrder: 0011,0013,000D,000E,000B,000C,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F
Boot0000 Startup Menu
Boot0001 System Information
Boot0002 Bios Setup
Boot0003 3rd Party Option ROM Management
Boot0004 System Diagnostics
Boot0005 System Diagnostics
Boot0006 System Diagnostics
Boot0007 System Diagnostics
Boot0008 Boot Menu
Boot0009 HP Recovery
Boot000A* IPV4 Network - Intel(R) Ethernet Connection (4) I219-V
Boot000B* THNSN5512GPUK TOSHIBA-27BS1003T52T
Boot000C* Intel Corporation: IBA CL Slot 00FE v0110
Boot000D USB:
Boot000E USB:
Boot000F Network Boot
Boot0010* IPV6 Network - Intel(R) Ethernet Connection (4) I219-V
Boot0011* ubuntu
Boot0012* EFI\Microsoft\Boot\bootmgfw.efi
Boot0013* Windows Boot Manager
$ sudo efibootmgr -v
BootCurrent: 0011
Timeout: 0 seconds
BootOrder: 0011,0013,000D,000E,000B,000C,0000,0001,0002,0003,0004,0005,0006,0007,0008,0009,000F
Boot0000 Startup Menu FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)....ISPH
Boot0001 System Information FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0002 Bios Setup FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0003 3rd Party Option ROM Management FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0004 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0005 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0006 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0007 System Diagnostics FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0008 Boot Menu FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0009 HP Recovery FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot000A* IPV4 Network - Intel(R) Ethernet Connection (4) I219-V PciRoot(0x0)/Pci(0x1f,0x6)/MAC(40b034e99e48,0)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)N.....YM....R,Y.....ISPH
Boot000B* THNSN5512GPUK TOSHIBA-27BS1003T52T BBS(HD,THNSN5512GPUK TOSHIBA-27BS1003T52T,0x400)/PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-08-0D-02-00-1D-9C-DA)......ISPH
Boot000C* Intel Corporation: IBA CL Slot 00FE v0110 BBS(Network,Intel Corporation: IBA CL Slot 00FE v0110,0x0)/PciRoot(0x0)/Pci(0x1f,0x6)/IPv4(0.0.0.0:0<->0.0.0.0:0,0,0)......ISPH
Boot000D USB: PciRoot(0x0)/Pci(0x14,0x0)N.....YM....R,Y.....ISPH
Boot000E USB: BBS(65535,,0x0)/PciRoot(0x0)/Pci(0x14,0x0)......ISPH
Boot000F Network Boot FvVol(a881d567-6cb0-4eee-8435-2e72d33e45b5)/FvFile(9d8243e8-8381-453d-aceb-c350ee7757ca)......ISPH
Boot0010* IPV6 Network - Intel(R) Ethernet Connection (4) I219-V PciRoot(0x0)/Pci(0x1f,0x6)/MAC(40b034e99e48,0)/IPv6([::]:<->[::]:,0,0)N.....YM....R,Y.....ISPH
Boot0011* ubuntu HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(\EFI\ubuntu\grubx64.efi)
Boot0012* EFI\Microsoft\Boot\bootmgfw.efi PciRoot(0x0)/Pci(0x1d,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-08-0D-02-00-1D-9C-DA)/HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(EFI\Microsoft\Boot\bootmgfw.efi) ./.R.e.c.o.v.e.r.y.B.C.D.......ISPH
Boot0013* Windows Boot Manager HD(1,GPT,7f3b4501-d7e9-450e-b82a-5104c336081c,0x800,0xb4000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)WINDOWS.........x...B.C.D.O.B.J.E.C.T.=.{.9.d.e.a.8.6.2.c.-.5.c.d.d.-.4.e.7.0.-.a.c.c.1.-.f.3.2.b.3.4.4.d.4.7.9.5.}...te...................ISPH
$ hexdump /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
0000000 0006 0000 0000
0000005
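
The five bytes in the hexdump above can be decoded as follows. This is an added example, not part of the original page: an efivarfs file starts with a 4-byte little-endian attribute mask followed by the variable data, which for SecureBoot is a single byte (1 = enabled, 0 = disabled). The function names are hypothetical and the sample file is constructed to match the dump.

```shell
#!/bin/sh
# Added example: decode an efivarfs file such as
# /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.
# Layout: 4-byte little-endian attribute mask, then the variable data.

# Print the attribute mask as hex (0x2 = boot-service, 0x4 = runtime access).
efivar_attrs() {
    # od emits the four bytes in file order; reverse them for little-endian.
    set -- $(od -An -tx1 -N4 "$1")
    [ $# -eq 4 ] || return 1
    printf '0x%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# Print the first data byte (file offset 4) as a decimal number.
efivar_value() {
    v=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Map the SecureBoot data byte to a state; unreadable input is "unknown".
secureboot_state() {
    state=$(efivar_value "$1" 2>/dev/null) || state=
    case "$state" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: the same five bytes as the hexdump on this page.
sample=$(mktemp)
printf '\006\000\000\000\000' > "$sample"
echo "attrs=$(efivar_attrs "$sample") state=$(secureboot_state "$sample")"
rm -f "$sample"
```

The dump on this page decodes to attributes 0x00000006 and a data byte of 0, meaning Secure Boot was disabled in the firmware when the dump was taken.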