Help! secure boot is preventing boot of debian, after opensuse update
I have a PC with two operating systems installed, Debian, and Opensuse. Both are installed with Secure Boot. Each has its own grub installation. Normally I boot debian, and if I want to boot opensuse I select UEFI settings from the main menu and select opensuse from there which launches the opensuse grub. Today I booted opensuse, and did an update which included an update to grub. Now I cannot boot debian as it says bad shim or bad signature.

Each grub menu has the alternate O.S. on it, but booting debian from the opensuse grub menu did not work either.

Should I disable secure boot temporarily? will that allow booting?
On Saturday 1 June 2024 21:02:59 CEST, Richmond via openSUSE Users wrote:
> Should I disable secure boot temporarily? will that allow booting?
It should. Why not just give it a try?
--
Gertjan Lettink a.k.a. Knurpht
openSUSE Forums Team
openSUSE Mods Team
Knurpht-openSUSE wrote:
>> Should I disable secure boot temporarily? will that allow booting?
> It should. Why not just give it a try?
I was afraid. But I have done it now and it worked thanks. Why did this happen? I have re-installed grub from debian, but I guess the next time opensuse upgrades grub it could happen again.
On 01.06.2024 23:04, Richmond via openSUSE Users wrote:
> I was afraid. But I have done it now and it worked thanks. Why did this happen?
You provided zero information. Show the exact error message and describe what you did and when this message is output. Make a photo of this message to avoid any manual typos.
> I have re-installed grub from debian, but I guess the next time opensuse upgrades grub it could happen again.
On Sun, Jun 02, 2024 at 06:42:29AM +0300, Andrei Borzenkov wrote:
On 01.06.2024 23:04, Richmond via openSUSE Users wrote:
>> I was afraid. But I have done it now and it worked thanks. Why did this happen?
> You provided zero information. Show the exact error message and describe what you did and when this message is output. Make a photo of this message to avoid any manual typos.
>> I have re-installed grub from debian, but I guess the next time opensuse upgrades grub it could happen again.
The usual case would be for openSUSE Leap 15.x that we released a shim 15.8 update.
This blocks all older shims (<15.8) even that from other vendors from the secure boot chain.
You need to update to the Debian shim 5.18 to make it boot again.
Ciao, Marcus
On 02.06.2024 13:22, Marcus Meissner wrote:
> The usual case would be for openSUSE Leap 15.x that we released a shim 15.8 update.
> This blocks all older shims (<15.8) even that from other vendors from the secure boot chain.
Sure, but how "reinstalling grub" fixes it?
> You need to update to the Debian shim 5.18 to make it boot again.
> Ciao, Marcus
On 2024-06-02 12:22, Marcus Meissner wrote:
> The usual case would be for openSUSE Leap 15.x that we released a shim 15.8 update.
> This blocks all older shims (<15.8) even that from other vendors from the secure boot chain.
> You need to update to the Debian shim 5.18 to make it boot again.
I don't understand how this works.

(1) UEFI boot menu--\
     |               \
     |                \
   debian (2)          \opensuse (3)
   grub                 grub
   menu----\            menu------\
     |      \             \        \
   debian   oS boot     oS boot    debian
   boot     (5)         (6)        boot
   (4)                             (7)

I understand the shim of (3) was updated, which would affect 6 and 7 booting. But (1) is intact, so (2) should keep working, no?
--
Cheers / Saludos,
Carlos E. R.
(from 15.5 x86_64 at Telcontar)
On 02.06.2024 15:58, Carlos E. R. wrote:
> I don't understand how this works.
>
> (1) UEFI boot menu--\
>      |               \
>      |                \
>    debian (2)          \opensuse (3)
>    grub                 grub
>    menu----\            menu------\
At least one step is missing
>      |      \             \        \
>    debian   oS boot     oS boot    debian
>    boot     (5)         (6)        boot
>    (4)                             (7)
>
> I understand the shim of (3) was updated, which would affect 6 and 7 booting. But (1) is intact, so (2) should keep working, no?
https://en.opensuse.org/openSUSE:UEFI#Reset_SBAT_string_for_booting_to_old_s...
On Sun, Jun 02, 2024 at 02:58:18PM +0200, Carlos E. R. wrote:
> I understand the shim of (3) was updated, which would affect 6 and 7 booting. But (1) is intact, so (2) should keep working, no?
No.
The boot of (3) updates a UEFI variable read by (1) saying that older shims are not considered secure boot safe anymore.
This is a global shim version indicator, so it impacts also (2).
Ciao, Marcus
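An added illustration of the mechanism described in the reply above (not code from shim or from anyone in this thread): a small model of an SBAT-style generation check, where booting the updated shim raises a stored minimum level and the other distribution's older shim then fails the check. It assumes the `component,generation,...` CSV layout of SBAT metadata and a level whose first line carries a datestamp; the function names are hypothetical and all generations, datestamps and URLs are constructed sample values.

```python
# Constructed sample data: generations, datestamps and URLs are illustrative only.
OLD_SHIM_SBAT = """sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
shim,3,UEFI shim,shim,1,https://example.invalid/shim
shim.debian,1,Debian,shim,0,https://example.invalid/debian"""
NEW_SHIM_SBAT = """sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
shim,4,UEFI shim,shim,1,https://example.invalid/shim
shim.opensuse,1,openSUSE,shim,0,https://example.invalid/opensuse"""
NVRAM_LEVEL = "sbat,1,2023010100\nshim,2\n"      # level stored before the update
NEW_SHIM_LEVEL = "sbat,1,2024010100\nshim,4\n"   # level carried by the updated shim


def parse_sbat(text):
    """Map component name -> generation from 'component,generation,...' lines."""
    entries = {}
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[1].isdigit():
            raise ValueError(f"malformed SBAT line: {line!r}")
        entries[fields[0]] = int(fields[1])
    return entries


def parse_level(text):
    """Return (datestamp, minimum generations); line 1 is 'sbat,<gen>,<datestamp>'."""
    header = text.strip().splitlines()[0].split(",")
    if len(header) != 3 or header[0] != "sbat":
        raise ValueError("level must start with 'sbat,<gen>,<datestamp>'")
    return int(header[2]), parse_sbat(text)


def apply_level(stored, shipped):
    """The stored level only moves forward: the newer datestamp wins."""
    return shipped if shipped[0] > stored[0] else stored


def revoked(binary_sbat, level):
    """Components of a binary whose generation is below the stored minimum."""
    return sorted(c for c, gen in binary_sbat.items() if gen < level[1].get(c, 0))


def simulate():
    """Old shim before the update, then old and new shim after the level moved."""
    stored = parse_level(NVRAM_LEVEL)
    old, new = parse_sbat(OLD_SHIM_SBAT), parse_sbat(NEW_SHIM_SBAT)
    before = revoked(old, stored)
    stored = apply_level(stored, parse_level(NEW_SHIM_LEVEL))
    return before, revoked(old, stored), revoked(new, stored)
```

`simulate()` returns the revoked components for the old shim before the update, the old shim after it, and the new shim after it; only the middle case is non-empty, which matches the symptom reported at the start of the thread.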
On 2024-06-03 09:33, Marcus Meissner wrote:
> No.
> The boot of (3) updates a UEFI variable read by (1) saying that older shims are not considered secure boot safe anymore.
> This is a global shim version indicator, so it impacts also (2).
Ow! :-(
Thanks, I understand now.
--
Cheers / Saludos,
Carlos E. R.
(from 15.5 x86_64 at Telcontar)
You can temporarily disable secure boot. This is the quickest solution to access Debian. However, it weakens your system's security as it allows unsigned code to run during boot.
participants (6)
- Andrei Borzenkov
- Carlos E. R.
- Gilbert
- Knurpht-openSUSE
- Marcus Meissner
- Richmond