Bug#1017887: grub-efi-amd64-signed: SecureBoot Grub-Install with Custom Bootloader ID Drops Grub into Grub Shell

Chew Kean Ho hollowaykeanho at gmail.com
Mon Aug 22 03:58:06 BST 2022 

Package: grub-efi-amd64-bin
Version: 1+2.04+20
Severity: important
X-Debbugs-Cc: hollowaykeanho at gmail.com

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
When performing a manual grub-install in a debootstrap Debian OS setup,
installing SecureBoot Grub with --bootloader-id value other than 'debian' causes
the Grub to drop into Grub Shell (failed to locate /boot/grub/grub.cfg) despite
having the UUID and root prefix values correct at /boot/EFI/<name>/grub.cfg
level.

Exact cause is unknown (still not sure what causes the drop). The only
workaround is NOT to mess with the --bootloader-id or set --bootloader-id to
strictly 'debian' as value.

The same thing happens when SecureBoot is turned off at BIOS.

Investigation steps are properly documented, made available at:
https://salsa.debian.org/-/snippets/617


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Don't mess with --bootloader-id or set --bootloader-id to 'debian' only have
the target OS bootable and not drop into Grub Shell.

Messing it with anything else than 'debian', Grub will drop into Grub Shell.


   * What was the outcome of this action?

Option is offered but not functioning as expected. At the moment, it's
compulsory not to use that option.


   * What outcome did you expect instead?

Some unknown bug(s) are fixed or detailed documentations are published regarding
the --bootloader-id usage.




-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.18.0-0.bpo.1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages grub-efi-amd64-signed depends on:
ii  grub-common  2.04-20

Versions of packages grub-efi-amd64-signed recommends:
ii  shim-signed  1.38+15.4-7

grub-efi-amd64-signed suggests no packages.

Versions of packages grub-efi-amd64-bin depends on:
ii  grub-common  2.04-20

Versions of packages grub-efi-amd64-bin recommends:
ii  efibootmgr  17-1

-- no debconf information

More information about the Pkg-grub-devel mailing list