Bug#1127652: grub-efi-amd64-signed: Booting grub is impossible on 2.14 version with "failed to install protocols" and "cannot load image" errors

Mate Kukri mate.kukri at canonical.com
Wed Feb 11 13:39:39 GMT 2026 

With Secure Boot enabled, and if you are generating your own GRUB
image, with a manual grub-install invocation, you must include the
"peimage" module. This is included with the default setup installed by
the packaging.

On Wed, Feb 11, 2026 at 1:37 PM horsey_guy <horsey_guy at proton.me> wrote:
>
> On Wednesday, February 11th, 2026 at 2:17 AM, Mate Kukri <mate.kukri at canonical.com> wrote:
>
> > Can you provide more information about the system this runs on?
> `uname -a`:
> ```
> Linux horsey-guy-debian-lenovo 6.19-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.19~rc8-1~exp1 (2026-02-02) x86_64 GNU/Linux
> ```
>
> Secure boot was enabled the whole time.
>
> `lsblk -o NAME,FSTYPE,FSVER,LABEL,MOUNTPOINTS`:
> ```
> NAME             FSTYPE      FSVER LABEL      MOUNTPOINTS
> sda
>
> ├─sda1           exfat       1.0   Ventoy
>
> ├─sda2           vfat        FAT16 VTOYEFI
>
> └─sda3           crypto_LUKS 2
>
> zram0            swap        1                [SWAP]
> nvme0n1
>
> ├─nvme0n1p1      vfat        FAT32 SYSTEM_DRV /boot/efi
> ├─nvme0n1p2      crypto_LUKS 2     Debian
>
> │ └─debian_crypt btrfs             debian     /var/log
> │                                             /var/lib/libvirt
> │                                             /opt
> │                                             /home
> │                                             /boot
> │                                             /
> └─nvme0n1p3      crypto_LUKS 2
>
>   └─cryptswap    swap        1     cryptswap  [SWAP]
>
> ```
> `/etc/default/grub` (UUID was replaced with angle brackets and their descriptions):
> ```
> # If you change this file, run 'update-grub' afterwards to update
> # /boot/grub/grub.cfg.
> # For full documentation of the options in this file, see:
> #   info -f grub -n 'Simple configuration'
>
> GRUB_DEFAULT=0
> GRUB_TIMEOUT=5
> GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
> #GRUB_CMDLINE_LINUX_DEFAULT="intel_iommu=on iommu=pt efi=runtime i915.enable_guc=2 xe.force_probe='a7a1' i915.force_probe='!a7a1' xe.max_vfs=7 i915.max_vfs=7"
>
> GRUB_CMDLINE_LINUX_DEFAULT=""
>
> GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS2 encrypted partition's UUID>:debian_crypt root=UUID=</dev/mapper/debian_crypt's UUID> rd.luks.name=</dev/mapper/debian_crypt's UUID>=debian_crypt rd.luks.options=</dev/mapper/debian_crypt's UUID>=tpm2-device=auto,password-echo=no,tries=1 rootflags=rw,subvol=@rootfs intel_iommu=on iommu=pt efi=runtime i915.enable_guc=2 zswap.enabled=0"
>
> # If your computer has multiple operating systems installed, then you
> # probably want to run os-prober. However, if your computer is a host
> # for guest OSes installed via LVM or raw disk devices, running
> # os-prober can cause damage to those guest OSes as it mounts
> # filesystems to look for things.
> #GRUB_DISABLE_OS_PROBER=false
>
> # Uncomment to enable BadRAM filtering, modify to suit your needs
> # This works with Linux (no patch required) and with any kernel that obtains
> # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
> #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
>
> # Uncomment to disable graphical terminal
> #GRUB_TERMINAL=console
>
> # The resolution used on graphical terminal
> # note that you can use only modes which your graphic card supports via VBE
> # you can see them in real GRUB with the command `vbeinfo'
> GRUB_GFXMODE=1920x1080,auto
>
> # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
> #GRUB_DISABLE_LINUX_UUID=true
>
> # Uncomment to disable generation of recovery mode menu entries
> #GRUB_DISABLE_RECOVERY="true"
>
> # Uncomment to get a beep at grub start
> #GRUB_INIT_TUNE="480 440 1"
>
> # Specify theme directory
> GRUB_THEME="/boot/grub/themes/vimix/theme.txt"
>
> # Enable cryptodisk in case it is needed
> GRUB_ENABLE_CRYPTODISK=y
>
> GRUB_PRELOAD_MODULES="part_gpt btrfs cryptodisk luks2"
> ```
>
> > Additionally what image was this installation derived from? And how
> > did you install the GRUB2 binary?
> What image do you mean? The Linux kernel is version 6.19.
>
> The command to install GRUB2 was `grub-install --uefi-secure-boot --boot-directory=/boot --efi-directory=/boot/efi --directory=/usr/lib/grub/x86_64-efi --themes=vimix --modules="luks2 gcry_sha512 gcry_sha256 pbkdf2 cryptodisk argon2" --target=x86_64-efi --bootloader-id=debian /dev/nvme0n1p1 --recheck`

More information about the Pkg-grub-devel mailing list