Secure Boot entry wiped by BIOS update


Post by IT-Nerd » 2020-03-22 18:44

Hi all,

Today I updated my Lenovo Ideapad 330 - 81FL laptop with the latest 7ZCN34WW BIOS and it wiped the Debian Secure Boot entry I had installed. I performed a manual installation using these information sites and a Debian 10 live CD:

https://debamax.com/blog/2019/04/19/an- ... in-debian/
https://cryptsetup-team.pages.debian.ne ... -boot.html

After installing the system with debootstrap, I installed GRUB with this:

Code:
echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
echo "GRUB_DISABLE_OS_PROBER=true" >>/etc/default/grub
update-initramfs -u
grub-install --uefi-secure-boot --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=Debian
update-grub


The laptop has 2 drives: an SSD with the default Win 10 installation, and an additional HDD that I installed to.

How can I safely re-install the boot UEFI entry for my system? I'm planning to boot with the latest Debian 10 live, mount everything and chroot in order to re-apply the GRUB commands above. Do you see any problem with my strategy?

This situation will definitely happen to other people having laptops with Secure Boot/UEFI setups.
IT-Nerd
 
Posts: 3
Joined: 2014-03-23 23:44

Re: Secure Boot entry wiped by BIOS update

Post by pylkko » 2020-03-22 18:56

With efibootmgr you can change the boot order/entries, if that is what you mean.

https://manpages.debian.org/buster/efib ... .8.en.html
pylkko
 
Posts: 1736
Joined: 2014-11-06 19:02

Re: Secure Boot entry wiped by BIOS update

Post by Head_on_a_Stick » 2020-03-22 18:59

If the boot entry has gone then you can use this from any live environment booted in UEFI mode:
Code:
# efibootmgr --create --label 'Debian' --disk /dev/sdX --part Y --loader /EFI/Debian/shimx64.efi

Replace X & Y with the drive letter and partition number assigned to the EFI system partition (/dev/sda1 is the default so those options can be omitted for that configuration).

We don't need no stinkin' chroot :mrgreen:
Head_on_a_Stick
 
Posts: 12004
Joined: 2014-06-01 17:46
Location: /dev/chair
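
Added example, not part of the post above or of any project's code: a dry-run helper that checks `efibootmgr -v` output for an entry loading `shimx64.efi` and, if none exists, prints the command from the post with X and Y filled in from the ESP device name. The function names, the sample output and the device-name patterns are assumptions made for this illustration.

```sh
#!/bin/sh
# Added example (not from the thread): dry-run check for a missing Debian shim
# boot entry. Prints the efibootmgr command; never writes to NVRAM itself.

# Constructed `efibootmgr -v` output after the firmware update: only Windows
# is left. The GUID is a placeholder.
SAMPLE_AFTER_UPDATE='BootCurrent: 0001
BootOrder: 0001
Boot0001* Windows Boot Manager HD(1,GPT,00000000-0000-0000-0000-000000000000,0x800,0x82000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'

# has_shim_entry TEXT: true if a Boot#### line loads \EFI\Debian\shimx64.efi.
# With Secure Boot on, the entry has to point at the signed shim.
has_shim_entry() {
    printf '%s\n' "$1" |
        grep -Eiq '^Boot[0-9A-F]{4}.*File\(\\EFI\\debian\\shimx64\.efi\)'
}

# split_esp DEVICE: print "<disk> <partition number>" for an ESP device node.
split_esp() {
    case "$1" in
        /dev/nvme*n*p[0-9]*|/dev/mmcblk*p[0-9]*)   # e.g. /dev/nvme0n1p1
            part=${1##*p}; disk=${1%p"$part"} ;;
        /dev/sd[a-z]*[0-9]|/dev/vd[a-z]*[0-9])     # e.g. /dev/sdb1
            part=${1##*[!0-9]}; disk=${1%"$part"} ;;
        *) return 1 ;;                             # whole disk or unknown name
    esac
    printf '%s %s\n' "$disk" "$part"
}

# recreate_cmd ESP_DEVICE: the command from the post above, filled in.
recreate_cmd() {
    dp=$(split_esp "$1") || return 1
    printf "efibootmgr --create --label 'Debian' --disk %s --part %s --loader /EFI/Debian/shimx64.efi\n" \
        "${dp% *}" "${dp#* }"
}

# plan EFIBOOTMGR_OUTPUT ESP_DEVICE: say what to do, without doing it.
plan() {
    if has_shim_entry "$1"; then
        echo "entry present: nothing to do"
    else
        recreate_cmd "$2"
    fi
}

# On a live system booted in UEFI mode: plan "$(efibootmgr -v)" /dev/sdb1
plan "$SAMPLE_AFTER_UPDATE" /dev/sda1
```
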

Re: Secure Boot entry wiped by BIOS update

Post by p.H » 2020-03-22 19:12

IT-Nerd wrote: This situation will definitely happen to other people having laptops with Secure Boot/UEFI setups.

I doubt it has anything to do with secure boot, rather with the firmware update process which recklessly erases EFI boot entries.

To allow booting without a boot entry, next time add --force-extra-removable to the grub-install command. It will install a copy of GRUB as a fallback bootloader which does not require an EFI boot entry.
p.H
 
Posts: 1333
Joined: 2017-09-17 07:12

Re: Secure Boot entry wiped by BIOS update

Post by Head_on_a_Stick » 2020-03-22 19:16

p.H wrote: add --force-extra-removable to the grub-install command

Note that this method will over-write the EFI loader for operating systems such as OpenBSD, 9front & Haiku. They do not have a user space utility to create or modify NVRAM entries and so rely on the fallback loader instead.
Head_on_a_Stick
 
Posts: 12004
Joined: 2014-06-01 17:46
Location: /dev/chair

Re: Secure Boot entry wiped by BIOS update

Post by IT-Nerd » 2020-03-22 19:26

Thank you very much for all your answers. I will try and report back. This seems like the proper solution:

Code:
efibootmgr --create --label 'Debian' --disk /dev/sdX --part Y --loader /EFI/Debian/shimx64.efi
IT-Nerd
 
Posts: 3
Joined: 2014-03-23 23:44

Re: Secure Boot entry wiped by BIOS update

Post by IT-Nerd » 2020-03-22 22:55

Worked like a charm. Thank you everybody.
IT-Nerd
 
Posts: 3
Joined: 2014-03-23 23:44

