Secure Boot entry wiped by BIOS update

IT-Nerd
Posts: 9
Joined: 2014-03-23 23:44

Secure Boot entry wiped by BIOS update

#1 Post by IT-Nerd »

Hi all,

Today I have updated my Lenovo Ideapad 330 - 81FL laptop with the latest 7ZCN34WW BIOS and it wiped the Debian Secure Boot entry I have installed. I performed a manual installation using these information sites and a Debian 10 live CD:

https://debamax.com/blog/2019/04/19/an- ... in-debian/
https://cryptsetup-team.pages.debian.ne ... -boot.html

After installing the system with debootstrap, I installed GRUB with this:

Code:

echo "GRUB_ENABLE_CRYPTODISK=y" >>/etc/default/grub
echo "GRUB_DISABLE_OS_PROBER=true" >>/etc/default/grub
update-initramfs -u
grub-install --uefi-secure-boot --target=x86_64-efi --boot-directory=/boot --efi-directory=/boot/efi --bootloader-id=Debian
update-grub

The laptop has 2 drives, an SSD with the default Win 10 installation and I installed to the additional HDD.

How can I safely re-install the boot UEFI entry for my system? I'm planning to boot with the latest Debian 10 live, mount everything and chroot in order to re-apply the GRUB commands above. Do you see any problem with my strategy?

This situation will definitely happen to other people having laptops with Secure Boot/UEFI setups.

pylkko
Posts: 1802
Joined: 2014-11-06 19:02

Re: Secure Boot entry wiped by BIOS update

#2 Post by pylkko »

With efibootmgr you can change the boot order/entries, if that is what you mean.

https://manpages.debian.org/buster/efib ... .8.en.html

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Secure Boot entry wiped by BIOS update

#3 Post by Head_on_a_Stick »

If the boot entry has gone then you can use this from any live environment booted in UEFI mode:

Code:

# efibootmgr --create --label 'Debian' --disk /dev/sdX --part Y --loader /EFI/Debian/shimx64.efi

Replace X & Y with the drive letter and partition number assigned to the EFI system partition (/dev/sda1 is the default so those options can be omitted for that configuration).

We don't need no stinkin' chroot :mrgreen:
deadbang
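
As an added example (not part of the original post or the thread), this sketch derives the X and Y values from an ESP partition name, checks `efibootmgr -v` output for a Debian shim entry, and prints the command from post #3 if the entry is missing. The function names, the sample output and `/dev/sdb1` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Split an ESP partition device into "DISK PART" for --disk and --part.
# Fails when given a whole disk instead of a partition.
split_esp_dev() {
    dev=$1
    case $dev in
        /dev/nvme*|/dev/mmcblk*)          # disk name ends in a digit: "p" separator
            case $dev in *[0-9]p[0-9]*) ;; *) return 1 ;; esac
            part=${dev##*p}; disk=${dev%p"$part"} ;;
        *)                                # sdX, vdX: partition number follows directly
            part=${dev##*[!0-9]}; disk=${dev%"$part"} ;;
    esac
    case $part in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$disk" "$part"
}

# Read `efibootmgr -v` output on stdin; succeed if an entry loads shimx64.efi
# from \EFI\<dir>. FAT names are case-insensitive, hence -i.
has_shim_entry() {
    grep -qi '^Boot[0-9A-F]\{4\}.*File(\\EFI\\'"$1"'\\shimx64\.efi)'
}

# Print (do not run) the command from post #3 for the given ESP partition.
entry_cmd() {
    dp=$(split_esp_dev "$1") || return 1
    printf "efibootmgr --create --label 'Debian' --disk %s --part %s --loader /EFI/Debian/shimx64.efi\n" \
        "${dp% *}" "${dp#* }"
}

# Constructed sample: what `efibootmgr -v` might show once the entry is gone.
SAMPLE='BootCurrent: 0000
BootOrder: 0000
Boot0000* Windows Boot Manager HD(1,GPT,...)/File(\EFI\Microsoft\Boot\bootmgfw.efi)'

if printf '%s\n' "$SAMPLE" | has_shim_entry Debian; then
    echo "Debian shim entry present, nothing to do"
else
    echo "Debian shim entry missing; as root, run:"
    entry_cmd /dev/sdb1                   # /dev/sdb1 is a constructed ESP device
fi
```

On a live system booted in UEFI mode, pipe real `efibootmgr -v` output into `has_shim_entry` instead of the sample.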

p.H
Global Moderator
Posts: 3049
Joined: 2017-09-17 07:12
Has thanked: 5 times
Been thanked: 132 times

Re: Secure Boot entry wiped by BIOS update

#4 Post by p.H »

IT-Nerd wrote: This situation will definitely happen to other people having laptops with Secure Boot/UEFI setups.

I doubt it has anything to do with secure boot, rather with the firmware update process which recklessly erases EFI boot entries.

To allow booting without a boot entry, next time add --force-extra-removable to the grub-install command. It will install a copy of GRUB as a fallback bootloader which does not require an EFI boot entry.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Secure Boot entry wiped by BIOS update

#5 Post by Head_on_a_Stick »

p.H wrote: add --force-extra-removable to the grub-install command

Note that this method will over-write the EFI loader for operating systems such as OpenBSD, 9front & Haiku. They do not have a user space utility to create or modify NVRAM entries and so rely on the fallback loader instead.
deadbang

IT-Nerd
Posts: 9
Joined: 2014-03-23 23:44

Re: Secure Boot entry wiped by BIOS update

#6 Post by IT-Nerd »

Thank you very much for all your answers. I will try and report back. This seems like the proper solution:

Code:

efibootmgr --create --label 'Debian' --disk /dev/sdX --part Y --loader /EFI/Debian/shimx64.efi

IT-Nerd
Posts: 9
Joined: 2014-03-23 23:44

Re: Secure Boot entry wiped by BIOS update

#7 Post by IT-Nerd »

Worked like a charm. Thank you everybody.
