Problem solved on the Debian Grub menu too, after importing the Ubuntu certificate in Debian.
[solved] Cannot dual booting Ubuntu with Debian: error: bad shim signature, you need to load the kernel first
- pbear
- Posts: 526
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 82 times
Re: [solved] Cannot dual booting Ubuntu with Debian: error: bad shim signature, you need to load the kernel first
Out of curiosity, I created a dual boot VM (Debian + Ubuntu) in QEMU using UEFI mode with secure boot. I observe the shim errors reported by klatls when booting from either Grub menu.
I get similar errors, worded differently, trying to chainload boot loaders with custom.cfg, as I proposed in the other thread (linked by Aki above).
Will mention, there's a solution between installing certificates (see above) and disabling secure boot altogether (what I do).
mokutil --disable-validation will leave secure boot in force for Windows, but disable it for Linux. Tested in my VM; worked fine.
- Global Moderator
- Posts: 4057
- Joined: 2014-07-20 18:12
- Location: Europe
- Has thanked: 113 times
- Been thanked: 535 times
Re: [solved] Cannot dual booting Ubuntu with Debian: error: bad shim signature, you need to load the kernel first
Hello,
That's quite interesting.
What is the list of configured certificates after booting Ubuntu? You can use the following commands:
sudo journalctl -b --no-pager --grep integrity\:
sudo mokutil --list-enrolled
sudo mokutil --pk
What is the Ubuntu installed shim-unsigned and shim-signed version? You can use the following command for each of the Ubuntu and Debian installations:
apt list "shim*"
- pbear
- Posts: 526
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 82 times
Re: [solved] Cannot dual booting Ubuntu with Debian: error: bad shim signature, you need to load the kernel first
As an aside, I would like to mention for the benefit of folks finding the thread by forum search, there's a simple way to boot the 'other' OS in this scenario. It's how the OP was able to test both Grub menus before solving the problem. The Grub menu will have an option to open UEFI Firmware Settings, one of which is a firmware boot menu. A one-time menu without changing boot order. Not especially convenient, but always should work.
Back to the mystery. Here are the requested outputs. Notice I've given the last command first.
On reflection, I've come to the conclusion this problem is inherent in the shim procedure. I'm no expert on secure boot, though, so maybe I'm missing an important piece of the puzzle.
Edit: Reviewing articles, I notice Rod Smith mentions this scenario (calling it Cross-Distribution Booting), so yes, it's well known. Notice also the link to his repo of public keys.
apt list "shim*" # Ubuntu
shim-dbg/noble 15.8-0ubuntu1 amd64
shim-signed/noble,now 1.58+15.8-0ubuntu1 amd64 [installed]
shim/noble 15.8-0ubuntu1 amd64
shimmer-themes/noble 2.1.3build1 all
apt list "shim*" # Debian
shim-helpers-amd64-signed-template/stable 15.8-1~deb12u1 amd64
shim-helpers-amd64-signed/stable,now 1+15.8+1~deb12u1 amd64 [installed,automatic]
shim-signed-common/stable,now 1.44~1+deb12u1+15.8-1~deb12u1 all [installed,automatic]
shim-signed/stable,now 1.44~1+deb12u1+15.8-1~deb12u1 amd64 [installed,automatic]
shim-unsigned/stable,now 15.8-1~deb12u1 amd64 [installed,automatic]
sudo journalctl -b --no-pager --grep integrity\:
Dec 04 16:44:56 ubuntu kernel: integrity: Platform Keyring initialized
Dec 04 16:44:56 ubuntu kernel: integrity: Machine keyring initialized
Dec 04 16:44:56 ubuntu kernel: integrity: Loading X.509 certificate: UEFI:db
Dec 04 16:44:56 ubuntu kernel: integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
Dec 04 16:44:56 ubuntu kernel: integrity: Loading X.509 certificate: UEFI:db
Dec 04 16:44:56 ubuntu kernel: integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
Dec 04 16:44:56 ubuntu kernel: integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
Dec 04 16:44:56 ubuntu kernel: integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'
Dec 04 16:51:07 ubuntu sudo[2253]: pbear : TTY=pts/0 ; PWD=/home/pbear ; USER=root ; COMMAND=/usr/bin/journalctl -b --no-pager --grep integrity:
sudo mokutil --list-enrolled
[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
b9:41:24:a0:18:2c:92:67
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
Validity
Not Before: Apr 12 11:12:51 2012 GMT
Not After : Apr 11 11:12:51 2042 GMT
Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
X509v3 Authority Key Identifier:
AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 CRL Distribution Points:
Full Name:
URI:http://www.canonical.com/secure-boot-master-ca.crl
Signature Algorithm: sha256WithRSAEncryption
sudo mokutil --pk
[key 1]
SHA1 Fingerprint: cd:cf:07:5a:e4:05:d5:fc:99:ba:09:54:7c:a5:5f:b7:fa:c2:e0:ff
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
45:01:ee:39:3e:52:29:78:36:df:85:42:c8:e5:7b:bb:88:d1:4b:37
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=Debian, CN=Debian UEFI Secure Boot (PK\/KEK key)/emailAddress=debian-devel@lists.debian.org
Validity
Not Before: Jul 8 23:42:49 2019 GMT
Not After : Jul 5 23:42:49 2029 GMT
Subject: O=Debian, CN=Debian UEFI Secure Boot (PK\/KEK key)/emailAddress=debian-devel@lists.debian.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
88:09:EB:9F:FA:7D:2D:5D:DB:30:67:A7:AF:B9:89:8E:A3:EE:02:73
X509v3 Authority Key Identifier:
88:09:EB:9F:FA:7D:2D:5D:DB:30:67:A7:AF:B9:89:8E:A3:EE:02:73
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
- pbear
- Posts: 526
- Joined: 2023-08-27 15:05
- Location: San Francisco
- Has thanked: 2 times
- Been thanked: 82 times
Re: [solved] Cannot dual booting Ubuntu with Debian: error: bad shim signature, you need to load the kernel first
Have been fiddling with this for a couple days and found another solution worth mentioning.
To recap, the problem is that, if one multi-boots Linux with secure boot enabled, one will get an error (bad shim signature) when booting a non-primary OS from the Grub menu. This is because the primary OS's shim (shimx64.efi) doesn't authorize boot from the non-primary OS's boot loader or kernel images.* The ordinary solution (what the OP did) is to copy the non-primary OS's secure boot certificate to the EFI partition (precise location not important), then enroll the certificate with MOK (machine owner key) (mmx64.efi). Command in the form sudo mokutil --import /path/to/filename.cer ; enter a one-time MOK password (I use eight ones) ; reboot ; follow the prompts.
* This isn't an issue, though, if both systems use the same shim, e.g., Debian + MX or LMDE, or Ubuntu + Mint or Linux Lite.
An alternative - and what I probably would do if I used secure boot - is to switch to rEFInd as boot manager. This has two advantages. First, it's easier than Grub for handling multi-boot systems. Rather than complex config files, it scans for bootable objects and presents a list. Second, as part of a default rEFInd installation, it copies all major secure boot certificates to the EFI partition, so no searching the internet. They still need to be enrolled (as does rEFInd's), but it seems to me a good deal easier. There are several options for installing rEFInd. For Stable, I think the deb file is the best option.
If you want to try rEFInd, there's a page on how to configure its settings. If you decide not to stick with rEFInd after all, the MOK enrollments will stay in place. Simply modify boot order to place whatever OS you want in charge of Grub at top of the boot list. Easily done with the firmware and/or efibootmgr.
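An added example, not code from any poster in this thread: before running sudo mokutil --import for the other distribution's certificate, a quick pre-flight check parses the text that sudo mokutil --list-enrolled prints (the "[key N]" / "SHA1 Fingerprint:" / openssl-style layout quoted above) and reports whether a CA with a given Subject CN is already enrolled, with its fingerprint. It assumes only POSIX sh and awk; the sample output and the placeholder CN "Other Distro Secure Boot CA" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a Secure Boot CA is already in the
# MOK list by parsing `sudo mokutil --list-enrolled` output (layout as quoted in the thread).

# mok_has_ca CN   (reads mokutil --list-enrolled text on stdin)
# Prints "[key N] <sha1-fingerprint>" for each enrolled key whose Subject carries CN=<CN>;
# exits 0 if at least one matched, 1 otherwise. Only the Subject line is matched, so a
# certificate merely *issued* by that CA does not count as the CA itself being enrolled.
mok_has_ca() {
    awk -v want="$1" '
        /^\[key [0-9]+\]/                                { key = $0; fp = ""; next }
        /^SHA1 Fingerprint:/                             { fp = $3; next }
        /^[[:space:]]*Subject:/ && index($0, "CN=" want) { print key, fp; found = 1 }
        END                                              { exit found ? 0 : 1 }
    '
}

# Constructed sample in the same layout as the thread's output (one enrolled key, the
# Canonical Master CA; modulus and signature hex omitted).
SAMPLE_MOK='[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority'

# Demonstration on the sample; on a real machine pipe in `sudo mokutil --list-enrolled` instead.
if printf '%s\n' "$SAMPLE_MOK" | mok_has_ca "Canonical Ltd. Master Certificate Authority"; then
    echo "Canonical CA already enrolled: no mokutil --import needed"
fi
printf '%s\n' "$SAMPLE_MOK" | mok_has_ca "Other Distro Secure Boot CA" \
    || echo "Other Distro Secure Boot CA not enrolled: its GRUB/kernel will be refused by this shim"
```

The CN to look up is whatever the Subject line of the .cer file you intend to enroll says; the fingerprint printed can be compared against the journalctl "integrity:" lines from the same boot.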