all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [PATCH docs] bootloaders: add secure boot shim example
@ 2026-07-02  8:57 Maximiliano Sandoval
  2026-07-02  9:11 ` Stoiko Ivanov
  0 siblings, 1 reply; 5+ messages in thread
From: Maximiliano Sandoval @ 2026-07-02  8:57 UTC (permalink / raw)
  To: pve-devel

On a system that was migrated from systemd-boot to grub2 with secure
boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
entry would be present. If the shimx64.efi entry is not mentioned, then
the docs would incorrectly imply that the system uses systemd-boot as a
bootloader.

We add the shimx64.efi entry to the docs to fill this gap.

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---

Notes:
    On my machine:
    
    $ efibootmgr -v
    Boot0000* Linux Boot Manager
    HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi) [..]
    [..]
    Boot0002* proxmox
    HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi) [..]

 system-booting.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system-booting.adoc b/system-booting.adoc
index da87697..c3de158 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -209,6 +209,13 @@ used in UEFI mode.
 Boot0005* proxmox	[...] File(\EFI\proxmox\grubx64.efi)
 ----
 
+If the output contains a line that looks similar to the following, GRUB is
+used in UEFI mode with Secure Boot enabled.
+
+----
+Boot0005* proxmox	[...] File(\EFI\proxmox\shimx64.efi)
+----
+
 If the output contains a line similar to the following, `systemd-boot` is used.
 
 ----
-- 
2.47.3





^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  8:57 [PATCH docs] bootloaders: add secure boot shim example Maximiliano Sandoval
@ 2026-07-02  9:11 ` Stoiko Ivanov
  2026-07-02  9:14   ` Maximiliano Sandoval
  0 siblings, 1 reply; 5+ messages in thread
From: Stoiko Ivanov @ 2026-07-02  9:11 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pve-devel

Thanks for addressing this so quickly!

On Thu,  2 Jul 2026 10:57:41 +0200
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:

> On a system that was migrated from systemd-boot to grub2 with secure
> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
> entry would be present. If the shimx64.efi entry is not mentioned, then
> the docs would incorrectly imply that the system uses systemd-boot as a
> bootloader.
> 
> We add the shimx64.efi entry to the docs to fill this gap.
> 
> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
> 
> Notes:
>     On my machine:
>     
>     $ efibootmgr -v
>     Boot0000* Linux Boot Manager
>     HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi) [..]
>     [..]
>     Boot0002* proxmox
>     HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi) [..]
> 
>  system-booting.adoc | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/system-booting.adoc b/system-booting.adoc
> index da87697..c3de158 100644
> --- a/system-booting.adoc
> +++ b/system-booting.adoc
> @@ -209,6 +209,13 @@ used in UEFI mode.
>  Boot0005* proxmox	[...] File(\EFI\proxmox\grubx64.efi)
>  ----
>  
> +If the output contains a line that looks similar to the following, GRUB is
> +used in UEFI mode with Secure Boot enabled.
I'd rather phrase that as:
If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
boot is enabled. 
(It's not set in stone that grub is the only boot-loader that can be
loaded from a signed shim - at some point in the future we might have
systemd-boot in that list as well, and prefer that for new installs)

alternatively we will need to rework the docs then anyways - so it's just
a suggestion - what do you think?

> +
> +----
> +Boot0005* proxmox	[...] File(\EFI\proxmox\shimx64.efi)
> +----
> +
>  If the output contains a line similar to the following, `systemd-boot` is used.
>  
>  ----





^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  9:11 ` Stoiko Ivanov
@ 2026-07-02  9:14   ` Maximiliano Sandoval
  2026-07-02  9:16     ` Stoiko Ivanov
  0 siblings, 1 reply; 5+ messages in thread
From: Maximiliano Sandoval @ 2026-07-02  9:14 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pve-devel

Stoiko Ivanov <s.ivanov@proxmox.com> writes:

> Thanks for addressing this so quickly!
>
> On Thu,  2 Jul 2026 10:57:41 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> On a system that was migrated from systemd-boot to grub2 with secure
>> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> entry would be present. If the shimx64.efi entry is not mentioned, then
>> the docs would incorrectly imply that the system uses systemd-boot as a
>> bootloader.
>> 
>> We add the shimx64.efi entry to the docs to fill this gap.
>> 
>> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> ---
>> [..]
>>
> I'd rather phrase that as:
> If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
> boot is enabled. 
> (It's not set in stone that grub is the only boot-loader that can be
> loaded from a signed shim - at some point in the future we might have
> systemd-boot in that list as well, and prefer that for new installs)
>
> alternatively we will need to rework the docs then anyways - so it's just
> a suggestion - what do you think?

Sounds good to me however, we do not explain which entry is the "active
boot entry". Do I assume correctly it should be the one listed in
'BootCurrent'?


-- 
Maximiliano




^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  9:14   ` Maximiliano Sandoval
@ 2026-07-02  9:16     ` Stoiko Ivanov
  2026-07-02  9:36       ` superseded: " Maximiliano Sandoval
  0 siblings, 1 reply; 5+ messages in thread
From: Stoiko Ivanov @ 2026-07-02  9:16 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pve-devel

On Thu, 02 Jul 2026 11:14:43 +0200
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:

> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
> 
> > Thanks for addressing this so quickly!
> >
> > On Thu,  2 Jul 2026 10:57:41 +0200
> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
> >  
> >> On a system that was migrated from systemd-boot to grub2 with secure
> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
> >> entry would be present. If the shimx64.efi entry is not mentioned, then
> >> the docs would incorrectly imply that the system uses systemd-boot as a
> >> bootloader.
> >> 
> >> We add the shimx64.efi entry to the docs to fill this gap.
> >> 
> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> >> ---
> >> [..]
> >>  
> > I'd rather phrase that as:
> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
> > boot is enabled. 
> > (It's not set in stone that grub is the only boot-loader that can be
> > loaded from a signed shim - at some point in the future we might have
> > systemd-boot in that list as well, and prefer that for new installs)
> >
> > alternatively we will need to rework the docs then anyways - so it's just
> > a suggestion - what do you think?  
> 
> Sounds good to me however, we do not explain which entry is the "active
> boot entry". Do I assume correctly it should be the one listed in
> 'BootCurrent'?
afaik - yes





^ permalink raw reply	[flat|nested] 5+ messages in thread

* superseded: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  9:16     ` Stoiko Ivanov
@ 2026-07-02  9:36       ` Maximiliano Sandoval
  0 siblings, 0 replies; 5+ messages in thread
From: Maximiliano Sandoval @ 2026-07-02  9:36 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pve-devel

Stoiko Ivanov <s.ivanov@proxmox.com> writes:

> On Thu, 02 Jul 2026 11:14:43 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
>> 
>> > Thanks for addressing this so quickly!
>> >
>> > On Thu,  2 Jul 2026 10:57:41 +0200
>> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>> >  
>> >> On a system that was migrated from systemd-boot to grub2 with secure
>> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> >> entry would be present. If the shimx64.efi entry is not mentioned, then
>> >> the docs would incorrectly imply that the system uses systemd-boot as a
>> >> bootloader.
>> >> 
>> >> We add the shimx64.efi entry to the docs to fill this gap.
>> >> 
>> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> >> ---
>> >> [..]
>> >>  
>> > I'd rather phrase that as:
>> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
>> > boot is enabled. 
>> > (It's not set in stone that grub is the only boot-loader that can be
>> > loaded from a signed shim - at some point in the future we might have
>> > systemd-boot in that list as well, and prefer that for new installs)
>> >
>> > alternatively we will need to rework the docs then anyways - so it's just
>> > a suggestion - what do you think?  
>> 
>> Sounds good to me however, we do not explain which entry is the "active
>> boot entry". Do I assume correctly it should be the one listed in
>> 'BootCurrent'?
> afaik - yes

It is probably clear enough in v2. I will not mention the BootCurrent
for now since the documentation claims twice that "if the following boot
entry exists then surely you are booting into it" already. This would
require a bigger rewrite anyways.

Superseded-by: https://lore.proxmox.com/all/20260702093215.84124-1-m.sandoval@proxmox.com/T/#u

-- 
Maximiliano




^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-07-02  9:36 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-02  8:57 [PATCH docs] bootloaders: add secure boot shim example Maximiliano Sandoval
2026-07-02  9:11 ` Stoiko Ivanov
2026-07-02  9:14   ` Maximiliano Sandoval
2026-07-02  9:16     ` Stoiko Ivanov
2026-07-02  9:36       ` superseded: " Maximiliano Sandoval

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal