* [PATCH docs] bootloaders: add secure boot shim example
From: Maximiliano Sandoval @ 2026-07-02 8:57 UTC
To: pve-devel
On a system that was migrated from systemd-boot to grub2 with secure
boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
entry would be present. If the shimx64.efi entry is not mentioned, then
the docs would incorrectly imply that the system uses systemd-boot as a
bootloader.

We add the shimx64.efi entry to the docs to fill this gap.

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---

Notes:
    On my machine:

    $ efibootmgr -v
    Boot0000* Linux Boot Manager
          HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi) [..]
    [..]
    Boot0002* proxmox
          HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi) [..]

 system-booting.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system-booting.adoc b/system-booting.adoc
index da87697..c3de158 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -209,6 +209,13 @@ used in UEFI mode.
Boot0005* proxmox [...] File(\EFI\proxmox\grubx64.efi)
----
+If the output contains a line that looks similar to the following, GRUB is
+used in UEFI mode with Secure Boot enabled.
+
+----
+Boot0005* proxmox [...] File(\EFI\proxmox\shimx64.efi)
+----
+
If the output contains a line similar to the following, `systemd-boot` is used.
----
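Review bot: The added paragraph keys on a shimx64.efi line merely being present in the output, but the `efibootmgr -v` output in the notes of this mail lists a systemd-bootx64.efi entry (Boot0000) alongside the shimx64.efi one (Boot0002), so on such a machine both this paragraph and the `systemd-boot` paragraph that follows it match and the reader cannot tell which one applies. Consider stating which case wins when both entries exist, or tying the check to the entry that was actually booted. The example line also only shows which file the entry loads, so "with Secure Boot enabled" says more than the output does; wording such as "GRUB is loaded through the Secure Boot shim" would match what is visible. As a style point, "a line that looks similar to" differs from the "a line similar to" used in the next paragraph; one phrase for both keeps the section uniform.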
--
2.47.3
* Re: [PATCH docs] bootloaders: add secure boot shim example
From: Stoiko Ivanov @ 2026-07-02 9:11 UTC
To: Maximiliano Sandoval; +Cc: pve-devel
Thanks for addressing this so quickly!
On Thu, 2 Jul 2026 10:57:41 +0200
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
> On a system that was migrated from systemd-boot to grub2 with secure
> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
> entry would be present. If the shimx64.efi entry is not mentioned, then
> the docs would incorrectly imply that the system uses systemd-boot as a
> bootloader.
>
> We add the shimx64.efi entry to the docs to fill this gap.
>
> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
>
> Notes:
> On my machine:
>
> $ efibootmgr -v
> Boot0000* Linux Boot Manager
> HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi) [..]
> [..]
> Boot0002* proxmox
> HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi) [..]
>
> system-booting.adoc | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/system-booting.adoc b/system-booting.adoc
> index da87697..c3de158 100644
> --- a/system-booting.adoc
> +++ b/system-booting.adoc
> @@ -209,6 +209,13 @@ used in UEFI mode.
> Boot0005* proxmox [...] File(\EFI\proxmox\grubx64.efi)
> ----
>
> +If the output contains a line that looks similar to the following, GRUB is
> +used in UEFI mode with Secure Boot enabled.
I'd rather phrase that as:
If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
boot is enabled.
(It's not set in stone that grub is the only boot-loader that can be
loaded from a signed shim - at some point in the future we might have
systemd-boot in that list as well, and prefer that for new installs)
alternatively we will need to rework the docs then anyways - so it's just
a suggestion - what do you think?
> +
> +----
> +Boot0005* proxmox [...] File(\EFI\proxmox\shimx64.efi)
> +----
> +
> If the output contains a line similar to the following, `systemd-boot` is used.
>
> ----
* Re: [PATCH docs] bootloaders: add secure boot shim example
From: Maximiliano Sandoval @ 2026-07-02 9:14 UTC
To: Stoiko Ivanov; +Cc: pve-devel
Stoiko Ivanov <s.ivanov@proxmox.com> writes:
> Thanks for addressing this so quickly!
>
> On Thu, 2 Jul 2026 10:57:41 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> On a system that was migrated from systemd-boot to grub2 with secure
>> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> entry would be present. If the shimx64.efi entry is not mentioned, then
>> the docs would incorrectly imply that the system uses systemd-boot as a
>> bootloader.
>>
>> We add the shimx64.efi entry to the docs to fill this gap.
>>
>> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> ---
>> [..]
>>
> I'd rather phrase that as:
> If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
> boot is enabled.
> (It's not set in stone that grub is the only boot-loader that can be
> loaded from a signed shim - at some point in the future we might have
> systemd-boot in that list as well, and prefer that for new installs)
>
> alternatively we will need to rework the docs then anyways - so it's just
> a suggestion - what do you think?
Sounds good to me; however, we do not explain which entry is the "active
boot entry". Do I assume correctly it should be the one listed in
'BootCurrent'?
--
Maximiliano
* Re: [PATCH docs] bootloaders: add secure boot shim example
From: Stoiko Ivanov @ 2026-07-02 9:16 UTC
To: Maximiliano Sandoval; +Cc: pve-devel
On Thu, 02 Jul 2026 11:14:43 +0200
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
>
> > Thanks for addressing this so quickly!
> >
> > On Thu, 2 Jul 2026 10:57:41 +0200
> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
> >
> >> On a system that was migrated from systemd-boot to grub2 with secure
> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
> >> entry would be present. If the shimx64.efi entry is not mentioned, then
> >> the docs would incorrectly imply that the system uses systemd-boot as a
> >> bootloader.
> >>
> >> We add the shimx64.efi entry to the docs to fill this gap.
> >>
> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> >> ---
> >> [..]
> >>
> > I'd rather phrase that as:
> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
> > boot is enabled.
> > (It's not set in stone that grub is the only boot-loader that can be
> > loaded from a signed shim - at some point in the future we might have
> > systemd-boot in that list as well, and prefer that for new installs)
> >
> > alternatively we will need to rework the docs then anyways - so it's just
> > a suggestion - what do you think?
>
> Sounds good to me; however, we do not explain which entry is the "active
> boot entry". Do I assume correctly it should be the one listed in
> 'BootCurrent'?
afaik - yes
* superseded: [PATCH docs] bootloaders: add secure boot shim example
From: Maximiliano Sandoval @ 2026-07-02 9:36 UTC
To: Stoiko Ivanov; +Cc: pve-devel
Stoiko Ivanov <s.ivanov@proxmox.com> writes:
> On Thu, 02 Jul 2026 11:14:43 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
>>
>> > Thanks for addressing this so quickly!
>> >
>> > On Thu, 2 Jul 2026 10:57:41 +0200
>> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>> >
>> >> On a system that was migrated from systemd-boot to grub2 with secure
>> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> >> entry would be present. If the shimx64.efi entry is not mentioned, then
>> >> the docs would incorrectly imply that the system uses systemd-boot as a
>> >> bootloader.
>> >>
>> >> We add the shimx64.efi entry to the docs to fill this gap.
>> >>
>> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> >> ---
>> >> [..]
>> >>
>> > I'd rather phrase that as:
>> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
>> > boot is enabled.
>> > (It's not set in stone that grub is the only boot-loader that can be
>> > loaded from a signed shim - at some point in the future we might have
>> > systemd-boot in that list as well, and prefer that for new installs)
>> >
>> > alternatively we will need to rework the docs then anyways - so it's just
>> > a suggestion - what do you think?
>>
>> Sounds good to me; however, we do not explain which entry is the "active
>> boot entry". Do I assume correctly it should be the one listed in
>> 'BootCurrent'?
> afaik - yes
It is probably clear enough in v2. I will not mention the BootCurrent
for now since the documentation claims twice that "if the following boot
entry exists then surely you are booting into it" already. This would
require a bigger rewrite anyways.
Superseded-by: https://lore.proxmox.com/all/20260702093215.84124-1-m.sandoval@proxmox.com/T/#u
--
Maximiliano
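
The BootCurrent lookup discussed in this thread, as an added example that is not part of the patch or of the Proxmox documentation: it resolves the entry named by `BootCurrent` in `efibootmgr -v` output and classifies its loader, so a leftover systemd-boot entry next to the shim entry does not decide the answer. The sample output is constructed from the notes in the first mail (the `BootCurrent` and `BootOrder` lines are assumed), and `active_loader` and `classify_loader` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): find the entry BootCurrent names in
# `efibootmgr -v` output and classify its loader by file name.

# Constructed sample modelled on the notes in the patch mail; the BootCurrent
# and BootOrder lines are assumptions added for illustration.
SAMPLE='BootCurrent: 0002
BootOrder: 0002,0000
Boot0000* Linux Boot Manager HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi)
Boot0002* proxmox HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi)'

# active_loader (hypothetical helper): reads efibootmgr -v output on stdin and
# prints the File(...) path of the BootCurrent entry; exits 1 if unresolved.
active_loader() {
    awk '
        /^BootCurrent:/ { cur = $2; next }
        # A new BootXXXX entry starts; wrapped continuation lines keep its id.
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]/ { id = substr($0, 5, 4) }
        id != "" && !(id in path) && match($0, /File\([^)]*\)/) {
            path[id] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END { if (cur != "" && (cur in path)) print path[cur]; else exit 1 }
    '
}

# classify_loader (hypothetical helper): map a loader path to a short label.
classify_loader() {
    # Take the file name after the last backslash, lowercased (FAT ignores case).
    base=$(printf '%s\n' "$1" | sed 's/.*\\//' | tr 'A-Z' 'a-z')
    case "$base" in
        shim*.efi)         echo shim ;;
        grub*.efi)         echo grub ;;
        systemd-boot*.efi) echo systemd-boot ;;
        *)                 echo unknown ;;
    esac
}

loader=$(printf '%s\n' "$SAMPLE" | active_loader) || loader=
printf 'BootCurrent entry loads %s (%s)\n' "$loader" "$(classify_loader "$loader")"
```

On a live system the input would be `efibootmgr -v | active_loader`; the firmware's Secure Boot state itself can be read with `mokutil --sb-state`.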