public inbox for pve-devel@lists.proxmox.com
* [PATCH docs] bootloaders: add secure boot shim example
@ 2026-07-02  8:57 Maximiliano Sandoval
  2026-07-02  9:11 ` Stoiko Ivanov
  0 siblings, 1 reply; 5+ messages in thread
From: Maximiliano Sandoval @ 2026-07-02  8:57 UTC (permalink / raw)
  To: pve-devel

On a system that was migrated from systemd-boot to grub2 with secure
boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
entry would be present. If the shimx64.efi entry is not mentioned, then
the docs would incorrectly imply that the system uses systemd-boot as a
bootloader.

We add the shimx64.efi entry to the docs to fill this gap.

Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---

Notes:
    On my machine:
    
    $ efibootmgr -v
    Boot0000* Linux Boot Manager
    HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi) [..]
    [..]
    Boot0002* proxmox
    HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi) [..]

 system-booting.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/system-booting.adoc b/system-booting.adoc
index da87697..c3de158 100644
--- a/system-booting.adoc
+++ b/system-booting.adoc
@@ -209,6 +209,13 @@ used in UEFI mode.
 Boot0005* proxmox	[...] File(\EFI\proxmox\grubx64.efi)
 ----
 
+If the output contains a line that looks similar to the following, GRUB is
+used in UEFI mode with Secure Boot enabled.
+
+----
+Boot0005* proxmox	[...] File(\EFI\proxmox\shimx64.efi)
+----
+
 If the output contains a line similar to the following, `systemd-boot` is used.
 
 ----
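
Review bot: The added sentence ("+If the output contains a line that looks similar to the following ...") keys on a shimx64.efi line merely being present, but the Notes output in this same mail lists both a \EFI\systemd\systemd-bootx64.efi entry and a \EFI\proxmox\shimx64.efi entry. On such a machine this paragraph and the unchanged "`systemd-boot` is used" paragraph right after it both match, so the reader still cannot tell which loader is in use. Suggest saying which entry decides, or at least that the shimx64.efi line is the relevant one when a leftover systemd-bootx64.efi entry is also listed.
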
-- 
2.47.3






* Re: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  8:57 [PATCH docs] bootloaders: add secure boot shim example Maximiliano Sandoval
@ 2026-07-02  9:11 ` Stoiko Ivanov
  2026-07-02  9:14   ` Maximiliano Sandoval
  0 siblings, 1 reply; 5+ messages in thread
From: Stoiko Ivanov @ 2026-07-02  9:11 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pve-devel

Thanks for addressing this so quickly!

On Thu,  2 Jul 2026 10:57:41 +0200
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:

> On a system that was migrated from systemd-boot to grub2 with secure
> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
> entry would be present. If the shimx64.efi entry is not mentioned, then
> the docs would incorrectly imply that the system uses systemd-boot as a
> bootloader.
> 
> We add the shimx64.efi entry to the docs to fill this gap.
> 
> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> ---
> 
> Notes:
>     On my machine:
>     
>     $ efibootmgr -v
>     Boot0000* Linux Boot Manager
>     HD(2,GPT,[..])/File(\EFI\systemd\systemd-bootx64.efi) [..]
>     [..]
>     Boot0002* proxmox
>     HD(2,GPT,[..])/File(\EFI\proxmox\shimx64.efi) [..]
> 
>  system-booting.adoc | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/system-booting.adoc b/system-booting.adoc
> index da87697..c3de158 100644
> --- a/system-booting.adoc
> +++ b/system-booting.adoc
> @@ -209,6 +209,13 @@ used in UEFI mode.
>  Boot0005* proxmox	[...] File(\EFI\proxmox\grubx64.efi)
>  ----
>  
> +If the output contains a line that looks similar to the following, GRUB is
> +used in UEFI mode with Secure Boot enabled.
I'd rather phrase that as:
If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
boot is enabled. 
(It's not set in stone that grub is the only boot-loader that can be
loaded from a signed shim - at some point in the future we might have
systemd-boot in that list as well, and prefer that for new installs)

alternatively we will need to rework the docs then anyways - so it's just
a suggestion - what do you think?

> +
> +----
> +Boot0005* proxmox	[...] File(\EFI\proxmox\shimx64.efi)
> +----
> +
>  If the output contains a line similar to the following, `systemd-boot` is used.
>  
>  ----
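
Review bot: Style point on the first added line: "a line that looks similar to the following" differs from the unchanged sentence below the new block, "a line similar to the following". Use the same phrase in both so the cases read as parallel. The new example also reuses the Boot0005 number from the grubx64.efi example directly above it; a different entry number would make it clearer that these are distinct entries.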






* Re: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  9:11 ` Stoiko Ivanov
@ 2026-07-02  9:14   ` Maximiliano Sandoval
  2026-07-02  9:16     ` Stoiko Ivanov
  0 siblings, 1 reply; 5+ messages in thread
From: Maximiliano Sandoval @ 2026-07-02  9:14 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pve-devel

Stoiko Ivanov <s.ivanov@proxmox.com> writes:

> Thanks for addressing this so quickly!
>
> On Thu,  2 Jul 2026 10:57:41 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> On a system that was migrated from systemd-boot to grub2 with secure
>> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> entry would be present. If the shimx64.efi entry is not mentioned, then
>> the docs would incorrectly imply that the system uses systemd-boot as a
>> bootloader.
>> 
>> We add the shimx64.efi entry to the docs to fill this gap.
>> 
>> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> ---
>> [..]
>>
> I'd rather phrase that as:
> If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
> boot is enabled. 
> (It's not set in stone that grub is the only boot-loader that can be
> loaded from a signed shim - at some point in the future we might have
> systemd-boot in that list as well, and prefer that for new installs)
>
> alternatively we will need to rework the docs then anyways - so it's just
> a suggestion - what do you think?

Sounds good to me however, we do not explain which entry is the "active
boot entry". Do I assume correctly it should be the one listed in
'BootCurrent'?


-- 
Maximiliano





* Re: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  9:14   ` Maximiliano Sandoval
@ 2026-07-02  9:16     ` Stoiko Ivanov
  2026-07-02  9:36       ` superseded: " Maximiliano Sandoval
  0 siblings, 1 reply; 5+ messages in thread
From: Stoiko Ivanov @ 2026-07-02  9:16 UTC (permalink / raw)
  To: Maximiliano Sandoval; +Cc: pve-devel

On Thu, 02 Jul 2026 11:14:43 +0200
Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:

> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
> 
> > Thanks for addressing this so quickly!
> >
> > On Thu,  2 Jul 2026 10:57:41 +0200
> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
> >  
> >> On a system that was migrated from systemd-boot to grub2 with secure
> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
> >> entry would be present. If the shimx64.efi entry is not mentioned, then
> >> the docs would incorrectly imply that the system uses systemd-boot as a
> >> bootloader.
> >> 
> >> We add the shimx64.efi entry to the docs to fill this gap.
> >> 
> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
> >> ---
> >> [..]
> >>  
> > I'd rather phrase that as:
> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
> > boot is enabled. 
> > (It's not set in stone that grub is the only boot-loader that can be
> > loaded from a signed shim - at some point in the future we might have
> > systemd-boot in that list as well, and prefer that for new installs)
> >
> > alternatively we will need to rework the docs then anyways - so it's just
> > a suggestion - what do you think?  
> 
> Sounds good to me however, we do not explain which entry is the "active
> boot entry". Do I assume correctly it should be the one listed in
> 'BootCurrent'?
afaik - yes






* superseded: [PATCH docs] bootloaders: add secure boot shim example
  2026-07-02  9:16     ` Stoiko Ivanov
@ 2026-07-02  9:36       ` Maximiliano Sandoval
  0 siblings, 0 replies; 5+ messages in thread
From: Maximiliano Sandoval @ 2026-07-02  9:36 UTC (permalink / raw)
  To: Stoiko Ivanov; +Cc: pve-devel

Stoiko Ivanov <s.ivanov@proxmox.com> writes:

> On Thu, 02 Jul 2026 11:14:43 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
>> 
>> > Thanks for addressing this so quickly!
>> >
>> > On Thu,  2 Jul 2026 10:57:41 +0200
>> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>> >  
>> >> On a system that was migrated from systemd-boot to grub2 with secure
>> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> >> entry would be present. If the shimx64.efi entry is not mentioned, then
>> >> the docs would incorrectly imply that the system uses systemd-boot as a
>> >> bootloader.
>> >> 
>> >> We add the shimx64.efi entry to the docs to fill this gap.
>> >> 
>> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> >> ---
>> >> [..]
>> >>  
>> > I'd rather phrase that as:
>> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
>> > boot is enabled. 
>> > (It's not set in stone that grub is the only boot-loader that can be
>> > loaded from a signed shim - at some point in the future we might have
>> > systemd-boot in that list as well, and prefer that for new installs)
>> >
>> > alternatively we will need to rework the docs then anyways - so it's just
>> > a suggestion - what do you think?  
>> 
>> Sounds good to me however, we do not explain which entry is the "active
>> boot entry". Do I assume correctly it should be the one listed in
>> 'BootCurrent'?
> afaik - yes

It is probably clear enough in v2. I will not mention the BootCurrent
for now since the documentation claims twice that "if the following boot
entry exists then surely you are booting into it" already. This would
require a bigger rewrite anyways.

Superseded-by: https://lore.proxmox.com/all/20260702093215.84124-1-m.sandoval@proxmox.com/T/#u

-- 
Maximiliano
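
The thread's open question, which entry is the "active boot entry", can be answered mechanically by following BootCurrent instead of matching on any entry that exists. The script below is an added example, not part of the patch or the Proxmox docs; the function names are hypothetical and the sample output is constructed from the `efibootmgr -v` excerpt quoted above.

```shell
#!/bin/sh
# Added example: report the loader of the entry the firmware booted (BootCurrent),
# not of whichever entries merely exist in NVRAM.

# Constructed sample modelled on the `efibootmgr -v` output quoted in the thread;
# the BootCurrent/BootOrder lines and device paths are made up.
sample_output() {
    cat <<'EOF'
BootCurrent: 0002
Timeout: 0 seconds
BootOrder: 0002,0000
Boot0000* Linux Boot Manager	HD(2,GPT,1111)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0002* proxmox	HD(2,GPT,1111)/File(\EFI\proxmox\shimx64.efi)
EOF
}

# stdin: `efibootmgr -v` output. Prints the File(...) path of the BootCurrent
# entry; also accepts the wrapped form where File(...) is on the following line.
current_loader_path() {
    awk '
        /^BootCurrent:/ { cur = $2; next }
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ]/ { id = substr($0, 5, 4) }
        id != "" && !(id in path) && match($0, /File\([^)]*\)/) {
            path[id] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        END { if (cur in path) print path[cur]; else exit 1 }
    '
}

# Map a loader path to a label; ESP (FAT) paths are case-insensitive.
classify_loader() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *\\shimx64.efi)         echo "shim" ;;
        *\\grubx64.efi)         echo "grub" ;;
        *\\systemd-bootx64.efi) echo "systemd-boot" ;;
        *)                      echo "unknown" ;;
    esac
}

# stdin: `efibootmgr -v` output. Prints the label for the booted entry.
booted_loader() {
    classify_loader "$(current_loader_path)"
}

sample_output | booted_loader
```

On a live system the input would be `efibootmgr -v | booted_loader`; a leftover systemd-bootx64.efi entry no longer affects the answer unless BootCurrent points at it.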



