From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>
Cc: pve-devel@lists.proxmox.com
Subject: superseded: [PATCH docs] bootloaders: add secure boot shim example
Date: Thu, 02 Jul 2026 11:36:25 +0200 [thread overview]
Message-ID: <s8ocxx57mxy.fsf@toolbox> (raw)
In-Reply-To: <20260702111617.5e25fc5d@rosa.proxmox.com> (Stoiko Ivanov's message of "Thu, 2 Jul 2026 11:16:17 +0200")
Stoiko Ivanov <s.ivanov@proxmox.com> writes:
> On Thu, 02 Jul 2026 11:14:43 +0200
> Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>
>> Stoiko Ivanov <s.ivanov@proxmox.com> writes:
>>
>> > Thanks for addressing this so quickly!
>> >
>> > On Thu, 2 Jul 2026 10:57:41 +0200
>> > Maximiliano Sandoval <m.sandoval@proxmox.com> wrote:
>> >
>> >> On a system that was migrated from systemd-boot to grub2 with secure
>> >> boot, the entry grubx64.efi would be missing and the systemd-bootx64.efi
>> >> entry would be present. If the shimx64.efi entry is not mentioned, then
>> >> the docs would incorrectly imply that the system uses systemd-boot as a
>> >> bootloader.
>> >>
>> >> We add the shimx64.efi entry to the docs to fill this gap.
>> >>
>> >> Suggested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
>> >> Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
>> >> ---
>> >> [..]
>> >>
>> > I'd rather phrase that as:
>> > If the active boot entry points to `\EFI\proxmox\shimx64.efi`, then secure
>> > boot is enabled.
>> > (It's not set in stone that grub is the only boot-loader that can be
>> > loaded from a signed shim - at some point in the future we might have
>> > systemd-boot in that list as well, and prefer that for new installs)
>> >
>> > alternatively we will need to rework the docs then anyways - so it's just
>> > a suggestion - what do you think?
>>
>> Sounds good to me however, we do not explain which entry is the "active
>> boot entry". Do I assume correctly it should be the one listed in
>> 'BootCurrent'?
> afaik - yes
It is probably clear enough in v2. I will not mention the BootCurrent
for now since the documentation claims twice that "if the following boot
entry exists then surely you are booting into it" already. This would
require a bigger rewrite anyways.
Superseded-by: https://lore.proxmox.com/all/20260702093215.84124-1-m.sandoval@proxmox.com/T/#u
--
Maximiliano
prev parent reply other threads:[~2026-07-02 9:36 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-02 8:57 [PATCH docs] bootloaders: add secure boot shim example Maximiliano Sandoval
2026-07-02 9:11 ` Stoiko Ivanov
2026-07-02 9:14 ` Maximiliano Sandoval
2026-07-02 9:16 ` Stoiko Ivanov
2026-07-02 9:36 ` Maximiliano Sandoval [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=s8ocxx57mxy.fsf@toolbox \
--to=m.sandoval@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
--cc=s.ivanov@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox