GRUB update - symbol "grub_is_shim_lock_enabled" not found

cappuccino · 2023-07-06 19:14:59

After the update I can't boot anymore. The error I get is:

symbol grub is shim lock enabled not found

Until now I was updating GRUB as follows:

grub-install --target=x86_64-efi --bootloader-id=grub_uefi --efi-directory=/boot/EFI

grub-mkconfig -o /boot/grub/grub.cfg

but the error is still present. How can one fix this? Any help greatly appreciated.

Kernel: 6.2.8-arch-1
GRUB ver.: 2:2.06.r591
BIOS: secure boot disabled

V1del · 2023-07-06 22:38:09

https://bbs.archlinux.org/viewtopic.php?id=286617 ?

cappuccino · 2023-07-06 23:35:19

V1del wrote:

https://bbs.archlinux.org/viewtopic.php?id=286617 ?

Thanks for help.

My problem is different:

1. I don't use secure boot
2. My error is:

symbol grub is shim lock enabled not found

3. My GRUB version is r591 and it doesn't fix my issue

sailor-02 · 2023-07-07 10:45:28

cappuccino wrote:

After the update I can't boot anymore. The error I get is:
symbol grub is shim lock enabled not found

Check Boot order

efibootmgr

i guess you'l see smth like:

BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0001
Boot0000* HDD0: 21433469DBCA-Micron_2450_MTFDKBA256TFK  PciRoot(0x0)/Pci(0x6,0x0)/Pci(0x0,0x0)/NVMe(0x1,00-A0-75-01-34-69-DB-CA)/HD(1,GPT,c514e90f-e97c-45bf-9946-ebf4737217b6,0x800,0x200000)RC
Boot0001* arch  HD(1,GPT,c514e90f-e97c-45bf-9946-ebf4737217b6,0x800,0x200000)/File(\EFI\arch\grubx64.efi)

maybe without Boot0001.
so, in the case, you'd better do the next:

mv esp/EFI/BOOT/grubx64.efi esp/EFI/BOOT/BOOTX64.EFI

where esp denotes the mountpoint of the EFI system partition aka ESP.

mneiner · 2023-07-08 04:10:26

I had the exact same problem and I never use secure boot.
Have tried all the common solutions that seemed to work for some and not for others.
Downgraded grub and waiting for more to develop.

There is quite a large thread at https://forum.endeavouros.com/t/latest- … /31?page=4

archlinuxforever · 2023-07-09 08:53:44

After search on duckduckgo I found that deactivating Secure Boot solve the problem, but in theory I don't have SB installed (not sure, but I didn't find option to deactivate on BIOS).

[root@MyPC ~]# bootctl status
systemd-boot not installed in ESP.
No default/fallback boot loader installed in ESP.
System:
      Firmware: n/a (n/a)
 Firmware Arch: x64
   Secure Boot: disabled (disabled)
  TPM2 Support: yes
  Boot into FW: supported
...

[root@MyPC ~]# dmesg | grep -i secure
[    0.004227] Secure boot disabled
[    3.976069] Bluetooth: hci0: Secure boot is enabled
[root@MyPC ~]#

So, after more research I found this page to install rEFInd Boot Manager: https://wiki.archlinux.org/title/REFInd

I booted from another drive with Archlinux that boot after full system upgrade (I don't know why), mounted root device from drive that doesn't boot and executed:

[root@MyPC ~]# mount /dev/sda1 /mnt
[root@MyPC ~]# arch-chroot /mnt

Only run this two commands on drive that doesn't boot:

[root@MyPC /]# pacman -S refind
[root@MyPC /]# refind-install

And add line to file /boot/refind_linux.conf with same options that:

$ grep GRUB_CMDLINE_LINUX_DEFAULT= /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3"
$

like

"Boot sda1"              "root=/dev/sda1 rw loglevel=3"

Next boot rEFInd is default bootmanager, and selecting "Boot sda1" worked!

mneiner · 2023-07-11 05:26:59

Thanks for the info, I think I'm going to stick with grub for now.

I see a grub update making it's way through the testing repo.

I'll watch that update once it gets released for use.

I am not worried per se about bricking my system or being locked out.
I have a full disk image I can restore from and also have practiced
chroot to roll back if necessary.

I have never used Secure Boot by the way. It's disabled in my UEFI firmware.

I'm not sure why grub or my system cares at all about Shim signatures when Secure Boot isn't a factor.

I do boot UEFI though with CSM disabled.

solazs · 2023-07-11 17:56:20

mneiner wrote:

Thanks for the info, I think I'm going to stick with grub for now.
I see a grub update making it's way through the testing repo.
I'll watch that update once it gets released for use.
I am not worried per se about bricking my system or being locked out.
I have a full disk image I can restore from and also have practiced
chroot to roll back if necessary.
I have never used Secure Boot by the way. It's disabled in my UEFI firmware.
I'm not sure why grub or my system cares at all about Shim signatures when Secure Boot isn't a factor.
I do boot UEFI though with CSM disabled.

I'm in the same situation on an old HP notebook running my home automation.
Luckily I still had the old grub package, so I could downgrade, it works as a workaround for now.

mneiner · 2023-07-12 02:38:18

Well I gave grub 2:2.12rc1-1 a try and same thing right after the grub menu.

Loading Linux Linux ...
error: symbol 'grub is_shim_lock_enabled' not found.
Loading initial ramdisk
error: symbol 'grub_is_shim_lock_enabled' not found.
Press any key to continue....

Happens on fall back as well

I chrooted and downgraded to grub 2:2.06.r566
Everything works perfect now.

I do not use secure boot, it is disabled.
I do boot UEFI with CSM disabled.
I don't dual boot, Hard Drive is dedicated to Arch only with a dedicated ESP partion.

Also, the ARCHISO USB drive I use to boot live and do roll backs uses grub version grub-2:2.06.r591.
I recently made the USB drive.
Grub version 2:2.06.r591 is when my boot problems discussed above began with my main hard drive installation.

So there is some kind of weird incompatibility with my file system and installation and these recent grub updates.

I think I'll just continue on with r566 and try new updates as they come. If they don't work, I'll keep rolling back and some day in the future
when my ver r566 causes problems, I'll do a complete re installation of arch.

Last edited by mneiner (2023-07-12 04:45:42)

mneiner · 2023-07-13 23:16:04

Bug Report

https://savannah.gnu.org/bugs/?64406

archlinuxforever · 2023-07-16 05:59:56

Today I had the same problem with grub 2:2.12rc1-1 and I prefer my option (like linux and linux-lts. I had a problem booting linux a while ago and I installed linux-lts to try to boot from another kernel if it ever fails linux). So installing rEFInd is the same case: if I have a problem with grub, I just need to change the boot order from UEFI firmware to rEFInd and that's it.

mneiner · 2023-07-16 15:43:24

Thanks for info. I'm gonna keep working on grub vice switching to rEFInd.
And keeping an eye on the two bug reports out there. Maybe they will gain some traction as the grub updates make their way into more Distro's.

NixoS
https://github.com/NixOS/nixpkgs/issues/243026

GNu Grub
https://savannah.gnu.org/bugs/?64406

Jark5455 · 2023-07-20 14:08:56

Maybe try disabling the shim lock in your grub-install command? I believe the option is '--disable-shim-lock'

mneiner · 2023-07-20 14:46:10

--disable-shim-lock

It worked. Thanks for tip.

I'll update the comments I've made on the Bug Reports with the info.

Although it worked, it seems like a work around. But works for me..........

Thanks

Flex · 2023-07-22 13:26:14

Adding the `--disable-shim-lock` flag did not work for me.

This is what I did:
- Boot into live USB
- Mount root to /mnt, home to `/mnt/home`, and efi to `/mnt/efi`
- arch-chroot into /mnt
- `grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --disable-shim-lock`
- `grub-mkconfig -o /boot/grub/grub.cfg`

Downgrading to version 2.06.r566 is a valid workaround right now though.

mneiner · 2023-07-23 04:40:02

It's a devious bug to be sure...........I don't secure boot, nor do others who are impacted...............

What works for some, doesn't for others.

Although adding the --disable-shim-lock option to my install command worked this time, I have little confidence it will work for the next upgrade.

The bug reports are out there, hopefully they get some attention.

mneiner · 2023-07-28 01:13:23

While booted normally I did the following:

Used EFIBOOTMGR to remove the one boot entry I had for my existing installation.
Then did pacman -Rs grub to remove grub
Then removed both /boot/EFI and /boot/grub directories
Then reinstalled grub using pacman -S grub
Then performed normal grub-install and grub config commands per wiki.

I am now able to boot into my machine using the most recent grub with no issues.

Prior to this, I had three grubx64.efi files in my EFI directory on my ESP. Each one had a different path within /boot/EFI

This was due to me erroneously faltering around and choosing different paths during various grub-install commands, after routine grub updates, since last December when my system was built.
.
It finally caught up to me. I now only have one grubx64.efi file in my EFI folder .

It's path is /boot/EFI/GRUB/grubx64.efi.

MAYBL8 · 2023-07-29 23:15:41

What about those of us that dual boot with Windows.
What works for us.
What are the steps to be able to boot to grub when you get the shim error and the system crashes on boot.
I right now am running and not upgrading grub .
My version is :
grub 2:2.06.r499.ge67a551a4-2

Thanks

mneiner · 2023-07-30 01:45:16

I don't know.

The bug report over at GNu Grub https://savannah.gnu.org/bugs/?64406 was closed and marked as Invalid.

I did a complete reset of my grub installation and it solved my problem as discussed above.

I am still scratching my head as to why that solved my problem.

gcd0318 · 2023-07-30 16:00:41

mneiner wrote:

I don't know.
The bug report over at GNu Grub https://savannah.gnu.org/bugs/?64406 was closed and marked as Invalid.
I did a complete reset of my grub installation and it solved my problem as discussed above.
I am still scratching my head as to why that solved my problem.

I got exactly the same error after an upgrade today. So could you please recall what's the key step to fix it?

gcd0318 · 2023-07-30 16:42:17

Flex wrote:

Adding the `--disable-shim-lock` flag did not work for me.
This is what I did:
- Boot into live USB
- Mount root to /mnt, home to `/mnt/home`, and efi to `/mnt/efi`
- arch-chroot into /mnt
- `grub-install --target=x86_64-efi --efi-directory=/efi --bootloader-id=GRUB --disable-shim-lock`
- `grub-mkconfig -o /boot/grub/grub.cfg`
Downgrading to version 2.06.r566 is a valid workaround right now though.

not for me either
and I also cleaned all settings and reinstall grub (latest), but failed again
So I downgrade to earlier version, and everything goes well now
It's surely a bug, I believe

Last edited by gcd0318 (2023-07-30 16:42:48)

mneiner · 2023-08-02 04:55:31

How many grubx64.efi files do you have in the EFI directory of your ESP?

I assume your esp is mounted to /boot in your /etc/fstab

Regardless, based on my conversations with those in Arch and elsewhere, your UEFI may not do well with multiple grubx64.efi files in your EFI directory.

Not sure what you mean by "clean" settings. What command did you use to "clean" the settings?

What I did was a complete removal....not just a pacman removal.....i did the pacman removal command and then deleted the grub and EFI directories in my esp using rm -r.

Then did a brand new grub install.

I was comfortable doing that since I had a known bootable and functional hard drive image I could use to restore if need be. Plus I don't dual boot or secure boot.

gcd0318 · 2023-08-04 14:35:07

mneiner wrote:

How many grubx64.efi files do you have in the EFI directory of your ESP?
I assume your esp is mounted to /boot in your /etc/fstab
Regardless, based on my conversations with those in Arch and elsewhere, your UEFI may not do well with multiple grubx64.efi files in your EFI directory.
Not sure what you mean by "clean" settings. What command did you use to "clean" the settings?
What I did was a complete removal....not just a pacman removal.....i did the pacman removal command and then deleted the grub and EFI directories in my esp using rm -r.
Then did a brand new grub install.
I was comfortable doing that since I had a known bootable and functional hard drive image I could use to restore if need be. Plus I don't dual boot or secure boot.

There is always only one .efi in my boot partition, and I also tried uninstall grub, remove /boot/grub, and then install latest grub, and setup, but this error always there.
Now I'm using an older grub, which is installed from my pacman cache.

Flex · 2023-08-14 14:41:31

mneiner wrote:

How many grubx64.efi files do you have in the EFI directory of your ESP?
I assume your esp is mounted to /boot in your /etc/fstab
Regardless, based on my conversations with those in Arch and elsewhere, your UEFI may not do well with multiple grubx64.efi files in your EFI directory.
Not sure what you mean by "clean" settings. What command did you use to "clean" the settings?
What I did was a complete removal....not just a pacman removal.....i did the pacman removal command and then deleted the grub and EFI directories in my esp using rm -r.
Then did a brand new grub install.
I was comfortable doing that since I had a known bootable and functional hard drive image I could use to restore if need be. Plus I don't dual boot or secure boot.

Only one grubx64.efi in ESP:

 ~ $ tree /efi
/efi
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFIt
│   └── GRUB
│       └── grubx64.efi
└── System Volume Information

ESP is mounted to /efi in fstab, not /boot. I have an encrypted boot folder, possibly that is throwing a spanner in the works?

Also look at this from the arch wiki:
https://wiki.archlinux.org/title/GRUB#Shim-lock

Specifically:

Since GRUB version 2.06.r261.g2f4430cc0, loading modules in Secure Boot Mode via insmod is no longer allowed, as this would violate the expectation to not sideload arbitrary code. If the GRUB modules are not embedded in the EFI binary, and GRUB tries to sideload/insmod them, GRUB will fail to boot with the message:
error: prohibited by secure boot policy

Different error message but I'm guessing this is the step that is breaking for us. I don't have time right now but I'll dive into it later to see if I can spot anything relevant to my configuration.

BenSYZ · 2023-09-14 12:40:12

Same problem occurred. (I didn't upgrade my system from June.) Finally I can boot into my system, but I don't know what's the solution. I can tell what I've done:

1. unlock my boot order lock in bios.
2. remove all grub entries related to my arch.
3. reinstall grub package.
4. reinstall grub and regenerate grub config.

Then all went well. As said before I cannot figure out which one is the real solution. But what I can say is that without the first three steps, the fourth step alone is useless. By the way, my esp partition is still mounted at /boot.

Arch Linux

#1 2023-07-06 19:14:59

GRUB update - symbol "grub_is_shim_lock_enabled" not found

#2 2023-07-06 22:38:09

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#3 2023-07-06 23:35:19

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#4 2023-07-07 10:45:28

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#5 2023-07-08 04:10:26

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#6 2023-07-09 08:53:44

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#7 2023-07-11 05:26:59

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#8 2023-07-11 17:56:20

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#9 2023-07-12 02:38:18

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#10 2023-07-13 23:16:04

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#11 2023-07-16 05:59:56

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#12 2023-07-16 15:43:24

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#13 2023-07-20 14:08:56

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#14 2023-07-20 14:46:10

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#15 2023-07-22 13:26:14

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#16 2023-07-23 04:40:02

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#17 2023-07-28 01:13:23

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#18 2023-07-29 23:15:41

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#19 2023-07-30 01:45:16

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#20 2023-07-30 16:00:41

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#21 2023-07-30 16:42:17

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#22 2023-08-02 04:55:31

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#23 2023-08-04 14:35:07

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#24 2023-08-14 14:41:31

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

#25 2023-09-14 12:40:12

Re: GRUB update - symbol "grub_is_shim_lock_enabled" not found

Board footer