[SOLVED] Nuked UEFI, got Linux Boot Manager back, need Ventoy to boot

chastell · 2024-10-28 04:07:36

[SOLUTION] It was Secure Boot all along.

Hi, long-time Linux user, first-time systemd-boot user here.

What I did

I have a ThinkPad X1 Extreme 2nd Gen, installed Arch earlier this month, like it very much and wiped UEFI from BIOS to get rid of that lingering Manjaro entry (I know, I know).

Booted from the ISO image, mounted root, chrooted, mounted /boot, ran `bootctl install`.

What’s wrong

I can see the Linux Boot Manager entry in the BIOS’s boot menu, but choosing it makes the screen flick and return to the boot menu.

What works

I can boot Ventoy, use F4 to Search and boot BOOTX64.EFI, that does get me to the systemd-boot’s screen which the default Arch Linux (linux), Arch Linux (linux-lts), etc. entries, and that boots properly.

Question

How can I debug why the Linux Boot Manager UEFI entry does not work, so that I can boot without Ventoy again?

State

The below is after finding the BOOTX64.EFI via Ventoy; booting ISO and chrooting shows a red dot next to Boot loader sets ESP information.

❯ bootctl
System:
      Firmware: UEFI 2.60 (Lenovo 0.4131)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 256.7-1-arch
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Boot loader sets ESP information
          ESP: /dev/disk/by-partuuid/2d96b6dd-eaa8-407c-ae8c-2cb9166c809e
         File: └─/efi/boot/bootx64.efi

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/2d96b6dd-eaa8-407c-ae8c-2cb9166c809e)
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 256.7-1-arch)
               └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 256.7-1-arch)

Boot Loaders Listed in EFI Variables:
        Title: Linux Boot Manager
           ID: 0x0000
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/2d96b6dd-eaa8-407c-ae8c-2cb9166c809e
         File: └─/EFI/systemd/systemd-bootx64.efi

Boot Loader Entries:
        $BOOT: /boot (/dev/disk/by-partuuid/2d96b6dd-eaa8-407c-ae8c-2cb9166c809e)
        token: arch

Default Boot Loader Entry:
         type: Boot Loader Specification Type #1 (.conf)
        title: Arch Linux (linux)
           id: 2024-10-19_20-17-23_linux.conf
       source: /boot//loader/entries/2024-10-19_20-17-23_linux.conf
        linux: /boot//vmlinuz-linux
       initrd: /boot//initramfs-linux.img
      options: root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

❯ bootctl list
         type: Boot Loader Specification Type #1 (.conf)
        title: Arch Linux (linux) (default)
           id: 2024-10-19_20-17-23_linux.conf
       source: /boot//loader/entries/2024-10-19_20-17-23_linux.conf
        linux: /boot//vmlinuz-linux
       initrd: /boot//initramfs-linux.img
      options: root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

         type: Boot Loader Specification Type #1 (.conf)
        title: Arch Linux (linux-lts) (selected)
           id: 2024-10-19_20-17-23_linux-lts.conf
       source: /boot//loader/entries/2024-10-19_20-17-23_linux-lts.conf
        linux: /boot//vmlinuz-linux-lts
       initrd: /boot//initramfs-linux-lts.img
      options: root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

         type: Boot Loader Specification Type #1 (.conf)
        title: Arch Linux (linux-lts-fallback)
           id: 2024-10-19_20-17-23_linux-lts-fallback.conf
       source: /boot//loader/entries/2024-10-19_20-17-23_linux-lts-fallback.conf
        linux: /boot//vmlinuz-linux-lts
       initrd: /boot//initramfs-linux-lts-fallback.img
      options: root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

         type: Boot Loader Specification Type #1 (.conf)
        title: Arch Linux (linux-fallback)
           id: 2024-10-19_20-17-23_linux-fallback.conf
       source: /boot//loader/entries/2024-10-19_20-17-23_linux-fallback.conf
        linux: /boot//vmlinuz-linux
       initrd: /boot//initramfs-linux-fallback.img
      options: root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

         type: Automatic
        title: Reboot Into Firmware Interface
           id: auto-reboot-to-firmware-setup
       source: /sys/firmware/efi/efivars/LoaderEntries-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f

❯ lsblk
NAME               MAJ:MIN RM  SIZE RO TYPE  MOUNTPOINTS
sda                  8:0    1 28.9G  0 disk
├─sda1               8:1    1 28.8G  0 part  /run/media/chastell/Ventoy
└─sda2               8:2    1   32M  0 part
zram0              253:0    0    4G  0 disk  [SWAP]
nvme0n1            259:0    0  1.8T  0 disk
├─nvme0n1p1        259:1    0    1G  0 part  /boot
├─nvme0n1p2        259:2    0   50G  0 part  /
└─nvme0n1p3        259:3    0  1.8T  0 part
  └─ainstnvme0n1p3 254:0    0  1.8T  0 crypt /home

❯ sudo fdisk -l /dev/nvme0n1
Disk /dev/nvme0n1: 1.82 TiB, 2000398934016 bytes, 3907029168 sectors
Disk model: Samsung SSD 970 EVO Plus 2TB
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 857EA8B3-A478-4E70-BA2E-61FC63E04B23

Device             Start        End    Sectors  Size Type
/dev/nvme0n1p1      2048    2099199    2097152    1G EFI System
/dev/nvme0n1p2   2099200  106956799  104857600   50G Linux root (x86-64)
/dev/nvme0n1p3 106956800 3907027119 3800070320  1.8T Linux filesystem

❯ blkid
/dev/nvme0n1p3: UUID="c6fec2e4-0ba9-4906-a14e-1c3e62ef41ef" TYPE="crypto_LUKS" PARTUUID="b857b6b8-3b03-47bb-9789-a176d1e7c356"
/dev/nvme0n1p1: UUID="3A96-90C4" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="2d96b6dd-eaa8-407c-ae8c-2cb9166c809e"
/dev/nvme0n1p2: UUID="3acf9bd0-2270-493d-90cf-5da0a52476b5" BLOCK_SIZE="4096" TYPE="ext4" PARTUUID="06b4aad8-39d9-4dca-9673-de7e32d6b4f4"

❯ tree /boot
/boot
├── EFI
│   ├── BOOT
│   │   └── BOOTX64.EFI
│   ├── Linux
│   └── systemd
│       └── systemd-bootx64.efi
├── initramfs-linux-fallback.img
├── initramfs-linux.img
├── initramfs-linux-lts-fallback.img
├── initramfs-linux-lts.img
├── intel-ucode.img
├── loader
│   ├── entries
│   │   ├── 2024-10-19_20-17-23_linux.conf
│   │   ├── 2024-10-19_20-17-23_linux-fallback.conf
│   │   ├── 2024-10-19_20-17-23_linux-lts.conf
│   │   └── 2024-10-19_20-17-23_linux-lts-fallback.conf
│   ├── entries.srel
│   ├── loader.conf
│   └── random-seed
├── vmlinuz-linux
└── vmlinuz-linux-lts

❯ bat --style header /boot/loader/loader.conf /boot/loader/entries/*
File: /boot/loader/loader.conf
timeout 3
#console-mode keep

File: /boot/loader/entries/2024-10-19_20-17-23_linux-fallback.conf
# Created by: archinstall
# Created on: 2024-10-19_20-17-23
title   Arch Linux (linux-fallback)
linux   /vmlinuz-linux
initrd  /initramfs-linux-fallback.img
options root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

File: /boot/loader/entries/2024-10-19_20-17-23_linux-lts-fallback.conf
# Created by: archinstall
# Created on: 2024-10-19_20-17-23
title   Arch Linux (linux-lts-fallback)
linux   /vmlinuz-linux-lts
initrd  /initramfs-linux-lts-fallback.img
options root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

File: /boot/loader/entries/2024-10-19_20-17-23_linux-lts.conf
# Created by: archinstall
# Created on: 2024-10-19_20-17-23
title   Arch Linux (linux-lts)
linux   /vmlinuz-linux-lts
initrd  /initramfs-linux-lts.img
options root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

File: /boot/loader/entries/2024-10-19_20-17-23_linux.conf
# Created by: archinstall
# Created on: 2024-10-19_20-17-23
title   Arch Linux (linux)
linux   /vmlinuz-linux
initrd  /initramfs-linux.img
options root=PARTUUID=06b4aad8-39d9-4dca-9673-de7e32d6b4f4 zswap.enabled=0 rw rootfstype=ext4

Last edited by chastell (2024-10-30 08:49:22)

cryptearth · 2024-10-28 14:42:05

chastell wrote:

What I did
wiped UEFI from BIOS to get rid of that lingering Manjaro entry

you did what?
as your boot entry looks good when in doubt remove it and see if the fallback path works (you can use efibootmgr to do this)

chastell · 2024-10-29 05:15:53

cryptearth wrote:

chastell wrote:
What I did
wiped UEFI from BIOS to get rid of that lingering Manjaro entry
you did what?

I reset the boot order to default in BIOS, which got rid of the custom UEFI entries (like Manjaro or Linux Boot Manager).

cryptearth wrote:

as your boot entry looks good when in doubt remove it and see if the fallback path works (you can use efibootmgr to do this)

Hmmm, I don’t understand, sorry. What would be the fallback path?

When I boot the only things I can try are Linux Boot Manager (which loops back to the menu when chosen) and Ventoy (if I have the USB plugged in, which works and then can find the local efi file and boot).

❯ efibootmgr --unicode
BootCurrent: 001F
Timeout: 0 seconds
BootOrder: 0000,0010,0011,0012,0013,0014,0015,0019,001A,001B,001C,001D,001E,001F,0020,0021,0022,0023,0024
Boot0000* Linux Boot Manager	HD(1,GPT,2d96b6dd-eaa8-407c-ae8c-2cb9166c809e,0x800,0x200000)/\EFI\systemd\systemd-bootx64.efi
Boot0010  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0011  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0012  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0013  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0014  Regulatory Information	FvFile(478c92a0-2622-42b7-a65d-5894169e4d24)
Boot0015  ThinkShield secure wipe	FvFile(3593a0d5-bd52-43a0-808e-cbff5ece2477)
Boot0016  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0017  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0018  MEBx Hot Key	FvFile(ac6fd56a-3d41-4efd-a1b9-870293811a28)
Boot0019* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot001A* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot001B* NVMe0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a400)
Boot001C* NVMe1	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,001c199932d94c4eae9aa0b6e98eb8a401)
Boot001D* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f601)
Boot001E* ATA HDD1	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f602)
Boot001F* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot0020* PXE BOOT	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot0021* HTTPS BOOT	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri()
Boot0022* LENOVO CLOUD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,ad38ccbbf7edf04d959cf42aa74d3650)/Uri(https://download.lenovo.com/pccbbs/cdeploy/efi/boot.efi)
Boot0023  Other CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a35406)
Boot0024  Other HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f606)
Boot0025* IDER BOOT CDROM	PciRoot(0x0)/Pci(0x14,0x0)/USB(15,1)
Boot0026* IDER BOOT Floppy	PciRoot(0x0)/Pci(0x14,0x0)/USB(15,0)
Boot0027* ATA HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f6)
Boot0028* ATAPI CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,aea2090adfde214e8b3a5e471856a354)

cryptearth · 2024-10-29 13:04:08

the fallback path is <ESP>/EFI/BOOT/BOOTX64.EFI - just as on the ventoy thumbdrive
we had a recent thread where a acer laptop had some issue with systemd-boot - which OP was able to solve by deleting its boot entry

efibootmgr -b 0 -B

to clear systemd-boot - then the bios should pick up the fallback at EFI/BOOT/BOOTX64.EFI and boot anyway

what sounds off is that even you can diretly select the boot entry it kicks you back to uefi - which hints to some error of systemd-boot - could be the copy in fallback could have the same issue
I don't know which bootloader ventoy uses - but it's likely grub - so you could try if you can boot your system using grub instead of systemd-boot
the problem here seems a bad implementation of the uefi - likely designed and tested with windows only - and it just breaks because of the systemd-boot entry
btw - do you have secure boot disabled? how about CSM?

chastell · 2024-10-30 08:48:20

cryptearth wrote:

even you can diretly select the boot entry it kicks you back to uefi - which hints to some error of systemd-boot - could be the copy in fallback could have the same issue

Yup, they were identical files.

cryptearth wrote:

I don't know which bootloader ventoy uses - but it's likely grub - so you could try if you can boot your system using grub instead of systemd-boot

Too ambitious to go back to GRUB, I’m even sticking with Wayland for the time being.

cryptearth wrote:

btw - do you have secure boot disabled?

Oh. My. God. I swear I had it disabled, but apparently I reset all of BIOS to the defaults, not just UEFI.

Apologies for wasting your time but extremely grateful for pointing me to the solution!

cryptearth · 2024-10-30 12:01:46

hm, strange - this somewhat confirms my idea that the uefi was tested with windows only - as usually when the verification fails there should be a message instead of just kicking you back
but on the other side: it's common for secureboot get re-enabled when bios defaults get loaded
anyway - glad to hear you were able to fix it

kermit63 · 2024-10-31 07:23:33

I'm from a country where thunderstorms / lightning / power fluctuations are common. In one such occurrence, my UEFI settings got reset to defaults, including secure boot, so it may not be due to something you explicitly did. Heck, even my router was reset.

Arch Linux

#1 2024-10-28 04:07:36