You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This was originally posted at linux-surface/linux-surface#1162 with reports that after upgrading the UEFI firmware to 394.651.768.0 it no longer able to boot any Linux system.
I recently upgraded to a (maybe) slightly newer firmware 394.779.368.0 and the issue still somewhat present. I used rEFInd + shim with locally generated keys (via rEFInd's --localkeys option).
Since PreLoader doesn't work with keys, you'll need to enrol the hashes of refind and any kernel images
What doesn't work
Booting directly to rEFInd with Secure Boot enabled. The binaries are silently rejected and it automatically boots to Windows instead.
This is normal behaviour when you're trying to execute unsigned EFI binaries
Booting via shim (Boot0006) with or without Secure Boot. Stuck at Microsoft logo
I should also mention that Ventoy worked perfectly even with shim + Secure Boot, so could be something with combination of refind + shim + firmware 394.779.368.0 wreaking havoc on things. Since booting directly to refind works, I don't have any reason to believe the issue is with refind.
Environment
Shim version: 15.6 (from AUR which in turn uses the Fedora binaries)
rEFInd version: 0.14.0.2
Hardware model: Surface Book 2 13"
Kernel version: 6.5.6-arch2-1-surface
Distribution: Arch Linux
The text was updated successfully, but these errors were encountered:
If the only change you did was upgrading your BIOS, then most likely it also updated the SecureBoot database files.
In that update they must have blacklisted the hashes/signatures that worked prior to your BIOS upgrade...
I suspect that this firmware update enabled NX at boot time. There are a couple of pieces of work underway to fully enable NX at boot time for Linux distros.
I don't know what, if any, fallback compatibility the firmware may implement, if it does, its behavior may change from boot to boot.
This was originally posted at linux-surface/linux-surface#1162 with reports that after upgrading the UEFI firmware to 394.651.768.0 it no longer able to boot any Linux system.
I recently upgraded to a (maybe) slightly newer firmware 394.779.368.0 and the issue still somewhat present. I used rEFInd + shim with locally generated keys (via rEFInd's
--localkeys
option).My
efibootmgr -v
output:What works
Boot0004
orBoot0005
of above output) with Secure Boot disabledBoot0008
) to replace shimWhat doesn't work
Boot0006
) with or without Secure Boot. Stuck at Microsoft logoI should also mention that Ventoy worked perfectly even with shim + Secure Boot, so could be something with combination of refind + shim + firmware 394.779.368.0 wreaking havoc on things. Since booting directly to refind works, I don't have any reason to believe the issue is with refind.
Environment
The text was updated successfully, but these errors were encountered: