Proxmox Virtual Environment 8.1 is out, and it now allows the host system to boot with Secure Boot properly enabled. "That's great!" I thought, logged into the management UI of my PVE host, and upgraded a node from 8.0 to 8.1; the VMs and containers all seemed to be working fine as usual.
According to the release notes, an existing PVE installation can be easily switched to secure boot. I followed the documentation, which states I need the following packages installed to enable secure boot:
- shim-signed (shim bootloader signed by Microsoft)
- shim-helpers-amd64-signed (fallback bootloader and MOKManager, signed by Proxmox)
- grub-efi-amd64-signed (Grub EFI bootloader, signed by Proxmox)
- proxmox-kernel-6.X.Y-Z-pve-signed (Kernel image, signed by Proxmox)
So I ran apt install to get the first three installed. Some of the packages seemed to be installed already, but I didn't pay much attention to which ones, as there were no error messages. As for proxmox-kernel-6.X.Y-Z-pve-signed, a proxmox-kernel-6.5.11-4-pve-signed was already installed. (My PVE node does not use systemd-boot, so that section of the documentation doesn't apply.)
Then I restarted the host machine, entered the BIOS setup, and turned on the Secure Boot setting. Guess what, it didn't work. The UEFI firmware complained about a disallowed signature. Okay... I disabled Secure Boot to get back into PVE, ran efibootmgr -v, and saw this:
```
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* proxmox HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)/File(\EFI\proxmox\grubx64.efi)
Boot0001 UEFI OS HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
```
That explains why it didn't work: grubx64.efi is still the bootloader. It should be the Microsoft-signed shimx64.efi.
Hmmm... Before trying anything complicated, I decided to just re-install the listed packages:
```sh
apt remove shim-signed shim-helpers-amd64-signed grub-efi-amd64-signed
```
And then:
```sh
apt install shim-signed shim-helpers-amd64-signed grub-efi-amd64-signed
```
This time I paid attention to the output and saw this:
```
Setting up grub-efi-amd64-signed (1+2.06+13+pmx1) ...
Setting up shim-helpers-amd64-signed (1+15.7+1+pmx1) ...
Installing for x86_64-efi platform.
Setting up shim-signed:amd64 (1.39+pmx1+15.7-1+pmx1) ...
Installing for x86_64-efi platform.
```
That's a good sign, but I needed to verify it before trying to enable Secure Boot again:
```sh
efibootmgr -v
```
The output:
```
BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* proxmox HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)/File(\EFI\proxmox\shimx64.efi)
Boot0001 UEFI OS HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
```
Good, now shimx64.efi is there. Reboot, set Secure Boot to Enable, OS Type to Others (the default is Windows 10), Mode to Standard, save and exit. Voilà! Secure Boot is working on this PVE 8.1 node.
In summary, if you try to enable Secure Boot on your PVE 8.1 host, make sure shimx64.efi is the bootloader. If it is not, try re-installing the three packages above. Good luck!
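As an added example (not from the post and not Proxmox's own tooling), here is a small POSIX shell script that automates the check the summary recommends: it parses `efibootmgr -v` output to find which loader the BootCurrent entry points at, reports whether that loader is shimx64.efi, and reads the firmware's SecureBoot variable from efivarfs to confirm the state after the reboot. The sample output is constructed from the entries shown above; the function names are my own, and the live check only runs where efibootmgr and efivarfs are actually present.

```shell
#!/bin/sh
# Added example: verify that the BootCurrent UEFI entry hands control to the
# Microsoft-signed shim (shimx64.efi) and read the firmware SecureBoot state.

# Constructed sample, modelled on the post's efibootmgr -v output before the fix.
SAMPLE_BEFORE='BootCurrent: 0000
Timeout: 1 seconds
BootOrder: 0000,0001
Boot0000* proxmox HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)/File(\EFI\proxmox\grubx64.efi)
Boot0001  UEFI OS HD(2,GPT,ec7dcdc8-450e-4b1e-be89-f024fb9a25eb,0x800,0x200000)/File(\EFI\BOOT\BOOTX64.EFI)..BO'

# Same layout after the package reinstall, when the entry points at shim.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/grubx64\.efi/shimx64.efi/')

# current_loader OUTPUT: print the File(...) path of the BootCurrent entry.
current_loader() {
    cur=$(printf '%s\n' "$1" | sed -n 's/^BootCurrent: *//p')
    [ -n "$cur" ] || return 1
    # Match "BootNNNN" or "BootNNNN*" (active flag), then pull the File() path.
    printf '%s\n' "$1" | sed -n "s/^Boot${cur}\*\{0,1\} .*File(\(.*\)).*/\1/p"
}

# loader_basename PATH: reduce a backslash-separated EFI path to its file name.
loader_basename() {
    printf '%s\n' "$1" | sed 's/.*\\//'
}

# shim_check OUTPUT: 0 if BootCurrent loads shimx64.efi, 1 otherwise.
shim_check() {
    loader=$(current_loader "$1") || { echo "WARN: no BootCurrent in output"; return 1; }
    [ -n "$loader" ] || { echo "WARN: could not parse the BootCurrent entry"; return 1; }
    name=$(loader_basename "$loader")
    if [ "$name" = "shimx64.efi" ]; then
        echo "OK: BootCurrent loads $loader (Microsoft-signed shim)"
        return 0
    fi
    echo "WARN: BootCurrent loads $loader, not shimx64.efi; the firmware rejected this in the post"
    return 1
}

# secure_boot_state FILE: FILE is the SecureBoot-<guid> entry in efivarfs.
# The first 4 bytes are variable attributes; the 5th byte is 1 when Secure
# Boot is enforced. Prints "enabled", "disabled" or "unknown".
secure_boot_state() {
    [ -r "$1" ] || { echo unknown; return 2; }
    byte=$(od -An -tu1 -j4 -N1 "$1" | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 2 ;;
    esac
}

# live_check: run both checks against the real host when the tools exist.
# The GUID is the standard EFI global variable namespace used for SecureBoot.
live_check() {
    command -v efibootmgr >/dev/null 2>&1 || { echo "efibootmgr not found"; return 2; }
    shim_check "$(efibootmgr -v)"
    echo "SecureBoot: $(secure_boot_state /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c)"
}

# Demonstrate on the constructed samples: the first warns, the second passes.
shim_check "$SAMPLE_BEFORE" || true
shim_check "$SAMPLE_AFTER"
```

Run `live_check` on the node after `apt install` and again after the reboot: before the reinstall it should warn about grubx64.efi, after it should report shimx64.efi, and once Secure Boot is switched on in the firmware the second line should read `SecureBoot: enabled`.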