UEFI GRUB2 enforces NX even with a non-NX shim

Status changed to 'Confirmed' because the bug affects multiple users.

Hi,
as requested in the comments in https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/2078307 I enabled secure boot: Even when enabled Windows wont still boot from GRUB and stills says "cannot load image".

Even worse: With secure boot enabled GRUB starts in 640x480 mode and gdm3 also ends up in 640x480, after logging in into Ubuntu the screen stays black. Without secure boot the system runs fine. Thats really odd.

That sounds even more interesting, can you try set debug=peimage with SB enabled as well?

The current shim you have installed should be telling GRUB to not enforce NX, and that was tested to work with SB enabled at least, so I am bit perplexed what's going on here.

I think the graphics problem is likely your video driver not being SB signed.

Text updated/corrected.
Hello, I probably have a similar or the same problem.

ad GPU vs EFI
If I turn on UEFI boot, the screen is reduced from fullscreen on monitor to a window on the monitor in BIOS and Grub. But I don't mind. This is probably how it works with the GPU, GOP driver and BIOS.

Furthermore, I have the correct or the same resolution as normal.

I tried the variant with a secure boot ON.

Clean reset.
Windows with debug peimage:
booting a command list

loader/efi/peimage.c:210:peimage NX policy violation
error: cannot load image.

press any key to continue...

If I try to boot the Linux kernel from Grub right after the Windows boot fails, I get a message:
booting a command list
error: first load a kernel

or
loader/efi/peimage.c:829:peimage:
error: cannot load multiple images

If I reboot again and try to boot from Grub Ubuntu, it works of course.

I wrote something about my case here. It's just messy.

https://www.reddit.com/r/Ubuntu/comments/1fz1t4z/grub_212_in_oracular_is_unable_to_boot_windows/

It looks like something is stopping GRUB from recognizing the MokPolicy variable exported by shim on these machines, and in turn it decides to enforce NX despite shim telling it not to.

Here is the GRUB debug output with sb on.

I've also found a machine I own that reproduces this... Looking into the root cause currently

I can confirm this behavior. I'm on an ASUS B450 I AORUS PRO WIFI.

According to inxi I'm on F63b (I know, I know...but it has been rock stable)

Please let me know how I can help (logfiles, screenshots).

Sorry for my unprofessional appearance - I'm fairly new to this.

I believe that I am also seeing this bug. I upgraded to 24.10 and spent a bunch of time troubleshooting with no success, and eventually downgraded back to 24.04. I'm currently going back to 24.10, and can produce log files or other information if it would be helpful.

Impacted hardware is a ~2018-vintage Thinkpad X1 with EFI and secure boot.

I am also fairly new to bug reports so please let me know if I can provide useful info. Thanks!

Hi Ryan,

Thanks for confirming.

I now believe this affects every UEFI machine dual booting Windows 10 and Ubuntu 24.10:

  1. You can boot into Ubuntu from GRUB if you don't unsuccessfully attempt to boot Windows first
  2. Windows will fail to boot from GRUB (as a workaround you can boot it from the firmware boot menu)
  3. After an unsuccessful attempt to load Windows, nothing will boot from GRUB until restarting GRUB

The fix is prepared, and it will be released as soon as processes allow.

Mate

Hello Mate, or anyone else affected,

Accepted grub2-unsigned into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-unsigned/2.12-5ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mate, or anyone else affected,

Accepted grub2-signed into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2-signed/1.209.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello Mate, or anyone else affected,

Accepted grub2 into oracular-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/grub2/2.12-5ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-oracular to verification-done-oracular. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-oracular. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello,

the latest packages from oracular-proposed fix the issue for me. Test plan steps 1.-8. pass.

Package details:

* grub-efi-amd64, 2.12-5ubuntu5.1
* grub-efi-amd64-bin, 2.12-5ubuntu5.1
* grub-efi-amd64-signed, 1.209.1+2.12-5ubuntu5.1
* grub-efi-amd64-unsigned, 2.12-5ubuntu5.1

Used for testing: ASUS PRIME Z690-A UEFI BIOS with the following Secure Boot settings.

* OS Type: Windows UEFI Mode
* Secure Boot Mode: Standard

Hello,
all steps succesfully done but in step 7 im succesfully booting Windows.

'update-grub' not needed in step 6?

My updated packages:
grub-common  grub-efi-amd64-bin  grub-efi-amd64-signed  grub-efi-amd64-unsigned  grub-pc  grub-pc-bin  grub2-common

Used for testing: mobo 2012 (BIOS 2013)

OS Type: Windows 10 UEFI Mode
Secure Boot Mode: Enabled

Hey folks,

I installed the same sets of packages as Tobias, and the bug also appears to be fixed for me. Test plan steps 1-8 ran as expected and passed.

Package details:

Package: grub-efi-amd64
Architecture: amd64
Version: 2.12-5ubuntu5.1

Package: grub-efi-amd64-bin
Architecture: amd64
Version: 2.12-5ubuntu5.1

Package: grub-efi-amd64-signed
Architecture: amd64
Version: 1.209+2.12-5ubuntu5.1

Package: grub-efi-amd64-unsigned
Architecture: amd64
Version: 2.12-5ubuntu5.1

Used for testing: Lenovo Thinkpad X1C (6th Gen)

OS Type: Windows 10 UEFI Mode
Secure Boot Mode: Enabled

Thanks!

@ubuntu-sru Verified in a clean Windows 10 + Oracular dual boot VM, but also see previous verifications on real hw above.

All autopkgtests for the newly accepted grub2-unsigned (2.12-5ubuntu5.1) for oracular have finished running.
The following regressions have been reported in tests triggered by the package:

ubuntu-boot-test/4 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/oracular/update_excuses.html#grub2-unsigned

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

This bug was fixed in the package grub2-unsigned - 2.12-5ubuntu5.1

---------------
grub2-unsigned (2.12-5ubuntu5.1) oracular; urgency=medium

  * riscv: use time register in grub_efi_get_time_ms() (LP: #2076651)
  * Defer NX policy enforcement to shim (LP: #2084104)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Fri, 11 Oct 2024 10:03:49 +0100

This bug was fixed in the package grub2-signed - 1.209.1

---------------
grub2-signed (1.209.1) oracular; urgency=medium

  * Rebuild against grub2 2.12-5ubuntu5.1 (LP: #2076651) (LP: #2084104)

 -- Mate Kukri <email address hidden> Fri, 11 Oct 2024 11:30:58 +0100

This bug was fixed in the package grub2 - 2.12-5ubuntu5.1

---------------
grub2 (2.12-5ubuntu5.1) oracular; urgency=medium

  * riscv: use time register in grub_efi_get_time_ms() (LP: #2076651)
  * Defer NX policy enforcement to shim (LP: #2084104)

 -- Mate Kukri <email address hidden> Fri, 11 Oct 2024 10:03:49 +0100

How can I install the bugfix now as I have to boot into Windows again for my work.
Any help would be appreciated.

@bjmi See comment #13 for how to test a proposed package.

It will also be available as a regular update in Oracular once the SRU team has approved its migration to oracular-updates.

If you don't want to install the proposed package, you should also be able to boot Windows from your firmware boot menu in the meantime.

easy way
direct boot from UEFI menu
example:
efibootmgr -c -L "Windows 10" -l '\EFI\Microsoft\boot\bootmgfw.efi'

hard way
a) apt install -t oracular-proposed grub-common  grub-efi-amd64-bin  grub-efi-amd64-signed  grub-efi-amd64-unsigned  grub-pc  grub-pc-bin  grub2-common

b)or full update all packages from proposed.

and back way from A:
apt install grub-common=2.12-5ubuntu5 grub-efi-amd64-bin=2.12-5ubuntu5 grub-efi-amd64-signed=1.209+2.12-5ubuntu5 grub-efi-amd64-unsigned=2.12-5ubuntu5 grub-pc=2.12-5ubuntu5 grub-pc-bin=2.12-5ubuntu5 grub2-common=2.12-5ubuntu5

The fix worked for me (on an Asus B650E-E mainboard), after enabling proposed updates I updated the packages using

sudo apt install -t oracular-proposed grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub-efi-amd64-unsigned grub2-common

1. In the "Software & Updates" app, enable "Pre-released updates (oracular-proposed) in the "Developer Options" tab.

2. On the command line, run:
sudo apt install -t oracular-proposed grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub-efi-amd64-unsigned grub2-common

That worked perfectly for me!

The fix using the oracular-proposed packages worked for me too! I'm using a Thinkpad E570, dual boot with Windows 10.
Thanks a lot for for your work on this!

The packages on oracular-proposed worked for me as well!
Thanks for solving this problem

Yes. It fixed it for me, too.

Thank you a lot for taking care of this. You guys are making the world a better place for all of us :)

Thanks for the solution. It worked perfect for me!

After upgrading my ThinkPad x260 to Ubuntu 24.10, I was no longer able to boot older kernels. (I need to do that because the latest kernel where suspend/resume works is 6.5.) With the fix from oracular-proposed, I can boot older kernels again.

The verification of the Stable Release Update for grub2 has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package grub2 - 2.12-5ubuntu5.1

---------------
grub2 (2.12-5ubuntu5.1) oracular; urgency=medium

  * riscv: use time register in grub_efi_get_time_ms() (LP: #2076651)
  * Defer NX policy enforcement to shim (LP: #2084104)

 -- Mate Kukri <email address hidden> Fri, 11 Oct 2024 10:03:49 +0100

This bug was fixed in the package grub2-unsigned - 2.12-5ubuntu5.1

---------------
grub2-unsigned (2.12-5ubuntu5.1) oracular; urgency=medium

  * riscv: use time register in grub_efi_get_time_ms() (LP: #2076651)
  * Defer NX policy enforcement to shim (LP: #2084104)
  * Source package generated from src:grub2 using make -f ./debian/rules
    generate-grub2-unsigned

 -- Mate Kukri <email address hidden> Fri, 11 Oct 2024 10:03:49 +0100

Hi, I have version 2.12-5ubuntu5.1 but that still do not detect Windows located on separate SSD (Linux is on NVME)
I did os-prober and update-grub(2)
Grub console doesn't even show on startup of PC - it directly boots to Ubuntu

If Windows wasn't present at Ubuntu installation time, you need to manually enable os-prober in /etc/default/grub and then run update-grub.

Either way this bug isn't about that.

Ubuntu 24.10 (Oracular Oriole) has reached end of life, so this bug will not be fixed for that specific release.