Boot loader problem on EFI system

After upgrading to Fedora 40 I am having problems booting the Linux system. I am on an x86_64 machine with EFI secure boot enabled. Newly installed kernels end up in /boot/efi/<machine-id>/<kernel-version> along with their corresponding initrd files. The grub loader entries are installed to /boot/efi/loader/<machine-id>-<kernel-version>.conf and correctly refer to the aforementioned kernel/initrd files. So far, so good. I then execute grub2-mkconfig -o /boot/grub2/grub.cfg to update the boot loader configuration, and reboot.

The boot process then stops at the grub> prompt. From there I can use the linux and initrd commands to manually load the kernel and initrd files, and then issue the boot command. This boots the kernel, but it stops in the initrd because it fails to mount the root file system. Again, I do this manually, mounting it on /sysroot, and exit the initrd shell. This finally starts the system.

Because the first stop is at the grub prompt, I conclude that the early EFI/shim bootstrap stages have been successful, and that grub is somehow unable to access its configuration. But so far I haven’t been able to work out why this is. Nor have I found a way to debug this problem.

Any hints, anyone?

Remove /boot/efi/<machine-id> and its contents and then run

sudo kernel-install add-all

I did as advised. This populated /boot with kernel and initrd files, and also created entries in /boot/loader/entries that look correct. I then executed grub2-mkconfig again and rebooted - and ended up at the grub> prompt again.

Can you post the command?

Also, isn’t Secure Boot supposed to be /boot/efi/EFI/machine-id/grub.cfg?

There are two grub.cfg files:

[root@sarkovy ~]# find /boot -type f -name grub.cfg
/boot/grub2/grub.cfg
/boot/efi/EFI/fedora/grub.cfg

The latter is just a stub redirecting to the first one:

[root@sarkovy ~]# cat /boot/efi/EFI/fedora/grub.cfg
search --no-floppy --root-dev-only --fs-uuid --set=dev 5681f737-5b42-4470-b103-5d88624bc29d
set prefix=($dev)/grub2
export $prefix
configfile $prefix/grub.cfg

The grub2-mkconfig command is grub2-mkconfig -o /boot/grub2/grub.cfg.

No.
There are 2 grub.cfg files.
The pointer located at /boot/efi/EFI/fedora/grub.cfg is used to redirect grub (when booting with uefi) to the actual file at /boot/grub2/grub.cfg.

Secure boot has nothing to do with the location of the grub.cfg file.

You may be thinking of someone using sdboot, but that seems to not be the case here since grub would not be used when using sdboot.

sudo grub2-editenv - create
sudo dracut -f --regenerate-all

This somewhat improved the situation. While the bootstrap process still stops at the grub> prompt, I can now use the configfile command to manually load grub.cfg, which then brings up a boot menu containing all installed kernels. After selecting one of them, I get an error message saying no server found, but after hitting the return key the boot process continues, and the system starts as expected.

I also noticed that the output of kernel-install inspect still seems to be incorrect. It refers to /boot/efi/<machine-id>, which no longer exists:

[root@sarkovy ~]# kernel-install inspect
Machine ID: 45ef22de22ac4adbaf32ef187b2697b8
Kernel Image Type: pe
Layout: other
Boot Root: /boot/efi
Entry Token Type: machine-id
Entry Token: 45ef22de22ac4adbaf32ef187b2697b8
Entry Directory: /boot/efi/45ef22de22ac4adbaf32ef187b2697b8/6.8.8-300.fc40.x86_64
Kernel Version: 6.8.8-300.fc40.x86_64
Kernel: /usr/lib/modules/6.8.8-300.fc40.x86_64/vmlinuz
Initrds: (unset)
Initrd Generator: (unset)
UKI Generator: (unset)
Plugins: /usr/lib/kernel/install.d/10-devicetree.install
/usr/lib/kernel/install.d/20-grub.install
/usr/lib/kernel/install.d/50-depmod.install
/usr/lib/kernel/install.d/50-dracut.install
/usr/lib/kernel/install.d/51-dracut-rescue.install
/usr/lib/kernel/install.d/60-kdump.install
/usr/lib/kernel/install.d/90-loaderentry.install
/usr/lib/kernel/install.d/90-uki-copy.install
/usr/lib/kernel/install.d/92-crashkernel.install
/usr/lib/kernel/install.d/95-kernel-hooks.install
/usr/lib/kernel/install.d/99-grub-mkconfig.install
Plugin Environment: LC_COLLATE=C.UTF-8
KERNEL_INSTALL_VERBOSE=0
KERNEL_INSTALL_IMAGE_TYPE=pe
KERNEL_INSTALL_MACHINE_ID=45ef22de22ac4adbaf32ef187b2697b8
KERNEL_INSTALL_ENTRY_TOKEN=45ef22de22ac4adbaf32ef187b2697b8
KERNEL_INSTALL_BOOT_ROOT=/boot/efi
KERNEL_INSTALL_LAYOUT=other
KERNEL_INSTALL_INITRD_GENERATOR=
KERNEL_INSTALL_UKI_GENERATOR=
KERNEL_INSTALL_STAGING_AREA=/tmp/kernel-install.staging.XXXXXX
Plugin Arguments: add|remove
6.8.8-300.fc40.x86_64
/boot/efi/45ef22de22ac4adbaf32ef187b2697b8/6.8.8-300.fc40.x86_64
/usr/lib/modules/6.8.8-300.fc40.x86_64/vmlinuz
[INITRD
]


Let’s check the output:

sudo grub2-editenv - list; lsblk -o +FSTYPE,UUID
grep -v -e "^#" -e "^$" /etc/{fstab,default/grub,kernel/cmdline}

[root@sarkovy ~]# grub2-editenv - list
save_default=true
boot_success=1
saved_entry=45ef22de22ac4adbaf32ef187b2697b8-6.8.8-300.fc40.x86_64
[root@sarkovy ~]# lsblk -o +FSTYPE,UUID
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS FSTYPE UUID
sda 8:0 0 931,5G 0 disk btrfs 87aedf83-c280-4fe0-8417-30b65363d16d
sdb 8:16 0 931,5G 0 disk
├─sdb1 8:17 0 512M 0 part /boot/efi vfat 9C97-AAEC
└─sdb2 8:18 0 931G 0 part /export/home btrfs f827adea-4448-493c-9ae9-3154458bc814
/var
/home
/
sdc 8:32 0 931,5G 0 disk
├─sdc1 8:33 0 8M 0 part [SWAP] swap f9b3291b-1e1f-4384-ae84-664078a1127b
├─sdc2 8:34 0 931G 0 part btrfs f827adea-4448-493c-9ae9-3154458bc814
└─sdc3 8:35 0 504M 0 part /boot ext4 5681f737-5b42-4470-b103-5d88624bc29d
sdd 8:48 0 465,8G 0 disk /export/media btrfs 87aedf83-c280-4fe0-8417-30b65363d16d
/workspace
sde 8:64 0 465,8G 0 disk btrfs 87aedf83-c280-4fe0-8417-30b65363d16d
sdf 8:80 0 465,8G 0 disk
└─sdf1 8:81 0 465,8G 0 part crypto_LUKS ecc53bb9-af52-4a3a-b8cc-bf88f30ff756
sr0 11:0 1 1024M 0 rom
[root@sarkovy ~]# grep -v -e "^#" -e "^$" /etc/{fstab,default/grub,kernel/cmdline}
/etc/fstab:LABEL=SysStorage / btrfs defaults,subvol=root,nodiscard 0 0
/etc/fstab:LABEL=BOOT /boot ext4 defaults 1 1
/etc/fstab:LABEL=SysStorage /home btrfs defaults,nodev,subvol=home,nodiscard 0 0
/etc/fstab:LABEL=SysStorage /var btrfs defaults,nodev,subvol=var,nodiscard 0 0
/etc/fstab:LABEL=HdStorage /workspace btrfs defaults,nodev 0 0
/etc/fstab:LABEL=EFISYS /boot/efi vfat defaults,nodev,dmask=0022,fmask=0133 1 1
/etc/fstab:LABEL=Swap swap swap defaults 0 0
/etc/fstab:/workspace/minidlna/data /export/media none bind,ro,nodev,noexec,nosuid,nouser,auto 0 0
/etc/fstab:/home /export/home none bind,rw,nodev,nosuid,nouser,auto 0 0
/etc/default/grub:GRUB_TIMEOUT=5
/etc/default/grub:GRUB_DISTRIBUTOR="$(sed 's, release .*$,g' /etc/system-release)"
/etc/default/grub:GRUB_SAVEDEFAULT=true
/etc/default/grub:GRUB_DEFAULT=saved
/etc/default/grub:GRUB_CMDLINE_LINUX="rd.md=0 rd.dm=0 rd.luks=0 rd.shell=1 vconsole.keymap=de rhgb quiet"
/etc/default/grub:GRUB_DISABLE_RECOVERY="false"
/etc/default/grub:GRUB_THEME="/boot/grub2/themes/system/theme.txt"
/etc/default/grub:GRUB_ENABLE_BLSCFG=true
/etc/kernel/cmdline:root=/dev/disk/by-label/SysStorage rootflags=subvol=root rd.md=0 rd.dm=0 rd.luks=0 vconsole.keymap=de rhgb quiet

That is no problem as long as you have KERNEL_INSTALL_LAYOUT=other.

It could be that the contents of /boot/efi/EFI/fedora/grub.cfg are not correct.
The UUID in that file should match the UUID of the /boot file system as shown when running lsblk -f.
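
The UUID comparison suggested above can be scripted. This is an added example, not code from any poster in this thread or from the GRUB or Fedora projects; the function names are hypothetical, the sample stub is constructed from the file contents quoted earlier in the thread, and it assumes the stub uses the `--set=dev` form shown there.

```shell
#!/bin/sh
# Added example: check that the ESP stub grub.cfg searches for the /boot file system.

# Print the UUID operand of the stub's "search ... --fs-uuid ... <uuid>" line
# (the first argument that is not a --option).
stub_uuid() {
    awk '$1 == "search" { for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; exit } }' "$1"
}

# Print the directory the stub uses as prefix on that file system, e.g. "/grub2".
stub_prefix() {
    sed -n 's/^set prefix=(\$[A-Za-z_]*)\(.*\)$/\1/p' "$1"
}

# check_stub <stub-file> <uuid-of-/boot>
# Returns 0 on match, 1 on mismatch, 2 if the stub has no search line.
check_stub() {
    cs_want=$(stub_uuid "$1")
    [ -n "$cs_want" ] || { echo "no search line in $1" >&2; return 2; }
    # lsblk prints FAT volume IDs in upper case, so compare case-insensitively.
    cs_a=$(printf %s "$cs_want" | tr '[:upper:]' '[:lower:]')
    cs_b=$(printf %s "$2" | tr '[:upper:]' '[:lower:]')
    if [ "$cs_a" = "$cs_b" ]; then
        echo "OK: stub points at $2, prefix $(stub_prefix "$1")"
    else
        echo "MISMATCH: stub searches for $cs_want but /boot is $2"
        return 1
    fi
}

# Constructed sample: the stub contents quoted earlier in this thread.
sample_stub() {
    ss_file=$(mktemp)
    cat > "$ss_file" <<'EOF'
search --no-floppy --root-dev-only --fs-uuid --set=dev 5681f737-5b42-4470-b103-5d88624bc29d
set prefix=($dev)/grub2
export $prefix
configfile $prefix/grub.cfg
EOF
    echo "$ss_file"
}

stub=$(sample_stub)
check_stub "$stub" 5681f737-5b42-4470-b103-5d88624bc29d   # UUID of /boot per lsblk
check_stub "$stub" 9C97-AAEC || true                      # UUID of the ESP: mismatch
rm -f "$stub"
# On a live system:
#   check_stub /boot/efi/EFI/fedora/grub.cfg "$(findmnt -no UUID /boot)"
```
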

In this respect /boot/efi/EFI/fedora/grub.cfg is correct: it contains the UUID of the file system mounted at /boot.

I am a bit confused about this KERNEL_INSTALL_LAYOUT stuff. My understanding is that BLS means that configuration entries are stored in individual configuration fragments in /boot/loader/entries, as opposed to inlining them in grub.cfg itself. So, isn’t the configuration I have (with /boot/loader/entries) a BLS configuration?

In this context, KERNEL_INSTALL_LAYOUT=bls means systemd-boot instead of grub2. That also implies that the kernel and initrd will be stored in the ESP instead of the boot file system.

Actually, the error message displayed is error: ../../grub-core/net/net.c:1394:no server is specified.. This seems to indicate that grub attempts to access a network resource, which IMO it is not supposed to do.

Found the solution here.
