What are the EFI files in /boot/efi/EFI/Boot for?


I have a bootx64.efi file in /boot/efi/EFI/Boot dated Mar 18 2024 that is not owned by any rpm package. I have not updated my BIOS since I bought my device, a Beelink 6600H.

Beelink just sent me a new BIOS and the bootx64.efi file is much smaller and dated Nov 27, 2016.

So I am examining my EFI partition and there are also a bunch of EFI files with the same timestamp in /boot/efi/EFI/fedora. “shimx64.efi” is the EFI file of choice in this directory according to the efibootmgr command. So:

What fedora process installed these files in …/Boot? I don’t remember but I think Mar 18 might have been the date I upgraded from Fedora 38 to Fedora 39.

I have a dual boot system so there is a bunch of stuff in /boot/efi/EFI/Microsoft as well. 'rpm -q --whatprovides' shows /boot/efi/EFI/fedora as being owned by grub2-common. In addition, this: Reddit - Dive into anything concludes that the files in /boot/efi/EFI/Boot are for booting USB drives etc. that may not have their own EFI Partition.

Based on this it appears that the bootx64.efi file sent with the BIOS update will be used to boot the USB device I will make if I upgrade the Beelink BIOS, and the one in /boot/efi/EFI/Boot is used to boot other non-fedora, non-Microsoft devices. Is this correct?

'rpm -q --whatprovides' shows /boot/efi/EFI/fedora as being owned by grub2-common.

You will FIND all the efi files are first installed into somewhere in /usr
then they are copied into the right place in /boot/efi/EFI.

It seems bootx64.efi is a Microsoft file.

These are files for booting the GRUB bootloader from the UEFI. Some are also required for secureboot.

I don't know what does what, but /boot/efi/EFI/fedora/shimx64.efi is used to boot Fedora on intel or amd using secureboot

1 Like

/boot/efi/EFI/BOOT/BOOTX64.EFI seems to be an exact copy of /boot/efi/EFI/fedora/shimx64.efi

# sha256sum BOOT/BOOTX64.EFI 
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  BOOT/BOOTX64.EFI

# sha256sum fedora/shimx64.efi 
4773d74d87c2371a25883b59a3b6d98d157de46933676706d215015b1130f2d1  fedora/shimx64.efi

I believe it is placed there when fedora is installed.

This is from my daily driver that has NEVER seen any form of microsoft software.

1 Like

Thanks for pointing this out, it’s the same on my system: “/boot/efi/EFI/BOOT/BOOTX64.EFI seems to be an exact copy of /boot/efi/EFI/fedora/shimx64.efi”. Safe to say the files are installed by Fedora. They’re not linked, so the grub post-installation script probably copies the file over to …/Boot when it updates.

I need to read up on UEFI and secure boot as well. I’m fairly confident that messing with the boot partition is the most likely route for a bad actor to compromise my system. One Achilles heel is Beelink’s informal BIOS upgrade procedure. Rather than post BIOS patches online you email their support and they email you back a one-time link to a file on “url.bee-link.cn”. They used to email a zip file of the patch, which is even worse. Although I am fairly confident Beelink’s devices are clean as-shipped, I am not patching my BIOS because there is currently nothing wrong with it. But this definitely shows how easy it might be to compromise lots of systems with malicious bootable external media.

I have secure boot enabled, and it’s working in Fedora (I get a kernel lockdown success message in dmesg and I can’t boot my memtest86+ USB device). Beelink did preinstall keys in the BIOS along with their preinstalled Windows 11. I am fairly confident about their Windows 11 as well, there does not appear to be any bloatware, and for now I am assuming Defender would flag any bogus non-Windows junk in the OS.

It is installed by the package shim-x64-15.8-3.x86_64. It is the default boot loader if you select the disk device in the uefi boot menu.
It works together with /boot/efi/EFI/BOOT/fbx64.efi to find the grub loader and install the boot entry into the uefi boot menu using the /boot/efi/EFI/fedora/BOOTX64.CSV file.

Other OS will probably install its own version of /boot/efi/EFI/BOOT/BOOTX64.EFI, so on a Microsoft system it will be the Windows loader instead of the shim. Also, if you install sd-boot, then BOOTX64.EFI will be a copy of the sd-boot loader.

2 Likes
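
The hash comparison shown in the thread, generalized as an added example that is not part of any post: a shell function that hashes every loader on the ESP and reports which one EFI/BOOT/BOOTX64.EFI is a byte-for-byte copy of (the shim, another OS's loader, or nothing installed). The function names and the constructed sample tree are assumptions for illustration; it needs `sha256sum` from coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): which installed loader is the fallback
# EFI/BOOT/BOOTX64.EFI a byte-for-byte copy of?

# Print ESP-relative paths of loaders whose SHA-256 equals the fallback loader's.
# Returns 0 on a match, 1 if the fallback matches nothing, 2 if it is absent.
fallback_origin() {
    esp=${1%/}
    # FAT is case-insensitive, so the directory may appear as BOOT, Boot or boot.
    fallback=$(find "$esp/EFI" -type f | awk -v p="$esp/EFI/" \
        'tolower(substr($0, length(p) + 1)) == "boot/bootx64.efi"' | head -n 1)
    [ -n "$fallback" ] || { echo "no-fallback"; return 2; }
    want=$(sha256sum "$fallback" | cut -d' ' -f1)
    fbdir=$(dirname "$fallback")
    # Hash every other *.efi file and keep the ones equal to the fallback.
    matches=$(find "$esp/EFI" -type f -name '*.[eE][fF][iI]' ! -path "$fbdir/*" \
        -exec sha256sum {} + |
        awk -v h="$want" -v n="${#esp}" \
            '$1 == h { sub(/^[0-9a-f]+ [ *]/, ""); print substr($0, n + 2) }' | sort)
    [ -n "$matches" ] || { echo "unknown"; return 1; }
    echo "$matches"
}

# Constructed sample ESP layout (placeholder bytes, not real loaders).
make_sample_esp() {
    d=$(mktemp -d)
    mkdir -p "$d/EFI/BOOT" "$d/EFI/fedora" "$d/EFI/Microsoft/Boot"
    printf 'constructed shim bytes' > "$d/EFI/fedora/shimx64.efi"
    printf 'constructed grub bytes' > "$d/EFI/fedora/grubx64.efi"
    printf 'constructed bootmgr bytes' > "$d/EFI/Microsoft/Boot/bootmgfw.efi"
    cp "$d/EFI/fedora/shimx64.efi" "$d/EFI/BOOT/BOOTX64.EFI"
    echo "$d"
}

sample=$(make_sample_esp)
fallback_origin "$sample"      # on a real system: fallback_origin /boot/efi
rm -rf "$sample"
```

An "unknown" result means the fallback loader matches no other loader on the ESP, which is worth explaining before trusting removable-media or disk-device boots.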