51

I'm new to Linux. I loaded Ubuntu on my Mac and I'm booting it with rEFInd. I see two choices:

  1. EFI\ubuntu\grubx64.efi
  2. EFI\ubuntu\shimx64.efi

They both boot into Ubuntu.

What's the difference between the two and which one should I use? Did I do something wrong that made both show up?

Pro Backup
user190735

1 Answer

70

Typically, EFI/ubuntu/grubx64.efi on the EFI System Partition (ESP) is the GRUB binary, and EFI/ubuntu/shimx64.efi is the binary for shim. The latter is a relatively simple program that provides a way to boot on a computer with Secure Boot active. On such a computer, an unsigned version of GRUB won't launch, and signing GRUB with Microsoft's keys is impossible, so shim bridges the gap and adds its own security tools that parallel those of Secure Boot. In practice, shim registers itself with the firmware and then launches a program called grubx64.efi in the directory from which it was launched, so on a computer without Secure Boot (such as a Mac), launching shimx64.efi is just like launching grubx64.efi. On a computer with Secure Boot active, launching shimx64.efi should result in GRUB starting up, whereas launching grubx64.efi directly probably won't work.

Note that there's some ambiguity possible. In particular, if you want to use a boot manager or boot loader other than GRUB in a Secure Boot environment with shim, you must call that program grubx64.efi, even though it's not GRUB. Thus, if you were to install rEFInd on a Secure Boot-enabled computer, grubx64.efi could be the rEFInd binary. This binary would probably not reside in EFI/ubuntu, though; both it and a shim binary would probably go in EFI/refind. Also, as you've got a Mac (which doesn't support Secure Boot), there's no need to install rEFInd in this way; it makes much more sense to install rEFInd as EFI/refind/refind_x64.efi (its default location and name).

Note that the rEFInd documentation includes a whole page on Secure Boot. Chances are you won't benefit from reading it, user190735, since you're using a Mac. I mention it only in case some other reader comes along who's trying to use rEFInd in conjunction with Secure Boot.

Rod Smith
  • 1
    Nice application, add this link too https://wiki.ubuntu.com/SecurityTeam/SecureBoot – Raja G Sep 07 '13 at 00:25
  • 6
    Did MS sign shimx64.efi then? – Mâtt Frëëman Mar 08 '15 at 08:28
  • 11
    Yes, Microsoft signed shimx64.efi -- at least, the version that Ubuntu installs on Secure Boot computers. (There are also unsigned Shim binaries available; or you can install your own Secure Boot keys and sign shimx64.efi yourself to take full control of your computer's Secure Boot process.) – Rod Smith Mar 08 '15 at 15:04
  • Fedora and Ubuntu have different approaches after secure boot has succeeded (during the runtime). In the former, the shim also passes on a flag to the kernel to indicate that it was loaded with secure boot, and during the runtime, the kernel validates all device drivers. In the latter, this runtime validation by the kernel is not performed. – vulcan raven Mar 03 '21 at 18:30
  • 1
    @vulcanraven, that used to be true, but Ubuntu's been verifying kernel modules for some time now. (I don't recall when this change was made, but it's a time measured in years.) I've had to sign the modules used by VirtualBox (which installs out-of-tree kernel modules) on Ubuntu to get VirtualBox to work for quite a while now. (My script for doing so is timestamped May of 2017.) – Rod Smith Mar 05 '21 at 00:39
  • so that I can find this later: if you don't have shimx64, and you want it, doing sudo apt-get install shim-signed will magically result in it appearing in the EFI/ubuntu folder, and show up in sudo efibootmgr -v :) – Hugh Perkins Jan 10 '22 at 00:29
  • @RodSmith Maybe that's the reason why installing media codecs on Ubuntu requires adding a MOK to shim: because media codecs probably use kernel modules that Ubuntu validates. – awvalenti Mar 02 '24 at 11:18
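
Added example (not part of the original answer or comments): a small parser for `efibootmgr -v` output that shows, for each boot entry, which loader the firmware starts, which grubx64.efi a shim entry would chain to, and whether the entry is expected to start with Secure Boot on or off. The names `classify`, `secure_boot_enabled` and `SAMPLE` are hypothetical, the sample output is constructed, and the verdict assumes that only the shim binary carries a signature the firmware trusts.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of `efibootmgr -v` output (not from a real machine).
SAMPLE = r"""BootCurrent: 0000
BootOrder: 0000,0001,0002
Boot0000* ubuntu  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0001* ubuntu direct  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)
Boot0002  rEFInd Boot Manager  HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x100000)/File(\EFI\refind\refind_x64.efi)
"""

# Entry number, active marker (*), label, and the loader path inside File(...).
ENTRY = re.compile(
    r"^Boot([0-9A-Fa-f]{4})(\*?)[ \t]+(.*?)[ \t]+\S+/File\(([^)]+)\)", re.M
)


def secure_boot_enabled(raw: bytes) -> bool:
    """Decode /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c.

    efivarfs puts 4 attribute bytes first; the 5th byte is the value (1 = enabled).
    """
    return len(raw) >= 5 and raw[4] == 1


def classify(output: str, secure_boot: bool) -> list[dict]:
    rows = []
    for num, star, label, path in ENTRY.findall(output):
        loader = PureWindowsPath(path)  # EFI device paths use backslashes
        via_shim = loader.name.lower().startswith("shim")
        rows.append({
            "entry": "Boot" + num.upper(),
            "active": star == "*",
            "label": label,
            "loader": str(loader),
            # Per the answer: shim starts grubx64.efi from its own directory.
            "chains_to": str(loader.with_name("grubx64.efi")) if via_shim else None,
            # Assumption: only shim carries a signature the firmware trusts.
            "expected_to_start": via_shim or not secure_boot,
        })
    return rows


if __name__ == "__main__":
    for sb in (False, True):
        print("Secure Boot", "on" if sb else "off")
        for row in classify(SAMPLE, sb):
            print("  ", row["entry"], row["loader"], "->", row["chains_to"],
                  "| expected to start:", row["expected_to_start"])
```

On a live system, feed `classify` the text printed by `sudo efibootmgr -v` and pass `secure_boot_enabled` the bytes read from the efivarfs file named in its docstring.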