NixOS doesn’t boot: symbol grub_is_shim_lock_enabled not found

[MangoIV]

Describe the bug

Hi, my nixos refuses to boot, fails with error: symbol grub_is_shim_lock_enabled not found. NixOS is 23.11…

Steps To Reproduce

https://git.sr.ht/~mangoiv/dotfiles/tree/78c76199650aac59014cc91d6a6c56177c6af52e

Expected behavior

nixos boots

Additional context

Seems like a bug introduced by very recent changes in grub:

https://forum.endeavouros.com/t/latest-grub-bricked-my-system-grub-is-shim-lock-enabled-not-found/42879

I think downgrading grub for the time being might be an okay solution

Notify maintainers

Metadata

n/a - see flake lock for hashes. Should be as recent as 23/07/11

[mneiner]

I have this exact same issue. Also verified problem to
exist on grub 2:2.12rc1-1. Had to roll back to grub 2:2.06.r566 to boot system normally.

Asus X200ca Notebook
Arch Linux only , no dual boot
Secure Boot disabled
CSM disabled
Booting UEFI
American Megatrends Bios Ver 208

[mneiner]

UPDATE
After installing grub 2:2.12rc1-1, I ran the grub-install command with the --disable-shim-lock option and rebuilt grub config.

It worked.

I don't secure boot, not sure why that option is necessary with the new grub, it's never been before.

[vidbina]

Same issue here. How do I downgrade GRUB?

Update 2023-07-22

I tried to set

  boot.loader.grub = {
    extraGrubInstallArgs = [
      "--disable-shim-lock"
    ];
  };

but I still ended up with the symbol not found issue.

I then checked if I could set the version of pkgs.grub2 but was too lazy to figure out how to override the grub2 correctly (especially when I noticed the pkgs.grub2 and pkgs.pkgsi686Linux.grub2 refs in NixOS/nixpkgs modules/system/boot/loader/grub/grub.nix and wasn't sure what the idiomatic way is to ensure that my override would apply across all known spaces without having to override multiple times. Probably trivial to fix for some, but I'm tired considering the following:

🤦🏿‍♂️ Noticed that my nixpkgs was tracking github:NixOS/nixpkgs/master instead of a more stable github:NixOS/nixpkgs/nixos-23.05 so I was asking for bleeding edge trouble. I downgraded to 23.05 which set GRUB2 back to 2.06. Problem solved for now!

💡 For the future it would be helpful to have an idiomatic and user-friendly (easy) way to set the version of grub2 more granularly. Like a boot.loader.grub.pkg option.

[mneiner]

While booted normally I did the following:

Used EFIBOOTMGR to remove the one boot entry I had for my existing installation.
Then did pacman -Rs grub to remove grub from my system
Then removed both /boot/EFI and /boot/grub directories (used sudo rm -r )
Then reinstalled latest grub using pacman -S grub
Then performed normal grub-install and grub config commands per distro instructions.

I am now able to boot into my machine using the most recent grub with no issues.

Prior to this, I had three grubx64.efi files in my EFI directory on my ESP. Each one had a different path within /boot/EFI

This was due to me erroneously faltering around and choosing different paths during various grub-install commands, after routine grub updates. This was going on since last December when my system was built.
.
It finally caught up to me.

I now only have one grubx64.efi file in my EFI folder .

It's path is /boot/EFI/GRUB/grubx64.efi.

[vidbina]

@mneiner, wouldn't your workaround break your system again the next time you run nixos-rebuild switch as it writes to your /boot directory while adding an entry for the latest generation to the bootloader menu?

Didn't even think about imperatively running the commands you listed. In fact, I didn't in my wildest imagination expect something like pacman -Rs grub to be runnable on a NixOS system. Are you perhaps using nix as a package manager on an Arch system or am I just ignorant about the possibilities these days?

[UPDATE]: 🤦🏿‍♂️ I did a poor job of reading the thread and just noticed you're on Arch indeed, so ignore my question above. In your setup, you never run nixos-rebuild switch (I'm just trying to understand the typical nix flow for you)?

I would definitely be nervous about directly fiddling around in the /boot/ directory, so I only dared to point GRUB2 towards the folder but I didn't have the guts to actually change or delete anything in that folder that wasn't a plaintext file that I could trivially modify again later on. 😅

[re-ynd]

I had the same issue when I upgraded my flake a couple of weeks ago. Today I decided to upgrade again, by

1. changing boot.loader.grub.efiInstallAsRemovable = true; (which is false by default I suppose), and boot.efi.canTouchEfiVariables = false;.
   2,. Then I removed everything under /boot with sudo rm -rv /boot/* (make a copy of /boot if you are worried). The /boot will be generated again after switching (the next command)
2. Run sudo nixos-rebuild switch --flake .#my-laptop.

After rebooting everything worked fine. I undid my changes to config (from step 1 above). Now, I am not sure if this issue has already been fixed by grub/Nix or if my config changes fixed the issue, either way I have a working system now.

[rardiol]

From what I gathered from the comments this has something to do with a version mismatch when re-installing grub? But why doesn't nixos-rebuild boot --install-bootloader fix the issue then?

Bug closed as invalid: https://savannah.gnu.org/bugs/index.php?64406

[Vonfry]

I meet this issue recently as well. re-ynd's method, enabling efiInstallAsRemovable, is worked for me. IMO, is this a grub bug right?

[shd101wyy]

@re-ynd ‘s solution worked for me. Thanks a lot!

[n8henrie]

Just upgraded my RPi 4 to 23.11 and ended up with a non-bootable system with this error. Prior NixOS generations don't help obviously.

I sure end up with a non-bootable NixOS system a lot more frequently than I would have expected.

[n8henrie]

Booted into a 23.11 recovery image, nixos-enter, enabled efiInstallAsRemovable, sudo nixos-rebuild --install-bootloader switch without errors -- the grub error above is gone and I see part of stage 1, but then I get a blank HDMI screen and a system that never comes up.

May just be a Pi4 or ZFS issue I guess.

Sigh.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/pi4-broken-on-23-11-uefi-zfs-root/36375/1

[n8henrie]

Taking the same steps as above but backing up then blowing away /boot prior to nixos-install --install-bootloader got me back to a booting system. Curiously, I forgot to re-populate the EFI partition with stuff from https://github.com/pftf/RPi4, so it would only boot with the rescue ISO also plugged in (but booted to the correct root somehow?) and this left a file named ubootefi.var in the otherwise empty EFI partition, which I've not seen before.

After it was booting, I repopulated the EFI files (from the backup -- so no changes), switched back to canTouchEfiVariables, and re-ran rebuild + --install-bootloader, and several reboots are now going smooth -- I'm live on 23.11.

Thanks to some solid input in this thread, I think I'll give a shot to systemd-boot going forward.

[nixos-discourse]

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/pi4-broken-on-23-11-uefi-zfs-root/36375/5

[berdario]

I've also been affected by this, when upgrading from 23.05 to 23.11. This is on a Thinkpad t440s, not a RPi.

IIRC, I installed Nixos on this machine via NIXOS_LUSTRATE several years ago, which is why I had an already existing dual boot setup with Grub and a separate /boot

The boot specific configuration in my /etc/nixos/configuration.nix included:

  boot.loader.efi.canTouchEfiVariables = false;

  boot.loader.grub.efiInstallAsRemovable = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";

  boot.loader.grub.device = "nodev";
  boot.loader.grub.efiSupport            = true;

(and a boot.loader.grub.extraEntries for the Windows dual boot).

Since it seems that gummiboot/systemd-boot is arguably simpler, and sometimes recommended. I followed n8henrie's steps in the Discourse thread, to switch away from Grub, I deleted all of the above configuration, and changed fileSystems."/boot/efi" = to fileSystems."/boot" = in hardware-configuration.nix

Now everything seems to work as expected. I also took the opportunity to clean up a bunch of cruft in the ESP, the efi boot entries and also the whole of the old /boot partition (now that support for XBOOTLDR landed recently, I'll consider using it with systemd-boot after I'll upgrade to 24.05, but for now I have enough space)

[MartinRamm]

I ran into this problem when upgrading from 23.05 to 24.05 on a Thinkpad P14S Gen 2.

Solved by booting from a live disk and following the instructions of re-ynd's comment. I tried skipping step 2 (emptying /boot), but it turns out this is required.

I struggled with the correct mount commands and correct parameters to nixos-enter, this worked for me: https://gist.github.com/MartinRamm/bb5e60885bb7f0bfc2ce07d1c527fba9