What is the difference between grubx64 and shimx64?
Typically, EFI/ubuntu/grubx64.efi on the EFI System Partition (ESP) is the GRUB binary, and EFI/ubuntu/shimx64.efi is the binary for shim. The latter is a relatively simple program that provides a way to boot on a computer with Secure Boot active. On such a computer, an unsigned version of GRUB won't launch, and signing GRUB with Microsoft's keys is impossible, so shim bridges the gap and adds its own security tools that parallel those of Secure Boot. In practice, shim registers itself with the firmware and then launches a program called grubx64.efi in the directory from which it was launched, so on a computer without Secure Boot (such as a Mac), launching shimx64.efi is just like launching grubx64.efi. On a computer with Secure Boot active, launching shimx64.efi should result in GRUB starting up, whereas launching grubx64.efi directly probably won't work.
Note that there's some ambiguity possible. In particular, if you want to use a boot manager or boot loader other than GRUB in a Secure Boot environment with shim, you must call that program grubx64.efi, even though it's not GRUB. Thus, if you were to install rEFInd on a Secure Boot-enabled computer, grubx64.efi could be the rEFInd binary. This binary would probably not reside in EFI/ubuntu, though; both it and a shim binary would probably go in EFI/refind. Also, as you've got a Mac (which doesn't support Secure Boot), there's no need to install rEFInd in this way; it makes much more sense to install rEFInd as EFI/refind/refind_x64.efi (its default location and name).
Note that the rEFInd documentation includes a whole page on Secure Boot. Chances are you won't benefit from reading it, user190735, since you're using a Mac. I mention it only in case some other reader comes along who's trying to use rEFInd in conjunction with Secure Boot.
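The distinction drawn in the answer above can be checked against a machine's own boot entries. The following is an added example, not part of the original answer: it parses `efibootmgr -v` output, decodes the firmware's SecureBoot variable, and flags entries that launch grubx64.efi directly while Secure Boot is on. The sample output, the variable bytes and the function names are constructed for illustration.

```python
import re

# Constructed sample of `efibootmgr -v` output (tabs shown as spaces, GUIDs shortened).
SAMPLE = r"""BootCurrent: 0001
BootOrder: 0001,0000,0002
Boot0000* ubuntu-grub HD(1,GPT,0000-01,0x800,0x100000)/File(\EFI\ubuntu\grubx64.efi)
Boot0001* ubuntu HD(1,GPT,0000-01,0x800,0x100000)/File(\EFI\ubuntu\shimx64.efi)
Boot0002* rEFInd HD(1,GPT,0000-01,0x800,0x100000)/File(\EFI\refind\refind_x64.efi)
"""

ENTRY = re.compile(r"^Boot([0-9A-Fa-f]{4})\*?\s+(.*?)\s+\S*File\((.+?)\)", re.M)


def secure_boot_enabled(efivar: bytes) -> bool:
    """Decode the efivarfs SecureBoot variable: 4 attribute bytes, then 1 value byte."""
    return len(efivar) >= 5 and efivar[4] == 1


def audit(output: str, sb_on: bool) -> list:
    """Return (entry, label, loader, status) for every file-backed boot entry."""
    current = re.search(r"^BootCurrent: ([0-9A-Fa-f]{4})", output, re.M)
    rows = []
    for num, label, path in ENTRY.findall(output):
        loader = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if loader.startswith("shim"):
            status = "ok"          # shim starts GRUB with or without Secure Boot
        elif loader == "grubx64.efi":
            # Launched directly, bypassing shim: probably fails under Secure Boot.
            status = "warn" if sb_on else "ok"
        else:
            status = "unchecked"   # loader the answer makes no claim about
        if current and current.group(1) == num:
            label += " (current)"
        rows.append((num, label, loader, status))
    return rows


if __name__ == "__main__":
    # On a real system, read the variable from
    # /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c
    # and pass in the output of `sudo efibootmgr -v`; here both inputs are constructed.
    sb = secure_boot_enabled(bytes([6, 0, 0, 0, 1]))
    for row in audit(SAMPLE, sb):
        print(*row, sep="  ")
```

Because a loader named grubx64.efi may be something other than GRUB (as the answer notes for rEFInd), the check reports the file name only and does not identify the program behind it.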
user190735
Updated on September 18, 2022
Comments
-
user190735 over 1 year
I'm new to Linux. I loaded Ubuntu on my Mac and I'm booting it with rEFInd. I see two choices:
EFI\ubuntu\grubx64.efi
EFI\ubuntu\shimx64.efi
They both boot into Ubuntu.
What's the difference between the two and which one should I use? Did I do something wrong that made both show up?
-
mojo706 over 10 years
hello, shimx64.efi is the secure boot option
-
Eliah Kagan over 10 years
@mojo706 I recommend posting a (maybe only slightly) expanded version of that as an answer.
-
Yaroslav Nikitenko over 6 years
On Fedora Core there is also a third file shimx64-fedora.efi :)
-
mx7 over 10 years
Nice application, add this link too: wiki.ubuntu.com/SecurityTeam/SecureBoot
-
Mâtt Frëëman about 9 years
Did MS sign shimx64.efi then?
-
Rod Smith about 9 years
Yes, Microsoft signed shimx64.efi -- at least, the version that Ubuntu installs on Secure Boot computers. (There are also unsigned Shim binaries available; or you can install your own Secure Boot keys and sign shimx64.efi yourself to take full control of your computer's Secure Boot process.)
-
vulcan raven about 3 years
Fedora and Ubuntu have different approaches after secure boot has succeeded (during runtime). In the former, the shim also passes on a flag to the kernel to indicate that it was loaded with secure boot, and during runtime, the kernel validates all device drivers. In the latter, this runtime validation by the kernel is not performed.
-
Rod Smith about 3 years
@vulcanraven, that used to be true, but Ubuntu's been verifying kernel modules for some time now. (I don't recall when this change was made, but it's a time measured in years.) I've had to sign the modules used by VirtualBox (which installs out-of-tree kernel modules) on Ubuntu to get VirtualBox to work for quite a while now. (My script for doing so is timestamped May of 2017.)
-
Hugh Perkins over 2 years
so that I can find this later: if you don't have shimx64, and you want it, doing
sudo apt-get install shim-signed
will magically result in it appearing in the EFI/ubuntu folder, and show up in sudo efibootmgr -v :)