#StackBounty: #grub2 #uefi #20.04 #bootloader #grub-efi How do I get grub-efi-amd64-signed to not automatically overwrite NVRAM on update

Bounty: 100

I am using rEFInd as my main boot loader. Since it can load kernel images directly, I probably don’t even need GRUB much, but keeping it around just in case feels safer. What’s annoying me, however, is that certain upgrades (haven’t worked out whether it’s to grub, to the kernel, or both) will trigger a change to my UEFI NVRAM, making GRUB the default boot loader.

I’ve read in various posts that there is an option --no-nvram to the grub installer, which is probably what I want. So my main question here is how do I get that flag passed to the grub installer on upgrades?

Several existing Stack Exchange answers [1, 2, 3] all point to sudo dpkg-reconfigure grub-efi-amd64 as the solution, because it should show me a dialog where I can disable that behavior. Doesn’t work for me on focal, though:

$ sudo dpkg-reconfigure grub-efi-amd64
dpkg-query: package 'grub-efi-amd64' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
/usr/sbin/dpkg-reconfigure: grub-efi-amd64 is not installed

$ dpkg -l *grub*
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version                Architecture Description
un  grub                  <none>                 <none>       (no description available)
un  grub-cloud-amd64      <none>                 <none>       (no description available)
ii  grub-common           2.04-1ubuntu26         amd64        GRand Unified Bootloader (common files)
un  grub-coreboot         <none>                 <none>       (no description available)
un  grub-doc              <none>                 <none>       (no description available)
un  grub-efi              <none>                 <none>       (no description available)
un  grub-efi-amd64        <none>                 <none>       (no description available)
ii  grub-efi-amd64-bin    2.04-1ubuntu26         amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 modules)
ii  grub-efi-amd64-signed 1.142.1+2.04-1ubuntu26 amd64        GRand Unified Bootloader, version 2 (EFI-AMD64 version, signed)
un  grub-efi-arm          <none>                 <none>       (no description available)
un  grub-efi-arm64        <none>                 <none>       (no description available)
un  grub-efi-arm64-signed <none>                 <none>       (no description available)
un  grub-efi-ia32         <none>                 <none>       (no description available)
un  grub-efi-ia64         <none>                 <none>       (no description available)
un  grub-emu              <none>                 <none>       (no description available)
ii  grub-gfxpayload-lists 0.7                    amd64        GRUB gfxpayload blacklist
un  grub-ieee1275         <none>                 <none>       (no description available)
un  grub-legacy           <none>                 <none>       (no description available)
un  grub-legacy-doc       <none>                 <none>       (no description available)
un  grub-linuxbios        <none>                 <none>       (no description available)
ii  grub-pc               2.04-1ubuntu26         amd64        GRand Unified Bootloader, version 2 (PC/BIOS version)
ii  grub-pc-bin           2.04-1ubuntu26         amd64        GRand Unified Bootloader, version 2 (PC/BIOS modules)
un  grub-uboot            <none>                 <none>       (no description available)
un  grub-xen              <none>                 <none>       (no description available)
un  grub-yeeloong         <none>                 <none>       (no description available)
un  grub2                 <none>                 <none>       (no description available)
ii  grub2-common          2.04-1ubuntu26         amd64        GRand Unified Bootloader (common files for version 2)

$ sudo dpkg-reconfigure grub-efi-amd64-signed
Installing grub to /boot/efi.
Installing for x86_64-efi platform.
Installation finished. No error reported.

So my package is named differently, and the most likely candidate just does the thing I don’t want it to do, without asking any questions.

Looking at /var/lib/dpkg/info/grub-efi-amd64-signed.postinst I find it calls /usr/lib/grub/grub-multi-install --target=$target which in turn contains an invocation _UBUNTU_ALTERNATIVE_ESPS="$RET" grub-install --efi-directory=$mntpoint "$@". So the latter could handle additional flags, but the former doesn’t seem to have a hook to provide any.

Is there any reliable way (i.e. likely to work in the next few upgrades as well) to pass --no-nvram there, can I achieve that goal by some other means, or do I have to remove GRUB or accept that it will mess up my boot menu every now and then?
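An added example, not part of the original question and not a way to pass --no-nvram: a shell check that compares two `efibootmgr` listings and reports when the default boot entry has changed, so an NVRAM rewrite by a package upgrade is noticed. The sample listings are constructed, and the function names (`boot_order`, `default_label`, `nvram_changed`) are hypothetical.

```shell
#!/bin/sh
# Constructed sample `efibootmgr` output (not from the page): before and after
# an upgrade that re-ran grub-install without --no-nvram.
SAMPLE_BEFORE='BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0002,0000
Boot0000* ubuntu
Boot0002* rEFInd Boot Manager'

SAMPLE_AFTER='BootCurrent: 0002
Timeout: 1 seconds
BootOrder: 0000,0002
Boot0000* ubuntu
Boot0002* rEFInd Boot Manager'

# Print the BootOrder value of a listing, e.g. "0002,0000".
boot_order() {
    printf '%s\n' "$1" | sed -n 's/^BootOrder: *//p'
}

# Print the label of the entry the firmware tries first.
# Newer efibootmgr versions append a tab and the device path; cut drops it.
default_label() {
    first=$(boot_order "$1" | cut -d, -f1)
    printf '%s\n' "$1" | sed -n "s/^Boot${first}[* ] *//p" | cut -f1
}

# Return 0 and print a report when BootOrder differs from the baseline,
# return 1 when it is unchanged.
nvram_changed() {
    old=$(boot_order "$1")
    new=$(boot_order "$2")
    [ "$old" = "$new" ] && return 1
    printf 'BootOrder changed: %s -> %s (default now: %s)\n' \
        "$old" "$new" "$(default_label "$2")"
}

# Demonstration on the constructed listings.
nvram_changed "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || true
```

On a real system the first argument would be a listing saved from `efibootmgr` while the boot order was known-good, and the second the current output of `efibootmgr`.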
