problem with grub2-efi and multiboot

Hello, the situation is like this: my laptop came with windows 8.1 preloaded, and I managed to install debian wheezy and dual boot with this tutorial https://youtu.be/DLlOd-a2wG0 after that I installed opensuse 13.2 with grub2-efi as bootloader and secure boot deactivated, the installation was successful and in grub menu I’m able to boot on windows and opensuse, however when I try to boot debian i get the next message:

error: kernel too old.
error: you need to load the kernel first.

press any key to continue...

and well I don’t really know what I could do to boot on debian again, any suggestion would be helpful.

this is my fdisk -l where sda7 is the partition for debian and sda9 for opensuse, both ext4

Device         Start       End   Sectors   Size Type
/dev/sda1       2048   2099199   2097152     1G Windows recovery environment
/dev/sda2    2099200   2303999    204800   100M EFI System
/dev/sda3    2304000   2566143    262144   128M Microsoft reserved
/dev/sda4    2566144 820193416 817627273 389.9G Microsoft basic data
/dev/sda5  959821824 976773119  16951296   8.1G Windows recovery environment
/dev/sda6  862138368 862140415      2048     1M BIOS boot
/dev/sda7  862140416 955764735  93624320  44.7G Microsoft basic data
/dev/sda8  955764736 959821823   4057088     2G Linux swap
/dev/sda9  820195328 862138367  41943040    20G Microsoft basic data


You will need to turn off secure-boot in order to boot Debian. Or perhaps generate your own signing key, add that to MokManager and sign the Debian kernel yourself.

Possibly, your kernel lacks an efi-stub. in which case turning off secure-boot is the only thing that will work.

yes secure boot is deactivated in BIOS and also on yast, I research a little and it seems like signing it myself is the only solution, however my experience with Linux is like 5% so I don’t really know how to do that, could you give me a link to some videos or webpages where I can see the process to follow??

I’ll suggest this page:
openSUSE:UEFI

There’s a section “Booting a custom kernel” which describes how to sign your kernel. However I wonder about that message “kernel too old”. It might mean that the kernel was built without options needed for signing.

Note that I have not tried to sign a kernel myself. When I have run into the same problem, I have just turned off secure-boot in the BIOS.

Did you install Debian while secure boot was on?? if so maybe it expects secure boot thus fails though it should not mater but I don’t know how Debian handles secure boot???.

Also how are you selecting the OS vi the grub menu or the EFI BIOS boot menu?

I’ll take a look to that site, thanks!
yes it’s kind of weird, might be a problem that when I installed opensuse I didn’t turned off secure boot from yast (it was already inactive on BIOS) until I booted suse by the first time??

it was off, also Debian installation was done with BIOS in legacy/CSM mode.
without opensuse installed the selection between Debian and windows was with grub2, when I installed opensuse I installed grub2-efi on the EFI partition and that is the menu I get when I turn on the PC, if I change from grub2-efi to grub2 on yast could it be helpful?? I had some problems using grub with Debian since os-prob didn’t recognize windows and every time I updated grub I have to manually type the windows entry on grub

Mixing EFI and MBR booting can be a problem. It is best to use the same boot method for all OS’s MBR and EFI booting are significantly different

Is this 64-bit Debian or 32-bit Debian?

I installed Mint 17 in legacy/CSM mode. I boot it in UEFI mode without problems, as long as I have turned off secure-boot. But it is 64-bit Mint.

I have assumed that I can boot a 32-bit kernel, as long as secure-boot is turned off. But I might be mistaken. I have never tried that.

Try editing “/boot/grub2/grub.cfg”. There’s a warning to not edit that, but ignore that warning as a test.

Find the line(s) that boot Debian. They may be hard to read, but they probably say something like:


linuxefi /path/to/kernel "various options" initrdefi /path/to/initrd

Change that “linuxefi” to “linux” and the “initrdefi” to “initrd” and see if it boots. I’m guessing that it will.

it is 64 but wow! thanks man! you saved my life, I’m writing this from Debian right now I just changed that exactly and it booted without problems :good:

seriously thanks a lot! that saved me a lot of troubles

Good.

That change to “grub.cfg” will disappear at some time in the future. I put my changes in “/etc/grub.d/40_custom” so that they will persist when “grub.cfg” is regenerated. What I actually use is a “configfile” command that runs the “grub.cfg” generated by Mint.

If you intend leaving secure-boot disabled in the BIOS, then there’s another alternative. Edit “/etc/default/grub” and look for the line:


GRUB_USE_LINUXEFI=true

Change that “true” to “false”. Then your grub.cfg should be generated with “linux” rather than “linuxefi” commands in future.

yeah when I had to manually change that in grub.cfg I was expecting the change was not gonna be perpetual, like the problem I had before with Debian, but since I don’t have experience with scripts I suppose the 2nd option is my best choice, however changing that parameter to “false” wouldn’t create some conflicts when booting opensuse or windows??, since, I suppose, they boot in full uefi, so to speak, not like Debian

No, it won’t be a problem for booting Windows. It will only be a problem for booting opensuse if you turn “secure-boot” on again in the BIOS. Otherwise, it will all be fine. You will still be booting with UEFI rather than CSM.

Technically, grub2-efi will load the kernel and call it at its standard entry point instead of at its efi entry point, and signature checking will be turned off. But that still works. The kernel itself does not depend on either CSM or UEFI. The preliminary part of booting that does depend on CSM or UEFI is all handled by grub. Standard grub2 uses CSM, while grub2-efi uses UEFI calls to the firmware.

well since I installed Debian I didn’t turn on secure boot again so I think it will remain like that, so thank you really much I have learned a lot from this experience and it has been pretty informative for me :slight_smile:

A final note: I have not had any problem booting with “linuxefi” and “initrdefi”, even for kernels where I cannot check the signature – as long as I leave secure-boot turned off. So I think your experience shows that Debian compiled its kernels without whatever is needed for EFI booting. You probably would not have been able to sign their kernel with your own key.