On 13/06/2026 at 16:58, Harald Dunkel wrote:
Package: grub-efi-amd64-signed Version: 1+2.12-9+deb13u2
Note that this issue is not directly related with grub-efi-amd64-signed. This package only signs the monolithic images built by grub2 source package an shipped in grub-efi-amd64-unsigned binary package.
Using "grub-install --force-extra-removable" it seems the BOOT entry written to /boot/efi/EFI lacks a grub.cfg file. It doesn't boot. I just get a grub prompt at boot time. Example:
The normal monolithic image grubx64.efi has $prefix hardcoded to /EFI/debian and originally only looked up grub.cfg in this path, so it made no sense to install a copy of grub.cfg in /EFI/BOOT. Currently it searches grub.cfg in the image path ($fw_path), then in $prefix. Executing it from the removable media path /EFI/BOOT works with the default $GRUB_DISTRIBUTOR or --bootloader-id (Debian) because grub.cfg is installed in /EFI/debian, but not with a custom one.
However when grub-install --force-extra-removable is executed without --no-nvram, a copy of fbx64.efi is installed in /EFI/BOOT. When shimx64.efi is invoked as /EFI/BOOT/BOOTX64.EFI, it executes fbx64.efi if present, or grubx64.efi otherwise. fbx64.efi scans /EFI/*/BOOTX64.CSV, re-creates EFI boot entries for each found and chainloads one of them. In your case, it should find /EFI/usbpc/BOOTX64.CSV and chainload /EFI/usbpc/shimx64.efi, so /EFI/BOOT/grubx64.efi should not be executed. This works as expected for me in a QEMU virtual machine.
However grub-install --force-extra-removable --no-nvram does not install fbx64.efi in /EFI/BOOT so IMO it should install a copy of grub.cfg in /EFI/BOOT.
If I generate the regular boot entry using a dedicated boot loader id and the "removable" BOOT entry in 2 steps, then it works as expected: # grub-install --recheck --efi-directory=/boot/efi --no-nvram --removable
Note that --no-nvram is implicit with --removable.
