I've worked through a range of different scenarios in a VM to see exactly where things work or fail. I'm using the copy of bootmgr.efi that came with Windows 10 on a test laptop here, which is *not* tagged as NX-compatible.
Results:

test 1 PASS
===========

SecureBoot enabled
unstable shim-signed version 1.50+16.1-2
binary sha256sum 637d7916c0b0b9cb505612f39e8c47b47894957f15a1e711b22a2ae5bbec286d
trixie grub-efi-amd64-signed version 2.12-9+deb13u2
boots Linux OK
boots Windows boot manager OK (not NX)

test 2 FAIL
===========

SecureBoot enabled
unstable shim-signed version 1.50+16.1-2 (NX-enabled)
binary sha256sum 637d7916c0b0b9cb505612f39e8c47b47894957f15a1e711b22a2ae5bbec286d
unstable grub-efi-amd64-signed version 2.14-2
boots Linux OK
locks up loading Windows boot manager OK (not NX)

test 3 PASS
===========

SecureBoot *disabled*
unstable shim-signed version 1.50+16.1-2 (NX-enabled)
binary sha256sum 637d7916c0b0b9cb505612f39e8c47b47894957f15a1e711b22a2ae5bbec286d
unstable grub-efi-amd64-signed version 2.14-2
boots Linux OK
boots Windows boot manager OK (not NX)

test 4 PASS
===========

SecureBoot enabled
trixie shim-signed version 1.47+15.8-1 (Not NX-enabled)
binary sha256sum 10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26
unstable grub-efi-amd64-signed version 2.14-2
boots Linux OK
boots Windows boot manager OK (not NX)

test 5 FAIL
===========

SecureBoot enabled
non-NX 16.1 trixie single-signed shim (2011 CA, non-NX)
binary sha256sum b988b4ca873376381b2b707ba605a05a07c83251fdac7d88779b0e20d11063c6
unstable grub-efi-amd64-signed version 2.14-2
boots Linux OK
locks up loading Windows boot manager OK (not NX)

test 6 PASS
===========

SecureBoot disabled
non-NX 16.1 trixie single-signed shim (2011 CA, non-NX)
binary sha256sum b988b4ca873376381b2b707ba605a05a07c83251fdac7d88779b0e20d11063c6
unstable grub-efi-amd64-signed version 2.14-2
boots Linux OK
boots Windows boot manager OK (not NX)

so, this means:

 - it's not an NX issue
 - it's not a dual-signing issue
 - it's only an issue with SB enabled
 - it's only an issue with shim 16.1 and grub 2.14 together
 - any other combination is fine

I'm digging in further now.

-- 
Steve McIntyre, Cambridge, UK. [email protected]
"When C++ is your hammer, everything looks like a thumb." -- Steven M. Haflich

