UEFI: some tips and tricks

• Original message on GoLUG mailing list

Date: Mon, 7 Jul 2025 22:57:20 -0700
From: Kyle Terrien <kyle at terren.us>
To: golug at golug.org
Subject: Coming to terms with UEFI: some tips and tricks
Message-ID: <aGyzPBsyxiO753Xp@didacus>
Organization: Terrenus

It has been 15 years since the PC industry has forced UEFI upon us,
and we are now entering the so-called “plateau of productivity”.

What is UEFI?  It is the Unified Extensible Firmware Interface, and it
is basically a pre-boot OS baked into the motherboard.

You can read all the details you need to know at [1], but the basic
summary is that while certain conventions are provided and expected
nowadays, the standard is still vague enough to not declare every
single convention a /de jure/ standard.  Even the filesystem format of
the EFI System Partition (ESP, usually mounted on /boot/efi) is not
set in stone.  Usually it’s FAT32, but on Apple computers, it’s
proprietary HFS.

Anyway, here are the tips and tricks, with the conventions implemented
by most motherboards today.  Check out efibootmgr(8) [2].

> kyle@didacus:~$ efibootmgr -v
> BootCurrent: 0000
> Timeout: 1 seconds
> BootOrder: 0000,0003,0002
> Boot0000* debian	HD(1,GPT,979eec48-0eff-4ba8-a3a8-57d1fcbdd96b,0x800,0x100000)/File(\EFI\DEBIAN\SHIMX64.EFI)
> Boot0002* UEFI: Built-in EFI Shell	VenMedia(5023b95c-db26-429b-a648-bd47664c8012)..BO
> Boot0003* debian	HD(1,GPT,979eec48-0eff-4ba8-a3a8-57d1fcbdd96b,0x800,0x100000)/File(\EFI\DEBIAN\GRUBX64.EFI)..BO

The secret of UEFI is that your bootloader is a file---an EFI
executable.  The listing above is from my Intel NUC running Debian 12.
Grub is GRUBX64.EFI, and SHIMX64.EFI is a signed shim that execs
GRUBX64.EFI (used for secure boot).

You can use efibootmgr to add entries (-c), remove entries (-B), and
modify your boot order (-o).

Also, you can temporarily override your boot order (for only the next
boot).  For example in the listing above,

> # efibootmgr -n 2
> # reboot

Will reboot into the built-in EFI shell, which is a CLI specific to
UEFI, even though on the surface the shell behaves similar to DOS.
Some commands like ‘edit’ and ‘type’ work just like on DOS.  You can
even play Doom [3].  However, instead of the ‘more’ command, you must
use the /b option of a command to page output.

EFI shell is useful for upgrading BIOS and firmware.  (Most firmware
is handled by fwupdmgr under GNU/Linux.  However, if you need to
update firmware manually, usually the vendor supplies an EFI
executable as an update option.)  Also, for adjusting the boot order
in EFI shell, try bcfg.

Under the hood, efibootmgr sets variables stored in the motherboard’s
NVRAM (accessible under /sys/firmware/efi/efivars in Linux), and the
motherboard BIOS acts accordingly according to the specification.

(Note that NVRAM nowadays is usually real flash storage.  In older
IBM-like PCs, you had CMOS memory, which needed to be refreshed with a
battery.)

Also, from GNU/Linux, you can reboot directly into system setup once:

> # systemctl reboot --firmware-setup

These commands are super useful when troubleshooting hardware issues.
All of these tasks were impossible or nonstandard in a traditional MBR
BIOS configuration.

If your motherboard doesn’t have a built-in EFI shell (which is a
crime against users, imo), then you can drop an EFI shell executable
under /boot/efi and use efibootmgr to add a boot entry.  I suggest
downloading and extracting the EFI shell executable from a pre-built
Debian package [4].  There is no dynamic linking in the EFI
environment, so this trick works regardless of distro.

Lastly, there is secure boot, which is usable on GNU/Linux out of the
box (in most cases).  When secure boot is enabled, the EFI BIOS checks
signatures on EFI executables (i.e. your bootloader), and then Linux
checks signatures on any kernel module it loads.  To fully utilize
secure boot, you should setup a Machine Owner Key (MOK) to sign your
bootloader and kernel modules [5] (beyond the scope of this mail).  I
don’t have it enabled on my NUC, but my work laptop does has secure
boot enabled in “enforce” mode.  I use dksm to build and sign the
NVIDIA drivers on my work laptop, and everything more or less “just
works.”  Secure boot is merely another layer of security, and there is
no shame in not using it.

Hope this was helpful, or at least educational.

--Kyle


[1]: https://www.happyassassin.net/posts/2014/01/25/uefi-boot-how-does-that-actually-work-then/
[2]: https://linux.die.net/man/8/efibootmgr
[3]: https://hackaday.com/2022/06/12/doom-in-your-bios-more-likely-than-you-think/
[4]: https://packages.debian.org/search?mode=path&suite=sid&section=all&arch=any&searchon=names&keywords=efi-shell
[5]: https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key

-- 
[*] Kyle Terrien
    Terrenus => from the Earth, to the Cloud
    https://terren.us/

Dilexisti justitiam, et odisti iniquitatem.  -- Psalmus 44:8