[Bug 2116245] [NEW] grub2-mkconfig fails in Curtin on RHEL Secure Boot images

Yinghui 2116245 at bugs.launchpad.net
Wed Jul 9 09:45:14 UTC 2025


Public bug reported:

Curtin executes grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg as part
of its UEFI bootloader setup. However, newer versions of grub2-tools in
RHEL (grub2-tools-2.06-104.el9_6) intentionally prevent this action to
protect the signed GRUB EFI shim stub. As a result, Curtin deployments
on Red Hat–based systems fail during the curthooks stage.

```
Using grub install command: grub2-install
        find_efi_loader: found /boot/efi/EFI/redhat/shimx64.efi
        Grub install cmds:
        [['efibootmgr', '-v'], ['efibootmgr', '--create', '--write-signature', '--label', 'redhat', '--disk', '/dev/sda', '--part', '1', '--loader', '/EFI/redhat/shimx64.efi'], ['grub2-mkconfig', '-o', '/boot/efi/EFI/redhat/grub.cfg'], ['efibootmgr', '-v']]
        Running command ['mount', '--bind', '/dev', '/tmp/tmpv92scyb6/target/dev'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--bind', '/proc', '/tmp/tmpv92scyb6/target/proc'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--bind', '/run', '/tmp/tmpv92scyb6/target/run'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--bind', '/sys', '/tmp/tmpv92scyb6/target/sys'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--bind', '/sys/firmware/efi/efivars', '/tmp/tmpv92scyb6/target/sys/firmware/efi/efivars'] with allowed return codes [0] (capture=False)
        Running command ['unshare', '--fork', '--pid', '--', 'chroot', '/tmp/tmpv92scyb6/target', 'efibootmgr', '-v'] with allowed return codes [0] (capture=True)
        Running command ['unshare', '--fork', '--pid', '--', 'chroot', '/tmp/tmpv92scyb6/target', 'efibootmgr', '--create', '--write-signature', '--label', 'redhat', '--disk', '/dev/sda', '--part', '1', '--loader', '/EFI/redhat/shimx64.efi'] with allowed return codes [0] (capture=True)
        Running command ['unshare', '--fork', '--pid', '--', 'chroot', '/tmp/tmpv92scyb6/target', 'grub2-mkconfig', '-o', '/boot/efi/EFI/redhat/grub.cfg'] with allowed return codes [0] (capture=True)
        Running command ['udevadm', 'settle'] with allowed return codes [0] (capture=False)
        TIMED subp(['udevadm', 'settle']): 0.005
        Running command ['mount', '--make-private', '/tmp/tmpv92scyb6/target/sys/firmware/efi/efivars'] with allowed return codes [0] (capture=False)
        Running command ['umount', '/tmp/tmpv92scyb6/target/sys/firmware/efi/efivars'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--make-private', '/tmp/tmpv92scyb6/target/sys'] with allowed return codes [0] (capture=False)
        Running command ['umount', '/tmp/tmpv92scyb6/target/sys'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--make-private', '/tmp/tmpv92scyb6/target/run'] with allowed return codes [0] (capture=False)
        Running command ['umount', '/tmp/tmpv92scyb6/target/run'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--make-private', '/tmp/tmpv92scyb6/target/proc'] with allowed return codes [0] (capture=False)
        Running command ['umount', '/tmp/tmpv92scyb6/target/proc'] with allowed return codes [0] (capture=False)
        Running command ['mount', '--make-private', '/tmp/tmpv92scyb6/target/dev'] with allowed return codes [0] (capture=False)
        Running command ['umount', '/tmp/tmpv92scyb6/target/dev'] with allowed return codes [0] (capture=False)
        finish: cmd-install/stage-curthooks/builtin/cmd-curthooks/install-grub: FAIL: installing grub to target devices
        finish: cmd-install/stage-curthooks/builtin/cmd-curthooks/configuring-bootloader: FAIL: configuring target system bootloader
        finish: cmd-install/stage-curthooks/builtin/cmd-curthooks: FAIL: curtin command curthooks
        Traceback (most recent call last):
          File "/curtin/curtin/commands/main.py", line 202, in main
            ret = args.func(args)
                  ^^^^^^^^^^^^^^^
          File "/curtin/curtin/commands/curthooks.py", line 1952, in curthooks
            builtin_curthooks(cfg, target, state)
          File "/curtin/curtin/commands/curthooks.py", line 1917, in builtin_curthooks
            setup_grub(cfg, target, osfamily=osfamily,
          File "/curtin/curtin/commands/curthooks.py", line 823, in setup_grub
            install_grub(instdevs, target, uefi=uefi_bootable, grubcfg=grubcfg)
          File "/curtin/curtin/commands/install_grub.py", line 447, in install_grub
            in_chroot.subp(cmd, env=env, capture=True)
          File "/curtin/curtin/util.py", line 792, in subp
            return subp(*args, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^
          File "/curtin/curtin/util.py", line 280, in subp
            return _subp(*args, **kwargs)
                   ^^^^^^^^^^^^^^^^^^^^^^
          File "/curtin/curtin/util.py", line 144, in _subp
            raise ProcessExecutionError(stdout=out, stderr=err,
        curtin.util.ProcessExecutionError: Unexpected error while running command.
        Command: ['unshare', '--fork', '--pid', '--', 'chroot', '/tmp/tmpv92scyb6/target', 'grub2-mkconfig', '-o', '/boot/efi/EFI/redhat/grub.cfg']
        Exit code: 1
        Reason: -
        Stdout: ''
        Stderr: Running `grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg' will overwrite the GRUB wrapper.
                Please run `grub2-mkconfig -o /boot/grub2/grub.cfg' instead to update grub.cfg.
                GRUB configuration file was not updated.
```

** Affects: curtin
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2116245
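
Added example, not part of the original report and not Curtin's own code: one way an installer could avoid the refusal shown above is to inspect the ESP grub.cfg inside the target tree before building the grub2-mkconfig command. The stub contents, the detection heuristic and the function names are assumptions made for illustration; the two paths are the ones that appear in the stderr output.

```python
import os
import tempfile

# Constructed samples; the stub's contents are an assumption, not from the page.
SAMPLE_WRAPPER = (
    "search --no-floppy --fs-uuid --set=dev 0000-PLACEHOLDER\n"
    "set prefix=($dev)/grub2\n"
    "export $prefix\n"
    "configfile $prefix/grub.cfg\n"
)
SAMPLE_FULL = "menuentry 'constructed' {\n  linux /vmlinuz\n}\n"
ESP_CFG = "/boot/efi/EFI/redhat/grub.cfg"   # path refused in the log
BOOT_CFG = "/boot/grub2/grub.cfg"           # path suggested by grub2-mkconfig


def is_wrapper(text):
    """Heuristic: a stub chains to another config and defines no boot entries."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    words = {l.split()[0] for l in lines if not l.startswith("#")}
    return "configfile" in words and not words & {"menuentry", "blscfg"}


def mkconfig_cmd(target, esp_cfg=ESP_CFG, boot_cfg=BOOT_CFG):
    """Build the grub2-mkconfig argv without pointing -o at a wrapper stub."""
    on_disk = os.path.join(target, esp_cfg.lstrip("/"))
    try:
        with open(on_disk, encoding="utf-8", errors="replace") as fh:
            wrapped = is_wrapper(fh.read())
    except FileNotFoundError:
        wrapped = False  # assumption: no stub means the older ESP-only layout
    return ["grub2-mkconfig", "-o", boot_cfg if wrapped else esp_cfg]


def demo():
    """Build two throwaway target trees and return the argv chosen for each."""
    results = {}
    for name, body in (("stub", SAMPLE_WRAPPER), ("full", SAMPLE_FULL)):
        with tempfile.TemporaryDirectory() as target:
            cfg = os.path.join(target, ESP_CFG.lstrip("/"))
            os.makedirs(os.path.dirname(cfg))
            with open(cfg, "w", encoding="utf-8") as fh:
                fh.write(body)
            results[name] = mkconfig_cmd(target)
    return results


if __name__ == "__main__":
    print(demo())
```

The check runs against the unpacked target tree from outside the chroot, so the signed shim and the wrapper on the ESP are only read, never rewritten.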
