When the boot process is not working we have to rescue the system. Since many of the partitions are encrypted and I have Secure Boot and multi-boot, it is complicated. Here are some notes to make it faster.
UEFI has a fallback boot path hardcoded at /EFI/BOOT/BOOTX64.EFI. Modify it only if you know what you are doing.
I had to use Ventoy with the Windows installer ISO. No other method would properly boot the Windows installer so that it could see the hard drive.
Most Linux distros use the shim model to enable Secure Boot. In this model the shim is signed by Microsoft so that Secure Boot accepts it, and the shim takes care of booting whatever Linux kernel the user wants. To boot securely the kernel images are signed with Machine Owner Keys (MOKs) that are enrolled into the MOK database ON THE machine. Ideally, you generate one key and keep it safe. Multiple keys may be generated, but the database can only hold so many.
Generally, distros install a shim that chain-loads GRUB.
When directly booting a Linux kernel from UEFI (no GRUB or other bootloader) we have to register the UKI (unified kernel image) as a boot entry. If the images are not signed, Secure Boot will not work. With Secure Boot off these entries should work.
DEV=/dev/nvme0n1                              # disk that holds the ESP
PART=6                                        # partition number of the ESP on that disk
IMG="\EFI\Linux\linux-unsigned.efi"           # path on the ESP, backslash-separated as UEFI expects
efibootmgr -c -d $DEV -p $PART -L "My Unsigned Linux Boot" -l "$IMG"
IMG="\EFI\Linux\linux-unsigned-old.efi"
efibootmgr -c -d $DEV -p $PART -L "My Backup Unsigned Linux Boot" -l "$IMG"
Secure Boot requires images signed with keys that have been enrolled in UEFI.
DEV=/dev/nvme0n1
PART=6
IMG="\EFI\Linux\linux-signed.efi"             # UKI signed with the enrolled MOK
efibootmgr -c -d $DEV -p $PART -L "My Linux Boot" -l "$IMG"
IMG="\EFI\Linux\linux-signed-old.efi"
efibootmgr -c -d $DEV -p $PART -L "My Backup Linux Boot" -l "$IMG"
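With several entries like the ones above plus rEFInd, it is easy to end up with an NVRAM entry whose loader is gone from the ESP or is unsigned, and it only shows up at the next reboot. The following is an added example (not from these notes) that audits `efibootmgr -v` output against the ESP and, when sbverify from sbsigntool is installed and a MOK certificate is given, checks each loader's signature; the sample entries, disk GUIDs and the fake ESP are constructed.

```shell
# Added example, not part of the original notes: audit the NVRAM boot entries
# against what is actually on the ESP, so a stale entry for a loader that was
# overwritten or never signed is caught before rebooting. Assumes efibootmgr -v
# output format and sbverify from sbsigntool (optional).
# check_boot_entries <file with efibootmgr -v output> <ESP mount> [MOK cert .pem]
# Prints "Boot#### STATE /EFI/path" per entry: MISSING, PRESENT (no cert or no
# sbverify), SIGNED (verifies against the cert) or UNSIGNED.
check_boot_entries() {
    entries=$1; esp=$2; cert=$3
    grep '^Boot[0-9A-F]\{4\}' "$entries" | while IFS= read -r line; do
        id=$(printf '%s' "$line" | cut -c1-8)
        # The loader path is the File(...) node at the end of the device path
        path=$(printf '%s\n' "$line" | sed -n 's/.*\/File(\([^)]*\)).*/\1/p')
        [ -z "$path" ] && continue                 # no File() node, e.g. PXE entries
        rel=$(printf '%s' "$path" | tr '\\' '/')   # \EFI\x.efi -> /EFI/x.efi
        full="$esp$rel"
        if [ ! -f "$full" ]; then
            echo "$id MISSING $rel"
        elif [ -n "$cert" ] && command -v sbverify >/dev/null 2>&1; then
            if sbverify --cert "$cert" "$full" >/dev/null 2>&1; then
                echo "$id SIGNED $rel"
            else
                echo "$id UNSIGNED $rel"
            fi
        else
            echo "$id PRESENT $rel"
        fi
    done
}
# Constructed sample of "efibootmgr -v" output (disk GUIDs are placeholders).
write_sample_entries() {
    cat > "$1" <<'EOF'
BootOrder: 0001,0002,0000
Boot0000* Windows Boot Manager HD(1,GPT,11111111-2222-3333-4444-555555555555,0x800,0x32000)/File(\EFI\Microsoft\Boot\bootmgfw.efi)
Boot0001* My Linux Boot HD(6,GPT,66666666-7777-8888-9999-aaaaaaaaaaaa,0x100000,0x200000)/File(\EFI\Linux\linux-signed.efi)
Boot0002* rEFInd Boot Manager HD(6,GPT,66666666-7777-8888-9999-aaaaaaaaaaaa,0x100000,0x200000)/File(\EFI\refind\refind_x64.efi)
Boot0003* UEFI: PXE IPv4 PciRoot(0x0)/Pci(0x1c,0x0)/MAC(001122334455,1)
EOF
}
# Stand-alone demo on a throwaway fake ESP where only the Linux UKI exists; on a
# real system: efibootmgr -v > /tmp/e && check_boot_entries /tmp/e /boot/efi /root/secureboot/keys/MOK.pem
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/esp/EFI/Linux" && : > "$tmp/esp/EFI/Linux/linux-signed.efi"
    write_sample_entries "$tmp/entries"
    check_boot_entries "$tmp/entries" "$tmp/esp"
    rm -rf "$tmp"
}
demo
```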
Identify the LUKS partition that is not working. It will likely end up being the only one that works, since Ubuntu by default assumes it is the only Ubuntu-based distro installed. Use lsblk to see the partitions:
lsblk -o UUID,NAME,PARTLABEL,LABEL,SIZE,FSTYPE | grep -v loop
Put that device in a variable using the UUID associated with it, then decrypt the partition. I use a particular naming standard for my opened devices:
ID=abcdefg123-xyz.....                        # UUID of the LUKS partition from lsblk
DEV=/dev/disk/by-uuid/$ID
cryptsetup luksOpen $DEV luks-$ID             # opens it as /dev/mapper/luks-$ID
Now that the device is open we can mount it for rescue:
mkdir /mnt/luks-$ID
mount /dev/mapper/luks-$ID /mnt/luks-$ID
cd /mnt/luks-$ID
mount --bind /sys sys                         # bind mounts are relative to the mounted root
mount --bind /dev dev
mount --bind /proc proc
chroot into the environment and run the rescue:
chroot /mnt/luks-$ID
mount -a
If /boot is not mounted, find the partition and mount it manually. Assume partition 8 is our boot partition:
mount /dev/nvme0n1p8 /boot
Now check for the EFI partition and mount it if it is missing. Assume it is #6 for this example:
mount /dev/nvme0n1p6 /boot/efi/
OK, time to fix GRUB:
grub-install --target=x86_64-efi --efi-directory=/boot/efi --bootloader-id=grub
update-grub
Now unmount everything and reboot:
umount /boot/efi
umount /boot
exit
cd ..
umount /mnt/luks-$ID/proc
umount /mnt/luks-$ID/dev
umount /mnt/luks-$ID/sys
umount /mnt/luks-$ID
cryptsetup luksClose /dev/mapper/luks-$ID
reboot
The first install of rEFInd adds it to the UEFI boot entries. If it gets trashed it may be re-installed. This can be done from your current system or from a live USB. If it is trashed, the live USB will put it back. The install asks about updating the EFI drive (and NVRAM?); say yes.
sudo apt install refind
When rEFInd is first installed it is not signed with the current user's key. If it is using shim it won't boot with Secure Boot on. In any case we may need to turn off Secure Boot to get it to boot.
If rEFInd needs signing after re-installing, use the MOK that has been enrolled. This will overwrite the current rEFInd boot image that is installed by default. Secure Boot may need to be off to get to this point, but ideally it works once this is done.
# sign the installed rEFInd image in place with the enrolled MOK
sudo sbsign --key /root/secureboot/keys/MOK.key \
--cert /root/secureboot/keys/MOK.pem \
--output /boot/efi/EFI/refind/refind_x64.efi \
/boot/efi/EFI/refind/refind_x64.efi
The certificate needs to be in PEM format?
After I did that rEFInd disappeared, so I'll start over.
rEFInd will sign with my own keys if I copy them to /etc/refind.d/keys:
ln -sf /root/secureboot/keys/MOK.key /etc/refind.d/keys/refind_local.key   # names refind-install looks for
ln -sf /root/secureboot/keys/MOK.pem /etc/refind.d/keys/refind_local.crt
refind-install --localkeys                                                  # sign with the keys in /etc/refind.d/keys
It still doesn't work. After signing, rEFInd disappears....