fix: remove Secure Boot shim chain — causes EFI boot failure on most hardware

The shim (shimx64.efi.signed) was being installed as BOOTX64.EFI but it
tries to load a second-stage binary with a garbled name, causing
"Failed to open \EFI\BOOT\" errors on machines with Secure Boot disabled.

Fix: use grub-install --removable directly (unsigned GRUB as BOOTX64.EFI).
This works on all UEFI hardware. Users with Secure Boot must disable it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

image-recipe/build-auto-installer-iso.sh

@@ -1464,59 +1464,22 @@ else
     fi
 fi
 
-# Secure Boot chain: set up shim+signed-grub alongside unsigned GRUB for maximum compatibility
-# Boot chain: BOOTX64.EFI (shim) → grubx64.efi (signed GRUB) → grub.cfg → kernel
-# Non-Secure-Boot: falls through shim to grubx64.efi which finds grub.cfg
-echo "   Setting up Secure Boot chain..."
-if [ "$ARCH" = "x86_64" ]; then
-    SHIM_SRC="/mnt/target/usr/lib/shim/shimx64.efi.signed"
-    GRUB_SIGNED_SRC="/mnt/target/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed"
-    EFI_BOOT_BINARY="BOOTX64.EFI"
-    GRUB_EFI_BINARY="grubx64.efi"
-    SHIM_EFI_BINARY="shimx64.efi"
-else
-    SHIM_SRC="/mnt/target/usr/lib/shim/shimaa64.efi.signed"
-    GRUB_SIGNED_SRC="/mnt/target/usr/lib/grub/arm64-efi-signed/grubaa64.efi.signed"
-    EFI_BOOT_BINARY="BOOTAA64.EFI"
-    GRUB_EFI_BINARY="grubaa64.efi"
-    SHIM_EFI_BINARY="shimaa64.efi"
-fi
+# EFI boot: grub-install --removable already placed unsigned GRUB at /EFI/BOOT/BOOTX64.EFI
+# This works on all machines without Secure Boot. For Secure Boot, users must disable it.
+# The shim chain was causing "Failed to open \EFI\BOOT\" errors with garbled filenames
+# on machines where Secure Boot is disabled — the shim tries to verify signatures and fails.
+echo "   Verifying EFI boot files..."
 EFI_BOOT_DIR="/mnt/target/boot/efi/EFI/BOOT"
-EFI_ARCHY_DIR="/mnt/target/boot/efi/EFI/archipelago"
-if [ -f "$SHIM_SRC" ] && [ -f "$GRUB_SIGNED_SRC" ]; then
-    # Fallback path (/EFI/BOOT/) — what UEFI firmware checks when no boot entry exists
-    mkdir -p "$EFI_BOOT_DIR"
-    # Save the unsigned GRUB that grub-install created (works without Secure Boot)
-    if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
-        cp "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" "$EFI_BOOT_DIR/grub_unsigned.efi"
-    fi
-    # Shim becomes the primary boot binary
-    cp "$SHIM_SRC" "$EFI_BOOT_DIR/$EFI_BOOT_BINARY"
-    # Signed GRUB must be next to shim (shim loads it by name)
-    cp "$GRUB_SIGNED_SRC" "$EFI_BOOT_DIR/$GRUB_EFI_BINARY"
-    # GRUB needs to find its config — create a minimal grub.cfg that chains to the real one
-    cat > "$EFI_BOOT_DIR/grub.cfg" <<'GRUBCFG'
-search.fs_uuid ${GRUB_ROOT_UUID} root
-set prefix=($root)'/boot/grub'
-configfile $prefix/grub.cfg
-GRUBCFG
-    # Replace placeholder with actual root UUID
-    ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")
-    sed -i "s/\${GRUB_ROOT_UUID}/$ROOT_UUID/" "$EFI_BOOT_DIR/grub.cfg"
-
-    # Named entry path (/EFI/archipelago/) — for efibootmgr-registered entries
-    mkdir -p "$EFI_ARCHY_DIR"
-    cp "$SHIM_SRC" "$EFI_ARCHY_DIR/$SHIM_EFI_BINARY"
-    cp "$GRUB_SIGNED_SRC" "$EFI_ARCHY_DIR/$GRUB_EFI_BINARY"
-    cp "$EFI_BOOT_DIR/grub.cfg" "$EFI_ARCHY_DIR/grub.cfg"
-
-    echo "   ✅ Secure Boot chain installed (shim + signed GRUB + grub.cfg)"
-    echo "   EFI contents:"
+if [ "$ARCH" = "x86_64" ]; then
+    EFI_BOOT_BINARY="BOOTX64.EFI"
+else
+    EFI_BOOT_BINARY="BOOTAA64.EFI"
+fi
+if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
+    echo "   ✅ UEFI boot binary present: $EFI_BOOT_DIR/$EFI_BOOT_BINARY"
     ls -la "$EFI_BOOT_DIR/"
 else
-    echo "   ⚠️  Signed shim/GRUB not found — Secure Boot machines must disable Secure Boot"
-    [ ! -f "$SHIM_SRC" ] && echo "      Missing: $(basename $SHIM_SRC)"
-    [ ! -f "$GRUB_SIGNED_SRC" ] && echo "      Missing: $(basename $GRUB_SIGNED_SRC)"
+    echo "   ❌ Missing $EFI_BOOT_DIR/$EFI_BOOT_BINARY — boot will fail!"
 fi
 
 # Legacy BIOS boot: only install if the installer booted in Legacy BIOS mode