
Bug#1033913: partman-auto-lvm: Broken "Guided - use entire disk and set up LVM" in UEFI mode



Package: partman-auto-lvm
Version: 87
Severity: serious
Justification: Maintainer says so

TL;DR: Answering “Yes” to the “Force UEFI installation?” makes sure the
installer pulls the right bootloader packages, despite misreading the
situation.

I've discovered this while testing D-I Bookworm RC 1 but also confirmed
it already existed in D-I Bookworm Alpha 2, and I'm therefore filing it
against the version found in the previous release (and deciding not to
block the Bookworm RC 1 release on it).

----

For baremetal tests on laptops requiring various firmware packages, I've
been using guided partitioning since forever, with one of these:
 - Guided - use entire disk
 - Guided - use entire disk and set up encrypted LVM

The former is used most of the time since it's slightly faster (fewer
prompts), while the latter is only used once in a while, to make sure a
“real” laptop-oriented install works fine (since every laptop should be
encrypted in my opinion).

Since I had just tested “Guided - use entire disk” in a virtual machine,
I decided to pick this instead when switching to the first laptop
(Asus Vivobook S14/S15 but that's very likely not a factor):
 - Guided - use entire disk and set up LVM

And… *WOW!*

The first surprise is this prompt:

    Force UEFI installation?

    This machine's firmware has started the installer in UEFI mode but
    it looks like there may be existing operating systems already
    installed using "BIOS compatibility mode". If you continue to
    install Debian in UEFI mode, it might be difficult to reboot the
    machine into any BIOS-mode operating systems later.

    If you wish to install in UEFI mode and don't care about keeping the
    ability to boot one of the existing systems, you have the option to
    force that here. If you wish to keep the option to boot an existing
    operating system, you should choose NOT to force UEFI installation
    here.

which defaults to No.

That's very surprising since the only operating system prior to the
installation was a Debian system, which was getting entirely erased (due
to using the full disk), and was installed in UEFI mode anyway.

I went for the default choice, since we expect the installer to make
smart suggestions, and unsuspecting users shouldn't have to know better.

That means we end up with installing grub-pc instead of grub-efi-amd64
and shim, being prompted where to install GRUB, and of course when it's
time to reboot, the UEFI firmware rightfully refuses to boot anything
since there's absolutely no signature whatsoever, which isn't a great
idea under Secure Boot:

    Secure Boot Violation

    Invalid signature detected. Check Secure Boot Policy in Setup.


Some additional info:
 - As mentioned in TL;DR, this can be worked around by answering Yes to
   “Force UEFI installation?”.
 - It doesn't seem to be dependent on possible traces of an existing
   system prior to the installation: Debian installed on the entire disk
   or with encrypted LVM on the entire disk doesn't seem to make a
   difference. Starting with a wiped disk (writing ~ 2 GB worth of
   zeros at the beginning of the disk) doesn't make a difference either.
 - It very much looks like the intermediary states are slightly
   different when setting up LVM and when setting up encrypted LVM, and
   the LVM case leads to some confusion in partman-efi's
   /lib/partman/init.d/50efi (which logs to /var/log/partman rather than
   to /var/log/syslog): “Found 0 ESPs, 3 non-ESPs”.
 - I'm filing this issue against partman-auto-lvm though, for
   discoverability purposes.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
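
Added example, not part of the original report or of any Debian package: a small shell check for the symptom described above (machine booted in UEFI mode, but the installed system has no EFI GRUB), plus a parser for the partman-efi count line quoted in the report. The function names, the sample data and the choice of shim-signed as the package behind "shim" are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed.

# Print "ESPs non-ESPs" from the last partman-efi count line in a log,
# e.g. /var/log/partman inside the installer.
partman_esp_counts() {
    sed -n 's/.*Found \([0-9][0-9]*\) ESPs, \([0-9][0-9]*\) non-ESPs.*/\1 \2/p' "$1" |
        tail -n 1
}

# $1: directory present only after a UEFI boot (normally /sys/firmware/efi)
# $2: file listing installed packages, one name per line, as produced by
#     dpkg-query -W -f='${Package}\n'
# Prints: bios | uefi-mismatch | uefi-no-shim | uefi-ok
check_bootloader() {
    [ -d "$1" ] || { echo bios; return 0; }
    if ! grep -qx 'grub-efi-amd64' "$2"; then
        echo uefi-mismatch      # UEFI boot, but no EFI GRUB (e.g. grub-pc)
    elif ! grep -qx 'shim-signed' "$2"; then
        echo uefi-no-shim       # EFI GRUB without the signed shim
    else
        echo uefi-ok
    fi
}

# Constructed sample: UEFI-booted machine, target ended up with grub-pc.
demo=$(mktemp -d)
mkdir "$demo/efi"
printf '%s\n' grub-common grub-pc grub-pc-bin > "$demo/pkgs"
echo '50efi: Found 0 ESPs, 3 non-ESPs' > "$demo/partman"   # prefix is made up
echo "bootloader state: $(check_bootloader "$demo/efi" "$demo/pkgs")"
echo "ESP / non-ESP count: $(partman_esp_counts "$demo/partman")"
```

On a real system, pass /sys/firmware/efi and a saved dpkg-query listing instead of the constructed files; a result of uefi-mismatch corresponds to the state that ends in the "Secure Boot Violation" screen above.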
