Package: partman-auto-lvm
Version: 87
Severity: serious
Justification: Maintainer says so

TL;DR: Answering “Yes” to the “Force UEFI installation?” makes sure the installer pulls the right bootloader packages, despite misreading the situation.

I've discovered this while testing D-I Bookworm RC 1 but also confirmed it already existed in D-I Bookworm Alpha 2, and I'm therefore filing it against the version found in the previous release (and deciding not to block the Bookworm RC 1 release on it).

----

For baremetal tests on laptops requiring various firmware packages, I've been using guided partitioning since forever, with one of these:

 - Guided - use entire disk
 - Guided - use entire disk and set up encrypted LVM

The former is used most of the time since it's slightly faster (fewer prompts), while the latter is only used once in a while, to make sure a “real” laptop-oriented install works fine (since every laptop should be encrypted in my opinion).

Since I had just tested “Guided - use entire disk” in a virtual machine, I decided to pick this instead when switching to the first laptop (Asus Vivobook S14/S15 but that's very likely not a factor):

 - Guided - use entire disk and set up LVM

And… *WOW!* The first surprise is this prompt:

    Force UEFI installation?

    This machine's firmware has started the installer in UEFI mode but it looks like there may be existing operating systems already installed using "BIOS compatibility mode". If you continue to install Debian in UEFI mode, it might be difficult to reboot the machine into any BIOS-mode operating systems later.

    If you wish to install in UEFI mode and don't care about keeping the ability to boot one of the existing systems, you have the option to force that here. If you wish to keep the option to boot an existing operating system, you should choose NOT to force UEFI installation here.

which defaults to No.

That's very surprising since the only operating system prior to the installation was a Debian system, which was getting entirely erased (due to using the full disk), and was installed in UEFI mode anyway.

I went for the default choice, since we expect the installer to make smart suggestions, and unsuspecting users shouldn't have to know better. That means we end up with installing grub-pc instead of grub-efi-amd64 and shim, being prompted where to install GRUB, and of course when it's time to reboot, the UEFI firmware rightfully refuses to boot anything since there's absolutely no signature whatsoever, which isn't a great idea under Secure Boot:

    Secure Boot Violation

    Invalid signature detected. Check Secure Boot Policy in Setup.

Some additional info:

 - As mentioned in TL;DR, this can be worked around by answering Yes to “Force UEFI installation?”.

 - It doesn't seem to be dependent on possible traces of an existing system prior to the installation: Debian installed on the entire disk or with encrypted LVM on the entire disk doesn't seem to make a difference. Starting with a wiped disk (writing ~ 2 GB worth of zeros at the beginning of the disk) doesn't make a difference either.

 - It very much looks like the intermediary states are slightly different when setting up LVM and when setting up encrypted LVM, and the LVM case leads to some confusion in partman-efi's /lib/partman/init.d/50efi (which logs to /var/log/partman rather than to /var/log/syslog): “Found 0 ESPs, 3 non-ESPs”.

 - I'm filing this issue against partman-auto-lvm though, for discoverability purposes.

Cheers,
-- 
Cyril Brulebois (k...@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
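
The mismatch described in this report (installer booted in UEFI mode, grub-pc installed instead of grub-efi-amd64 and shim) can be caught before the first reboot. The following check is an added example, not part of the report or of debian-installer. It assumes that the kernel exposes `firmware/efi` under sysfs only when booted via UEFI, that the installed system's package state is in `var/lib/dpkg/status`, and that "shim" refers to the `shim-signed` package; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-reboot sanity check for boot mode vs. bootloader packages.
# Function names are hypothetical; this is not debian-installer code.

# pkg_installed ROOT PKG
# Succeeds if PKG is marked "installed" in ROOT/var/lib/dpkg/status.
pkg_installed() {
    awk -v pkg="$2" '
        $1 == "Package:" { cur = $2 }
        $1 == "Status:" && cur == pkg && $4 == "installed" { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1/var/lib/dpkg/status" 2>/dev/null
}

# check_bootloader SYSFS ROOT
# SYSFS: sysfs mount point (default /sys); ROOT: installed system root
# (default /; assumed to be /target when run from the installer).
# Returns 0 if consistent, 1 on a boot-mode mismatch, 2 if UEFI without shim.
check_bootloader() {
    sysfs="${1:-/sys}"
    root="${2:-}"
    if [ -d "$sysfs/firmware/efi" ]; then
        if ! pkg_installed "$root" grub-efi-amd64; then
            echo "MISMATCH: booted in UEFI mode but grub-efi-amd64 is not installed"
            return 1
        fi
        if ! pkg_installed "$root" shim-signed; then
            echo "WARNING: grub-efi-amd64 installed without shim-signed"
            return 2
        fi
        echo "OK: UEFI boot with grub-efi-amd64 and shim-signed"
        return 0
    fi
    if pkg_installed "$root" grub-pc; then
        echo "OK: BIOS boot with grub-pc"
        return 0
    fi
    echo "MISMATCH: booted in BIOS mode but grub-pc is not installed"
    return 1
}
```

Calling `check_bootloader /sys /target` from an installer shell before rebooting would report the state described above as a mismatch.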