#1108123 Trixie installation on virtual machine (not tested on physical) don't boot. It remain stucked in GRUB #1108123
- Package:
- debian-installer
- Source:
- debian-installer
- Description:
- Debian Installer documentation
- Submitter:
- Alex. I. TRIPCEA
- Date:
- 2025-09-03 13:27:01 UTC
- Severity:
- normal
On a Debian 12 bookworm physical machine, I installed Trixie, from debian-trixie-DI-rc1-amd64-netinst.iso image, on a KVM virtual machine with the following settings: 2 vCPU 4GiB RAM The rest of the settings are default values in KVM on debian 12. Disk configuration: ESP partition 128MiB /boot 1GiB - JFS /root 12GiB - JFS swap 8GiB /var, /tmp, /opt, /home, /srv - distinct partitions with JFS. Installation completed successfully. After reboot, the machine has stop at GRUB prompt. I tried to verify access to partitions and the result for command ls (hd0, 2) which is the /boot partition, is partition hd0,2: no known filesystem detected - Partition start at 1024 KiB - Total size 130048 KiB Repeating installation with /boot partition as XFS or EXT* worked like a charm. All the best, Alex Tripcea
Is UEFI secure boot enabled ? JFS and other unsafe filesystems are disabled under lockdown (when secure boot is disabled) in GRUB since version 2.12-6.
Le 21/06/2025 à 00:09, Pascal Hambourg a écrit : Oops, I meant when secure boot is enabled of course.
All the settings of virtual machine (except vCPU and RAM) have the default
values of the KVM package as you can see below:
<domain type="kvm">
<name>testdesk</name>
<uuid>786c44e6-03b5-4f7e-b41c-6bb8a58bc608</uuid>
<metadata>
<libosinfo:libosinfo xmlns:libosinfo="
http://libosinfo.org/xmlns/libvirt/domain/1.0">
<libosinfo:os id="http://debian.org/debian/testing"/>
</libosinfo:libosinfo>
</metadata>
<memory unit="KiB">4194304</memory>
<currentMemory unit="KiB">4194304</currentMemory>
<vcpu placement="static">2</vcpu>
<os firmware="efi">
<type arch="x86_64" machine="pc-q35-7.2">hvm</type>
<boot dev="hd"/>
</os>
<features>
<acpi/>
<apic/>
<vmport state="off"/>
</features>
<cpu mode="host-passthrough" check="none" migratable="on"/>
<clock offset="utc">
<timer name="rtc" tickpolicy="catchup"/>
<timer name="pit" tickpolicy="delay"/>
<timer name="hpet" present="no"/>
</clock>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<pm>
<suspend-to-mem enabled="no"/>
<suspend-to-disk enabled="no"/>
</pm>
<devices>
<emulator>/usr/bin/qemu-system-x86_64</emulator>
<disk type="file" device="disk">
<driver name="qemu" type="qcow2"/>
<source file="/home/alext/VMs/testdesk.qcow2"/>
<target dev="vda" bus="virtio"/>
<address type="pci" domain="0x0000" bus="0x04" slot="0x00"
function="0x0"/>
</disk>
<controller type="usb" index="0" model="qemu-xhci" ports="15">
<address type="pci" domain="0x0000" bus="0x02" slot="0x00"
function="0x0"/>
</controller>
<controller type="pci" index="0" model="pcie-root"/>
<controller type="pci" index="1" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="1" port="0x10"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x0" multifunction="on"/>
</controller>
<controller type="pci" index="2" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="2" port="0x11"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x1"/>
</controller>
<controller type="pci" index="3" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="3" port="0x12"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x2"/>
</controller>
<controller type="pci" index="4" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="4" port="0x13"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x3"/>
</controller>
<controller type="pci" index="5" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="5" port="0x14"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x4"/>
</controller>
<controller type="pci" index="6" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="6" port="0x15"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x5"/>
</controller>
<controller type="pci" index="7" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="7" port="0x16"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x6"/>
</controller>
<controller type="pci" index="8" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="8" port="0x17"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x7"/>
</controller>
<controller type="pci" index="9" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="9" port="0x18"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x0" multifunction="on"/>
</controller>
<controller type="pci" index="10" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="10" port="0x19"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x1"/>
</controller>
<controller type="pci" index="11" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="11" port="0x1a"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x2"/>
</controller>
<controller type="pci" index="12" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="12" port="0x1b"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x3"/>
</controller>
<controller type="pci" index="13" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="13" port="0x1c"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x4"/>
</controller>
<controller type="pci" index="14" model="pcie-root-port">
<model name="pcie-root-port"/>
<target chassis="14" port="0x1d"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x5"/>
</controller>
<controller type="sata" index="0">
<address type="pci" domain="0x0000" bus="0x00" slot="0x1f"
function="0x2"/>
</controller>
<controller type="virtio-serial" index="0">
<address type="pci" domain="0x0000" bus="0x03" slot="0x00"
function="0x0"/>
</controller>
<interface type="bridge">
<mac address="52:54:00:04:0b:34"/>
<source bridge="vbr0"/>
<model type="virtio"/>
<address type="pci" domain="0x0000" bus="0x01" slot="0x00"
function="0x0"/>
</interface>
<serial type="pty">
<target type="isa-serial" port="0">
<model name="isa-serial"/>
</target>
</serial>
<console type="pty">
<target type="serial" port="0"/>
</console>
<channel type="unix">
<target type="virtio" name="org.qemu.guest_agent.0"/>
<address type="virtio-serial" controller="0" bus="0" port="1"/>
</channel>
<channel type="spicevmc">
<target type="virtio" name="com.redhat.spice.0"/>
<address type="virtio-serial" controller="0" bus="0" port="2"/>
</channel>
<input type="tablet" bus="usb">
<address type="usb" bus="0" port="1"/>
</input>
<input type="mouse" bus="ps2"/>
<input type="keyboard" bus="ps2"/>
<tpm model="tpm-crb">
<backend type="emulator" version="2.0"/>
</tpm>
<graphics type="spice" autoport="yes">
<listen type="address"/>
<image compression="off"/>
</graphics>
<sound model="ich9">
<address type="pci" domain="0x0000" bus="0x00" slot="0x1b"
function="0x0"/>
</sound>
<audio id="1" type="spice"/>
<video>
<model type="virtio" heads="1" primary="yes"/>
<address type="pci" domain="0x0000" bus="0x00" slot="0x01"
function="0x0"/>
</video>
<redirdev bus="usb" type="spicevmc">
<address type="usb" bus="0" port="2"/>
</redirdev>
<redirdev bus="usb" type="spicevmc">
<address type="usb" bus="0" port="3"/>
</redirdev>
<memballoon model="virtio">
<address type="pci" domain="0x0000" bus="0x06" slot="0x00"
function="0x0"/>
</memballoon>
<rng model="virtio">
<backend model="random">/dev/urandom</backend>
<address type="pci" domain="0x0000" bus="0x07" slot="0x00"
function="0x0"/>
</rng>
</devices>
</domain>
That does not say if secure boot is enabled. You can check at the GRUB prompt if the command "set" shows "shim_lock=y", or in a root shell with "mokutil --sb-state".
I looked at the libvirt configuration. In the <os> tag, there is no sub tag for <loader> or <nvram>, which suggests that the VM is booted via BIOS instead of UEFI. With kind regards, Roland Clobus
firmware="efi"> and d-i partman would not allow to create an ESP when booted in BIOS mode. I tested trixie GRUB + JFS in bookworm virt-manager (QEMU/KVM): - BIOS: ok - EFI with secure boot off: ok - EFI with secure boot on: ko
If I choose firmware UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd at installation, then after installation, the system boot without problems. if, instead, I leave the default value - UEFI - then after instalation the system remains at grub prompt. No other differences between the two installations using debian-trixie-DI-rc1-amd64-netinst.iso.
Did you check secure boot status with both setups ? You can just boot the installation ISO, press "c" at GRUB menu to enter GRUB prompt, run the command "set" and check if "shim_lock=y" is present in the output. According to /usr/share/doc/ovmf/README.Debian, OVMF_CODE_4M.secboot.fd supports secure boot but has it disabled by default, without any keys. OVMF_CODE_4M.ms.fd has secure boot enabled with Microsoft keys by default.
Yes, "shim_lock=y" is present, whatever the installation tested. What is intriguing for me is that fact that after installing from bookworm netinst media, same setting as with Trixie rc1 - firmware UEFI, the machine boot ok
Do you mean that with OVMF_CODE_4M.secboot.fd, "shim_lock=y" is present in GRUB environment variables (=secure boot is enabled) and yet trixie can boot with /boot on JFS (=GRUB supports JFS) ? This should not be possible. The change which disables JFS support in GRUB when secure boot is enabled was introduced in trixie, so bookworm is not affected.
I've re-tested the configurations I've been spoken about. I attached some
data about the machines and grub.
1. Using firmware UEFI. After reboot the machine stopped at grub prompt.
"shim_lock=y" setting not present
2. Using firmware UEFI x86_64 /usr/share/OVMF/OVMF_CODE_4M.secboot.fd.
After reboot the machine started ok.
"shim_lock=y" present.
Thank you for your patience
Installing Trixie on a Lenovo ThinkBook with all partitions Formated JFS won't boot. In re-installing with /boot partition as xfs2 boot without problems. Please don't ignore the info. All the best, Alex Tripcea
are disabled when UEFI secure boot is enabled in GRUB since version 2.12-6 (in Trixie). Should this bug be reassigned to src:grub2 ? It would probably be closed with tag "wontfix", as this is the expected behaviour. Or should it be reassigned to partman-jfs ? Partman could issue a warning + confirmation dialog if the user chooses /boot on JFS. Or should it be reassigned to grub-installer ? grub-installer could issue a warning or error if /boot is on JFS. But it would be too late to change the filesystem type. Note: on UEFI platforms which support secure boot, expert install allows the user to install systemd-boot instead of GRUB. Unlike GRUB, systemd-boot does not read /boot at boot time so it is not affected by /boot filesystem type. [1] [1] At least not in the traditional /boot layout. systemd-boot can use an "extended boot loader" partition mounted on /boot but this partition uses a FAT filesystem and is not supported by Trixie kernel packages AFAIK.
from the installer before the trixie release, but left it too late. I will remove partman-jfs shortly, so it won't be in forky.