#1108123 Trixie installation on virtual machine (not tested on physical) don't boot. It remain stucked in GRUB

Package:
debian-installer
Source:
debian-installer
Description:
Debian Installer documentation
Submitter:
Alex. I. TRIPCEA
Date:
2025-09-03 13:27:01 UTC
Severity:
normal
#1108123#5
Date:
2025-06-20 21:17:35 UTC
From:
To:
On a Debian 12 bookworm physical machine, I installed Trixie, from
debian-trixie-DI-rc1-amd64-netinst.iso image, on a KVM virtual machine with
the following settings:
  2 vCPU
  4GiB RAM
The rest of the settings are default values in KVM on debian 12.
Disk configuration:
  ESP partition 128MiB
  /boot 1GiB - JFS
  /root 12GiB - JFS
  swap 8GiB
  /var, /tmp, /opt, /home, /srv - distinct partitions with JFS.
Installation completed successfully.
After reboot, the machine has stop at GRUB prompt. I tried to verify access
to partitions and the result for command
  ls (hd0, 2)
which is the /boot partition, is
  partition hd0,2: no known filesystem detected - Partition start at 1024
KiB - Total size 130048 KiB
Repeating installation with /boot partition as XFS or EXT* worked like a
charm.

All the best,
Alex Tripcea

#1108123#10
Date:
2025-06-20 22:09:54 UTC
From:
To:
Is UEFI secure boot enabled ? JFS and other unsafe filesystems are
disabled under lockdown (when secure boot is disabled) in GRUB since
version 2.12-6.

#1108123#15
Date:
2025-06-20 22:16:49 UTC
From:
To:
Le 21/06/2025 à 00:09, Pascal Hambourg a écrit :

Oops, I meant when secure boot is enabled of course.

#1108123#20
Date:
2025-06-20 22:30:58 UTC
From:
To:
All the settings of virtual machine (except vCPU and RAM) have the default
values of the KVM package as you can see below:

 <domain type="kvm">
  <name>testdesk</name>
  <uuid>786c44e6-03b5-4f7e-b41c-6bb8a58bc608</uuid>
  <metadata>
    <libosinfo:libosinfo xmlns:libosinfo="
http://libosinfo.org/xmlns/libvirt/domain/1.0">
      <libosinfo:os id="http://debian.org/debian/testing"/>
    </libosinfo:libosinfo>
  </metadata>
  <memory unit="KiB">4194304</memory>
  <currentMemory unit="KiB">4194304</currentMemory>
  <vcpu placement="static">2</vcpu>
  <os firmware="efi">
    <type arch="x86_64" machine="pc-q35-7.2">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <vmport state="off"/>
  </features>
  <cpu mode="host-passthrough" check="none" migratable="on"/>
  <clock offset="utc">
    <timer name="rtc" tickpolicy="catchup"/>
    <timer name="pit" tickpolicy="delay"/>
    <timer name="hpet" present="no"/>
  </clock>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>destroy</on_crash>
  <pm>
    <suspend-to-mem enabled="no"/>
    <suspend-to-disk enabled="no"/>
  </pm>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type="file" device="disk">
      <driver name="qemu" type="qcow2"/>
      <source file="/home/alext/VMs/testdesk.qcow2"/>
      <target dev="vda" bus="virtio"/>
      <address type="pci" domain="0x0000" bus="0x04" slot="0x00"
function="0x0"/>
    </disk>
    <controller type="usb" index="0" model="qemu-xhci" ports="15">
      <address type="pci" domain="0x0000" bus="0x02" slot="0x00"
function="0x0"/>
    </controller>
    <controller type="pci" index="0" model="pcie-root"/>
    <controller type="pci" index="1" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="1" port="0x10"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="2" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="2" port="0x11"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x1"/>
    </controller>
    <controller type="pci" index="3" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="3" port="0x12"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x2"/>
    </controller>
    <controller type="pci" index="4" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="4" port="0x13"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x3"/>
    </controller>
    <controller type="pci" index="5" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="5" port="0x14"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x4"/>
    </controller>
    <controller type="pci" index="6" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="6" port="0x15"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x5"/>
    </controller>
    <controller type="pci" index="7" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="7" port="0x16"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x6"/>
    </controller>
    <controller type="pci" index="8" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="8" port="0x17"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x02"
function="0x7"/>
    </controller>
    <controller type="pci" index="9" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="9" port="0x18"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x0" multifunction="on"/>
    </controller>
    <controller type="pci" index="10" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="10" port="0x19"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x1"/>
    </controller>
    <controller type="pci" index="11" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="11" port="0x1a"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x2"/>
    </controller>
    <controller type="pci" index="12" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="12" port="0x1b"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x3"/>
    </controller>
    <controller type="pci" index="13" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="13" port="0x1c"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x4"/>
    </controller>
    <controller type="pci" index="14" model="pcie-root-port">
      <model name="pcie-root-port"/>
      <target chassis="14" port="0x1d"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x03"
function="0x5"/>
    </controller>
    <controller type="sata" index="0">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x1f"
function="0x2"/>
    </controller>
    <controller type="virtio-serial" index="0">
      <address type="pci" domain="0x0000" bus="0x03" slot="0x00"
function="0x0"/>
    </controller>
    <interface type="bridge">
      <mac address="52:54:00:04:0b:34"/>
      <source bridge="vbr0"/>
      <model type="virtio"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00"
function="0x0"/>
    </interface>
    <serial type="pty">
      <target type="isa-serial" port="0">
        <model name="isa-serial"/>
      </target>
    </serial>
    <console type="pty">
      <target type="serial" port="0"/>
    </console>
    <channel type="unix">
      <target type="virtio" name="org.qemu.guest_agent.0"/>
      <address type="virtio-serial" controller="0" bus="0" port="1"/>
    </channel>
    <channel type="spicevmc">
      <target type="virtio" name="com.redhat.spice.0"/>
      <address type="virtio-serial" controller="0" bus="0" port="2"/>
    </channel>
    <input type="tablet" bus="usb">
      <address type="usb" bus="0" port="1"/>
    </input>
    <input type="mouse" bus="ps2"/>
    <input type="keyboard" bus="ps2"/>
    <tpm model="tpm-crb">
      <backend type="emulator" version="2.0"/>
    </tpm>
    <graphics type="spice" autoport="yes">
      <listen type="address"/>
      <image compression="off"/>
    </graphics>
    <sound model="ich9">
      <address type="pci" domain="0x0000" bus="0x00" slot="0x1b"
function="0x0"/>
    </sound>
    <audio id="1" type="spice"/>
    <video>
      <model type="virtio" heads="1" primary="yes"/>
      <address type="pci" domain="0x0000" bus="0x00" slot="0x01"
function="0x0"/>
    </video>
    <redirdev bus="usb" type="spicevmc">
      <address type="usb" bus="0" port="2"/>
    </redirdev>
    <redirdev bus="usb" type="spicevmc">
      <address type="usb" bus="0" port="3"/>
    </redirdev>
    <memballoon model="virtio">
      <address type="pci" domain="0x0000" bus="0x06" slot="0x00"
function="0x0"/>
    </memballoon>
    <rng model="virtio">
      <backend model="random">/dev/urandom</backend>
      <address type="pci" domain="0x0000" bus="0x07" slot="0x00"
function="0x0"/>
    </rng>
  </devices>
</domain>

#1108123#25
Date:
2025-06-20 22:56:21 UTC
From:
To:
That does not say if secure boot is enabled.
You can check at the GRUB prompt if the command "set" shows
"shim_lock=y", or in a root shell with "mokutil --sb-state".

#1108123#30
Date:
2025-06-21 15:29:42 UTC
From:
To:
I looked at the libvirt configuration. In the <os> tag, there is no sub
tag for <loader> or <nvram>, which suggests that the VM is booted via
BIOS instead of UEFI.

With kind regards,
Roland Clobus

#1108123#35
Date:
2025-06-21 16:42:05 UTC
From:
To:
firmware="efi"> and d-i partman would not allow to create an ESP when
booted in BIOS mode.

I tested trixie GRUB + JFS in bookworm virt-manager (QEMU/KVM):
- BIOS: ok
- EFI with secure boot off: ok
- EFI with secure boot on: ko

#1108123#40
Date:
2025-06-21 23:24:23 UTC
From:
To:
If I choose firmware UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
at installation, then after installation, the system boot without problems.
if, instead, I leave the default value - UEFI - then after instalation the
system remains at grub prompt.
No other differences between the two installations using
debian-trixie-DI-rc1-amd64-netinst.iso.

#1108123#45
Date:
2025-06-22 06:48:30 UTC
From:
To:
Did you check secure boot status with both setups ?
You can just boot the installation ISO, press "c" at GRUB menu to enter
GRUB prompt, run the command "set" and check if "shim_lock=y" is present
in the output.

According to /usr/share/doc/ovmf/README.Debian, OVMF_CODE_4M.secboot.fd
supports secure boot but has it disabled by default, without any keys.
OVMF_CODE_4M.ms.fd has secure boot enabled with Microsoft keys by default.

#1108123#50
Date:
2025-06-22 07:22:41 UTC
From:
To:
Yes, "shim_lock=y" is present, whatever the installation tested.
What is intriguing for me is that fact that after installing from bookworm
netinst media, same setting as with Trixie rc1 - firmware UEFI, the machine
boot ok

#1108123#55
Date:
2025-06-22 07:54:07 UTC
From:
To:
Do you mean that with OVMF_CODE_4M.secboot.fd, "shim_lock=y" is present
in GRUB environment variables (=secure boot is enabled) and yet trixie
can boot with /boot on JFS (=GRUB supports JFS) ? This should not be
possible.

The change which disables JFS support in GRUB when secure boot is
enabled was introduced in trixie, so bookworm is not affected.

#1108123#60
Date:
2025-06-22 15:21:00 UTC
From:
To:
I've re-tested the configurations I've been spoken about. I attached some
data about the machines and grub.

1. Using firmware UEFI. After reboot the machine stopped at grub prompt.
    "shim_lock=y" setting not present
2. Using firmware UEFI x86_64 /usr/share/OVMF/OVMF_CODE_4M.secboot.fd.
After reboot the machine started ok.
    "shim_lock=y" present.

Thank you for your patience

#1108123#65
Date:
2025-09-02 17:57:18 UTC
From:
To:
Installing Trixie on a Lenovo ThinkBook with all partitions Formated JFS
won't boot.
In re-installing with /boot partition as xfs2 boot without problems.
Please don't ignore the info.

All the best,
Alex Tripcea

#1108123#70
Date:
2025-09-03 10:14:20 UTC
From:
To:
are disabled when UEFI secure boot is enabled in GRUB since version
2.12-6 (in Trixie).

Should this bug be reassigned to src:grub2 ? It would probably be closed
with tag "wontfix", as this is the expected behaviour.

Or should it be reassigned to partman-jfs ? Partman could issue a
warning + confirmation dialog if the user chooses /boot on JFS.

Or should it be reassigned to grub-installer ? grub-installer could
issue a warning or error if /boot is on JFS. But it would be too late to
change the filesystem type.

Note: on UEFI platforms which support secure boot, expert install allows
the user to install systemd-boot instead of GRUB. Unlike GRUB,
systemd-boot does not read /boot at boot time so it is not affected by
/boot filesystem type. [1]

[1] At least not in the traditional /boot layout. systemd-boot can use
an "extended boot loader" partition mounted on /boot but this partition
uses a FAT filesystem and is not supported by Trixie kernel packages AFAIK.

#1108123#75
Date:
2025-09-03 13:01:53 UTC
From:
To:
from the installer before the trixie release, but left it too
late. I will remove partman-jfs shortly, so it won't be in forky.