#1135137 upgrade-reports: Bookworm -> Trixie mdadm raid EFI not updated on both disks

Package:
grub-efi-amd64
Source:
grub-efi-amd64
Description:
GRand Unified Bootloader, version 2 (EFI-AMD64 version)
Submitter:
Thorsten Behrens
Date:
2026-05-01 18:25:02 UTC
Severity:
normal
#1135137#5
Date:
2026-04-28 07:16:07 UTC
From:
To:
Dear Maintainer,

   * What led up to the situation?

On a fresh install of Debian 12, on an OVH baremetal machine with mdadm
raid-0, I upgraded to Debian 13. After upgrade, grub in EFI had been
upgraded in one drive, but not the other.

I can reproduce this, and the drive that does get upgraded appears to be
somewhat random.
If the partition that's mounted to /boot/efi misses the upgrade, the system
will fail to boot and end up in BIOS, from where EFI shell can be accessed.

I have a `script` of the upgrade and will attempt to upload it. I did
not see anything jump out of me there.

To investigate, I used `strings` and mounted the second EFI partition to
`/mnt/second-efi`

Before upgrade, both partitions have grub 2.06, as expected:
```
$ strings /boot/efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20

$ strings /mnt/second-efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20
```

Now run an upgrade as per release notes, do not yet reboot, and check
again. Only one partition has the upgraded grub 2.12

```
$ strings /boot/efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
grub_diskfilter_read_node
grub,5,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.12-9+deb13u1,https://tracker.debian.org/pkg/grub2
grub.debian13,1,Debian,grub2,2.12-9+deb13u1,https://tracker.debian.org/pkg/grub2
grub.peimage,2,Canonical,grub2,2.12-9+deb13u1,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
&Debian Secure Boot Signer 2022 - grub20

$ strings /mnt/second-efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20
```

If `/boot/efi` were old, I'd expect `reboot` to fail here

Manually upgrade the old EFI and verify
```
$ sudo grub-install --target=x86_64-efi --efi-directory=/mnt/second-efi --bootloader-id=debian
$ strings /mnt/second-efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
grub_diskfilter_read_node
grub,5,Free Software Foundation,grub,2.12,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,2.12-9+deb13u1,https://tracker.debian.org/pkg/grub2
grub.debian13,1,Debian,grub2,2.12-9+deb13u1,https://tracker.debian.org/pkg/grub2
grub.peimage,2,Canonical,grub2,2.12-9+deb13u1,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
&Debian Secure Boot Signer 2022 - grub20
```

This resolves the issue.

**Desired behavior**

Upgrade via `sudo apt dist-upgrade` upgrades all EFI partitions in an
mdadm raid setup.

#1135137#10
Date:
2026-04-28 08:18:02 UTC
From:
To:
I am unsure which package the issue is in. What determines, during upgrade, where to install Grub EFI? Is it grub? Is it mdadm? Is it the updater itself? Please help steer this bug to the correct place.

Some more context.

I first encountered this issue in June 2025, on a fleet of about 100 servers. After the first few failures, we stopped. I finally got around to tracking the issue down.

I have reproduced the issue on a system with raid0. I do not yet know whether it also occurs with raid1.

The very same, identical, machines were successfully upgraded from Debian 11 to Debian 12. In many cases not just the same hardware class, but the actual machine that went through an 11->12 upgrade.

My reproduction is from a fresh 12 install, to reduce variables.

Kind Regards
Thorsten

#1135137#15
Date:
2026-04-28 08:19:59 UTC
From:
To:
While reproducing the bug, I captured upgrade terminal output with script. I forgot to create a timing file, but you can view it with less -R.

Attempting to attach the typescript file.

#1135137#20
Date:
2026-04-28 09:03:13 UTC
From:
To:
The issue can be recreated on a raid1 system, as well. Script log attached, this time with timing file
#1135137#25
Date:
2026-04-28 11:24:07 UTC
From:
To:
Not the maintainer of any of the relevant packages, but trying to
help this bug forward.

grub's postinst runs grub-install. grub-install determines the
install location. I -think- it just uses /boot/efi, but the grub
maintainers will know better.

mdadm is not involved. There is no "updater" in Debian.

Best,
Chris

#1135137#30
Date:
2026-04-28 11:37:09 UTC
From:
To:
Correct.

Correct.

It's a longstanding hole in grub-efi (sorry!), but there is nothing
special here yet to make a RAIDed ESP work. Thorsten: how did you set
things up, exactly?

#1135137#35
Date:
2026-04-28 12:36:56 UTC
From:
To:
Apologies, I need to learn to Reply All. 2nd try

Thank you for engaging with this!

This is an OVH baremetal, so on my end it's just "install Debian 12 through OVH interface, they provision efibootmgr, mdadm and raid0/1". Which of course is supremely unhelpful to you.

For starters, here's lsblk

lsblk -o NAME,SIZE,TYPE,FSTYPE,LABEL,PARTUUID,UUID,MOUNTPOINTS
NAME          SIZE TYPE  FSTYPE            LABEL          PARTUUID                             UUID                                 MOUNTPOINTS
nvme0n1     476.9G disk
├─nvme0n1p1   511M part  vfat              EFI_SYSPART    ded29cd6-9e09-4b32-8826-7f10660f8690 2B1D-A9FA                            /boot/efi
├─nvme0n1p2     1G part  linux_raid_member md2            fea21b2b-2455-4cb2-a9a0-4c338899c517 79fa0b16-1de0-4dc9-6bad-c8c456d3c8c5
│ └─md2      1022M raid1 ext4              boot                                                543ebee6-5c6e-4a5c-86df-0a595ea9829b /boot
├─nvme0n1p3 474.9G part  linux_raid_member md3            f04002cc-5ce7-4cca-a525-6838fd972987 3de91c82-c54a-2edf-bc42-2128fe62bef8
│ └─md3     474.8G raid1 ext4              root                                                100619c3-ea4b-4fee-aaa3-83fb471723ff /
├─nvme0n1p4   512M part  swap              swap-nvme0n1p4 94db751f-7d6d-426d-aae7-55699675d794 77242712-5e31-480d-a57e-3c7c0f1731fa [SWAP]
└─nvme0n1p5     2M part  iso9660           config-2       f514a1f0-532f-498b-a525-7222224beb6f 2026-04-28-08-41-39-00
nvme1n1     476.9G disk
├─nvme1n1p1   511M part  vfat              EFI_SYSPART    06c9b490-e21f-46ae-8bd8-0344a8d34e37 2B2B-4A82
├─nvme1n1p2     1G part  linux_raid_member md2            9b00687f-9d0c-4121-abae-6bf2a454a85b 79fa0b16-1de0-4dc9-6bad-c8c456d3c8c5
│ └─md2      1022M raid1 ext4              boot                                                543ebee6-5c6e-4a5c-86df-0a595ea9829b /boot
├─nvme1n1p3 474.9G part  linux_raid_member md3            bf8223a6-d908-4343-ad03-8cdecb3420fd 3de91c82-c54a-2edf-bc42-2128fe62bef8
│ └─md3     474.8G raid1 ext4              root                                                100619c3-ea4b-4fee-aaa3-83fb471723ff /
└─nvme1n1p4   512M part  swap              swap-nvme1n1p4 c728d6aa-ee6e-4cf0-9e6b-e41d3b4e2934 2f88d2cc-a612-42c8-9df6-a533abdb3226 [SWAP]

`nvme1n1p1` is the second drive's EFI partition

Here's fstab
```
UUID=100619c3-ea4b-4fee-aaa3-83fb471723ff       /       ext4    defaults        0       1
UUID=543ebee6-5c6e-4a5c-86df-0a595ea9829b       /boot   ext4    defaults        0       0
LABEL=EFI_SYSPART       /boot/efi       vfat    defaults        0       1
UUID=77242712-5e31-480d-a57e-3c7c0f1731fa       swap    swap    defaults        0       0
UUID=2f88d2cc-a612-42c8-9df6-a533abdb3226       swap    swap    defaults        0       0
```

Here's efibootmgr -v
```
BootCurrent: 000C
Timeout: 2 seconds
BootOrder: 000C,000D,0007,000B,0001
Boot0001* UEFI: Built-in EFI Shell      VenMedia(5023b95c-db26-429b-a648-bd47664c8012)0000424f
      dp: 04 03 14 00 5c b9 23 50 26 db 9b 42 a6 48 bd 47 66 4c 80 12 / 7f ff 04 00
    data: 00 00 42 4f
Boot0007* UEFI: PXE IPv4 Intel(R) Ethernet Controller X550      PciRoot(0x0)/Pci(0x1b,0x0)/Pci(0x0,0x0)/MAC(d85ed343de10,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
      dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 00 1b / 01 01 06 00 00 00 / 03 0b 25 00 d8 5e d3 43 de 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 / 03 0c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 7f ff 04 00
    data: 00 00 42 4f
Boot0008  UEFI: PXE IPv4 Intel(R) Ethernet Controller X550      PciRoot(0x0)/Pci(0x1b,0x0)/Pci(0x0,0x1)/MAC(d85ed343de11,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
      dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 00 1b / 01 01 06 00 01 00 / 03 0b 25 00 d8 5e d3 43 de 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 / 03 0c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 7f ff 04 00
    data: 00 00 42 4f
Boot000B* UEFI: PXE IPv4 Intel(R) Ethernet Controller X550      PciRoot(0x0)/Pci(0x1b,0x0)/Pci(0x0,0x1)/MAC(d85ed343de11,1)/IPv4(0.0.0.00.0.0.0,0,0)0000424f
      dp: 02 01 0c 00 d0 41 03 0a 00 00 00 00 / 01 01 06 00 00 1b / 01 01 06 00 01 00 / 03 0b 25 00 d8 5e d3 43 de 11 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 / 03 0c 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 / 7f ff 04 00
    data: 00 00 42 4f
Boot000C* debian        HD(1,GPT,06c9b490-e21f-46ae-8bd8-0344a8d34e37,0x800,0xff800)/File(\EFI\debian\shimx64.efi)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 f8 0f 00 00 00 00 00 90 b4 c9 06 1f e2 ae 46 8b d8 03 44 a8 d3 4e 37 02 02 / 04 04 34 00 5c 00 45 00 46 00 49 00 5c 00 64 00 65 00 62 00 69 00 61 00 6e 00 5c 00 73 00 68 00 69 00 6d 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
Boot000D* debian        HD(1,GPT,ded29cd6-9e09-4b32-8826-7f10660f8690,0x800,0xff800)/File(\EFI\debian\shimx64.efi) File(.)
      dp: 04 01 2a 00 01 00 00 00 00 08 00 00 00 00 00 00 00 f8 0f 00 00 00 00 00 d6 9c d2 de 09 9e 32 4b 88 26 7f 10 66 0f 86 90 02 02 / 04 04 34 00 5c 00 45 00 46 00 49 00 5c 00 64 00 65 00 62 00 69 00 61 00 6e 00 5c 00 73 00 68 00 69 00 6d 00 78 00 36 00 34 00 2e 00 65 00 66 00 69 00 00 00 / 7f ff 04 00
    data: 00 00 42 4f
```

You can see that both EFI partitions are configured in efibootmgr

Mdadm for good measure, but that likely doesn't matter here

```
sudo mdadm --detail --scan
ARRAY /dev/md/md2 metadata=1.2 UUID=79fa0b16:1de04dc9:6badc8c4:56d3c8c5
ARRAY /dev/md/md3 metadata=1.2 UUID=3de91c82:c54a2edf:bc422128:fe62bef8
```

#1135137#40
Date:
2026-04-28 13:04:40 UTC
From:
To:
Steve and team,

OK I get it now. The plot thickens. That is why it worked 11->12 - the EFI didn't change version. This is the EFI from 11

```
$ strings /mnt/second-efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-3~deb11u6,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20

$ strings /mnt/efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
strings: '/mnt/efi/EFI/debian/grubx64.efi': No such file
debian@ethstaker-mumbai:~$ strings /boot/efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-3~deb11u6,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20
```

Same version as 12. 2.06 in both cases. I'm assuming `2.06-13+deb12u1` and `2.06-3~deb11u6` are binary compatible, that is if the machine boots from EFI `2.06-3~deb11u6` into Debian 12 grub, all is well.

Anecdotally that seems to be true because our 11->12 fleet upgrade went without a hitch in 2023.

With 12->13, the EFI version changes, and just `/boot/efi` gets updated. Then it's up to the vagaries of ... efibootmgr I suppose, whether the updated partition is used or no. In my testing failure is intermittent. The system may or may not reboot on the old EFI, but once it does, the only way back is to go into EFI shell, choose the other fs like say fs1:, and then run shimx64.efi (the upgraded one) from there.

This is not necessarily a bug, it's a (missing) feature. Which bites users going from 12->13 because now EFI version changes.

Can I suggest at a minimum documentation and a warning at https://www.debian.org/releases/trixie/release-notes/upgrading.en.html#possible-issues-during-upgrade and maybe even before then, a warning earlier in the doc to look at the possible issues section and what to do about multi-disk EFI setups.

Completely amazing ofc would be that grub-install or "whatever responsible component" sees all EFI entries in efibootmgr and upgrades / installs into all of them, or has a switch to do so, which gets exercised on grub package update.

Yours
Thorsten

#1135137#45
Date:
2026-04-28 13:51:57 UTC
From:
To:
And, because it's still grub 2.06, I can boot from it

Debian 11->12 upgrade. Confirmed /boot/efi only was updated

```
$ strings /mnt/second-efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-3~deb11u6,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20

$ strings /boot/efi/EFI/debian/grubx64.efi | grep -i grub | tail -6
        source $prefix/grub.cfg
        source $cmdpath/grub.cfg
normal (memdisk)/grub.cfg
grub,4,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
grub.debian,4,Debian,grub2,2.06-13+deb12u1,https://tracker.debian.org/pkg/grub2
&Debian Secure Boot Signer 2022 - grub20
```

Old:
```
~$ ls -l /mnt/second-efi/EFI/debian/grubx64.efi
-rwxr-xr-x 1 root root 4150720 Apr 28 12:43 /mnt/second-efi/EFI/debian/grubx64.efi
```

New:
```
~$ ls -l /boot/efi/EFI/debian/grubx64.efi
-rwxr-xr-x 1 root root 4199872 Apr 28 13:27 /boot/efi/EFI/debian/grubx64.efi
```

Reboot into BIOS and choose EFI shell, `sudo systemctl reboot --firmware-setup`

FS0: Old, verified by size of grubx64.efi
FS1: New, verified by size of grubx64.efi

FS0:
cd EFI
cd debian
shimx64.efi

Boots without issue

I know what to do as a workaround. Upgrade the second EFI partition.

What to do on the Debian side, that I have not a lot of input to, other than the previous idea to call this out in Release Notes.

Kind Regards
Thorsten

#1135137#50
Date:
2026-04-29 12:32:47 UTC
From:
To:
A thought on how to improve the postinst of grub

Something along these lines - not this exact script, but in spirit - would update grub on all ESPs

```
#!/usr/bin/env bash
set -euo pipefail

ESP_GUID="c12a7328-f81f-11d2-ba4b-00a0c93ec93b"

lsblk -rno NAME,PARTTYPE,FSTYPE | while read -r name parttype fstype; do
  if [[ "$parttype" == "$ESP_GUID" && "$fstype" == "vfat" ]]; then
    dev="/dev/$name"
    mnt="$(mktemp -d)"

    echo "Installing GRUB to $dev"

    mount "$dev" "$mnt"

    grub-install \
      --target=x86_64-efi \
      --efi-directory="$mnt" \
      --bootloader-id=debian \
      --recheck

    umount "$mnt"
    rmdir "$mnt"
  fi
done
```

#1135137#55
Date:
2026-04-29 22:46:30 UTC
From:
To:
Thorsten Behrens wrote:

What is the point of having multiple ESPs with RAID 0 ? It does not
provide any redundancy, so if either drive fails the system would fail
to boot anyway.

Both ESPs have the same LABEL (this is wrong, LABELs should be unique)
and fstab mounts the ESP by LABEL. So the mounted ESP is chosen randomly
(or at least not reliably) and only the ESP mounted on /boot/efi is
updated by grub-install.

FWIW this is the contents of the embedded SBAT CSV, not the GRUB
version. The actual GRUB version can be found in another string:

GNU GRUB  version %s
2.06-13+deb12u1

EFI boot entries are not reliable enough. They do not even exist on some
systems.

This is a bad idea. Not all detected ESPs may belong to this system.
A correct solution requires to record the ESPs which are managed by this
system and must be updated.

#1135137#60
Date:
2026-05-01 05:42:47 UTC
From:
To:
Fair. The same issue is present with RAID 1, and I am dealing with an installation where multiple ESPs are being created on RAID 0. A solution for RAID 1 would also solve RAID 0 systems.

Thank you for adding color re why my boot failures were random. Not great by OVH; also though with RAID 1, a boot failure would occur on disk failure even on a system with unique labels.

Noted. So, that solution is bad. A solution, of some kind, would be great. As that's clearly not trivial, a note at https://www.debian.org/releases/stable/release-notes/issues.en.html#things-to-be-aware-of-while-upgrading-to-releasename to look out for systems with multiple ESPs such as RAID 1 setups, and manually updating the ones belonging to Debian and not currently mounted to /boot/efi, would be amazing.

Sincerely yours
Thorsten

#1135137#65
Date:
2026-05-01 09:16:43 UTC
From:
To:
Thank you for your patience as I learn how Debian hangs together. Is this an equally bad idea?

Get UUID of  currently mounted /boot/grub with CURRENT_UUID=$(lsblk -no UUID $(df /boot/grub | tail -1 | awk '{print $1}'))

Get UUID that `grub.cfg` on the ESP I am looking at chains to with `ESP_UUID=$(grep "search.fs_uuid" "$mnt"/EFI/debian/grub.cfg | awk '{print $2}')`

If the two match, this ESP is managed by this system and should be updated

The main point being whether comparing these two UUIDs is the right way to identify that an ESP is managed by the current system.

My tail and awk and grep stuff may well not be robust to get these two UUIDs in the first place.

Yours
Thorsten

#1135137#70
Date:
2026-05-01 11:49:53 UTC
From:
To:
Debian does not support multiple ESPs out of the box, so users who set
this up should already know.

This is not generic and reliable enough. grub.cfg in the ESP is
generated only with signed GRUB images (shim + grub-efi-$arch-signed).
Signed GRUB images are available only for amd64 and arm64.

grub-pc records the devices where GRUB should be installed in debconf,
why wouldn't grub-efi just do the same for EFI partitions ?

#1135137#75
Date:
2026-05-01 18:23:35 UTC
From:
To:
That clearly isn't always so in practice, particularly when the Debian setup is done by a provider of rented equipment. I think it'd be friendly and good UX to mention it in release notes; but I can also see a point of "that's too niche, we can't mention everything".

Over to the maintainers of grub-efi. I am not nearly deep enough in Debian to hold an opinion.

Yours sincerely
Thorsten