See https://blog.getreu.net/projects/legacy-to-uefi-boot/
Enable UEFI in the BIOS.
Boot a recent Debian live system from USB or DVD.
Back up your data!
My legacy boot system had a 243MiB ext2 partition mounted on /boot. This partition is never encrypted. It is where the grub files and Linux kernels reside. Check by double-clicking the partition icon on the live-disk desktop and looking inside.
# ls -l
total 21399
-rw-r--r-- 1 root root 155429 Sep 28 00:59 config-3.16-0.bpo.2-amd64
drwxr-xr-x 3 root root 7168 Nov 5 08:03 grub
-rw-r--r-- 1 root root 15946275 Nov 5 16:28 initrd.img-3.16-0.bpo.2-amd64
drwx------ 2 root root 12288 Nov 24 2012 lost+found
-rw-r--r-- 1 root root 2664392 Sep 28 00:59 System.map-3.16-0.bpo.2-amd64
-rw-r--r-- 1 root root 3126096 Sep 28 00:48 vmlinuz-3.16-0.bpo.2-amd64
# df -h
Filesystem Size Used Avail Use% Mounted on
...
/dev/sdb1 234M 28M 206M 13% /media/....
As you can see in the following partition table of the Debian legacy boot system, my /boot partition is number 1 (/dev/sdb1).
Although 1 is the default value for standard Debian installations, better check!
The live system has identified this disk as /dev/sdb. The Debian system on your hard disk could reference it differently.
Partition table of the Debian legacy boot system
# fdisk -l /dev/sdb
...
Device Boot Start End Blocks Id System
/dev/sdb1 * 2048 499711 44032 7 HPFS/NTFS/exFAT
...
/dev/sdb5 501760 976771071 488134656 83 Linux
In legacy boot mode the /boot partition must have the boot flag (*) set. This confirms our assumption: the /boot filesystem is on /dev/sdb1.
# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.5
Partition table scan:
MBR: MBR only
BSD: not present
APM: not present
GPT: not present
...
Number Start (sector) End (sector) Size Code Name
1 2048 499711 243.0 MiB 8300 Linux filesystem
5 501760 976771071 238.2 GiB 8300 Linux filesystem
Transform the partition table from MBR to GPT with
# gdisk /dev/sdb
option r recovery and transformation options (experts only)
option f load MBR and build fresh GPT from it
option w write table to disk and exit
A good graphical tool is the Gnome Partition Editor gparted:
# gparted /dev/sdb
Shrink the /boot partition to 200MB in order to free 43MB (see partition 1 below).
Create a new 43MB partition for EFI using gparted with partition code EF00 (EFI system) and flag it bootable. Format the partition with a FAT32 [1] filesystem (see partition 2 below).
UEFI additionally needs [2] an unformatted 1MB partition [3] (see partition 3 below).
Leave the other partitions untouched (see partition 5 below).
Here the result:
Partition table of the Debian UEFI boot system
# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.5
Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present
Found valid GPT with protective MBR; using GPT.
Disk /dev/sdb: 976773168 sectors, 465.8 GiB...
Number Start (sector) End (sector) Size Code Name
1 2048 411647 200.0 MiB 8300 Linux filesystem
2 411648 499711 43.0 MiB EF00 Efi partition
3 499712 501759 1024.0 KiB 8300 Linux filesystem
5 501760 976771071 465.5 GiB 8300 Linux filesystem
The next step depends on whether the root filesystem is encrypted or not.
Mount the / (root) filesystem.
For non-encrypted root filesystems a simple mount will do.
# mount -t ext4 /dev/sdb5 /mnt
For encrypted root filesystems the mounting procedure can be a little tricky, especially when the root filesystem resides inside an encrypted logical volume. This section shows how to mount and unmount an encrypted root filesystem.
The recovery mode of the Debian 9 Stretch installer disk automates all following steps. Try this first. If it does not work follow the rest of this section.
3.2.1. Find the device and partition of the logical volume to be mounted
Connect the disk to host-system and watch the kernel messages in /var/log/syslog:
root@host-system:~# tail -f /var/log/syslog
sd 3:0:0:0: [sdb] 976773168 512-byte logical blocks: (500 GB/465 GiB)
sd 3:0:0:0: [sdb] Write Protect is off
sd 3:0:0:0: [sdb] Mode Sense: 43 00 00 00
sd 3:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
sdb: sdb1 sdb2 sdb3 sdb5
sd 3:0:0:0: [sdb] Attached SCSI disk
The device to be mounted is /dev/sdb.
Find the partition
root@host-system:~# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.5
...
Number Start (sector) End (sector) Size Code Name
1 2048 411647 200.0 MiB 8300 Linux filesystem
2 411648 494821 43.0 MiB 0700
3 494822 501759 1024.0 KiB 8300 Linux filesystem
5 501760 976771071 465.5 GiB 8300 Linux filesystem
The logical volume of disk-system to be mounted resides on /dev/sdb5.
3.2.2. Mount encrypted logical volume
Open decryption layer.
root@host-system:~# lvscan
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit
Logical volume is not registered yet. Do so.
root@host-system:~# cryptsetup luksOpen /dev/sdb5 sdb5_crypt
Enter passphrase for /dev/sdb5:
Enter disk password.
root@host-system:~# lvscan
inactive '/dev/disk-system/root' [457.74 GiB] inherit
inactive '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit
The logical volume of disk-system is registered now. It contains one root partition (line 1) and one swap partition (line 2).
Activate logical volumes
root@host-system:~# lvchange -a y disk-system
Check success.
root@host-system:~# lvscan
ACTIVE '/dev/disk-system/root' [457.74 GiB] inherit
ACTIVE '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit
root@host-system:~# ls /dev/mapper
control disksystem-root disksystem-swap_1 hostsystem-root hostsystem-swap_1 mymapper sdb5_crypt
Mount logical volume
root@host-system:~# mount -t ext4 /dev/mapper/disksystem-root /mnt
Check success.
root@host-system:~# ls /mnt
bin etc initrd.img.old lib64 mnt proc sbin sys var
boot home lib lost+found mnt2 root selinux tmp vmlinuz
dev initrd.img lib32 media opt run srv usr vmlinuz.old
3.2.3. Unmount encrypted logical volume
This subsection is only for completeness. Skip it.
root@host-system:~# umount /mnt
root@host-system:~# lvscan
ACTIVE '/dev/disk-system/root' [457.74 GiB] inherit
ACTIVE '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit
root@host-system:~# lvchange -a n disk-system
root@host-system:~# lvscan
inactive '/dev/disk-system/root' [457.74 GiB] inherit
inactive '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit
root@host-system:~# cryptsetup luksClose sdb5_crypt
root@host-system:~# lvscan
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit
Either this way…
# mount /dev/sdb1 /mnt/boot
# mount /dev/sdb2 /mnt/boot/efi
# for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -B "$i" "/mnt$i"; done
# chroot /mnt /bin/bash
or this way, both commands do the same…
# mount /dev/sdb1 /mnt/boot
# mount /dev/sdb2 /mnt/boot/efi
# mount --bind /sys /mnt/sys
# mount --bind /proc /mnt/proc
# mount --bind /dev /mnt/dev
# mount --bind /dev/pts /mnt/dev/pts
Internet access
For internet access inside chroot:
# cp /etc/resolv.conf /mnt/etc/resolv.conf
Problem: EFI variables are not supported (the efivars module was not loaded with modprobe, or efivars is missing in /sys/firmware/efi/efivars)
# grub-install --force-extra-removable --target=x86_64-efi /dev/sda --recheck
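A pre-flight check for the EFI-variables problem above, as an added example that is not part of the original guide: run from the live system, it confirms that efivars is populated under the target root and that a vfat filesystem is mounted on its /boot/efi. The function name efi_preflight, its two parameters and the demo tree are assumptions of this example.

```shell
# Added example (not the guide's own code): check the chroot target before
# running grub-install. Name and parameters are assumptions.
#   $1  target root (the text uses /mnt; pass / when already inside the chroot)
#   $2  mount table to read, /proc/mounts by default (a parameter so the
#       check can also be run against a constructed file)
# Prints one line per problem and returns 1 if there is any.
efi_preflight() {
    root=${1%/}
    mounts=${2:-/proc/mounts}
    vars=$root/sys/firmware/efi/efivars
    bad=0
    if [ ! -d "$root/sys/firmware/efi" ]; then
        echo "no /sys/firmware/efi: not booted in UEFI mode, or /sys not bound"
        bad=1
    elif [ -z "$(ls -A "$vars" 2>/dev/null)" ]; then
        # A plain bind of /sys does not carry the efivarfs submount along.
        echo "efivars empty or missing: bind /sys/firmware/efi/efivars into $root"
        bad=1
    fi
    if ! awk -v mp="$root/boot/efi" '$2 == mp && $3 == "vfat" { ok = 1 }
                                     END { exit !ok }' "$mounts"; then
        echo "no vfat filesystem mounted on $root/boot/efi"
        bad=1
    fi
    return "$bad"
}

# Constructed demo tree: /sys is bound but efivars is empty, the ESP is mounted.
t=$(mktemp -d)
mkdir -p "$t/mnt/sys/firmware/efi/efivars" "$t/mnt/boot/efi"
printf '%s\n' "/dev/sdb2 $t/mnt/boot/efi vfat rw 0 0" > "$t/mounts"
efi_preflight "$t/mnt" "$t/mounts" || echo "do not run grub-install yet"
```

On the real system the call is `efi_preflight /mnt` before entering the chroot.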
Update the entries in /mnt/etc/fstab to reflect the partition changes above. Compare the UUIDs there with the ones listed here:
# ls /dev/disk/by-uuid
Add the new UEFI partition (see last line in /etc/fstab below) in order to get it mounted permanently on /boot/efi.
# cat /mnt/etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/koobue1-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdb1 during installation
UUID=040cdd12-8e45-48bd-822e-7b73ef9fa09f /boot ext2 defaults 0 2
/dev/mapper/koobue1-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
#Jens: tmpfs added for SSD
tmpfs /tmp tmpfs defaults,nodev,nosuid,size=500m 0 0
tmpfs /var/lock tmpfs defaults,nodev,nosuid,noexec,mode=1777,size=100m 0 0
tmpfs /var/run tmpfs defaults,nodev,nosuid,noexec,mode=0775,size=100m 0 0
UUID=19F0-4372 /boot/efi vfat defaults 0 2
I use /dev/mapper for the encrypted file system and tmpfs because I have an SSD disk.
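The UUID comparison described above can be automated. The following added example (not from the original guide) lists every UUID= entry in an fstab that has no matching link in /dev/disk/by-uuid and checks that a vfat /boot/efi line is present. The function names and the constructed sample files are assumptions.

```shell
# Added example (not the guide's own code): find fstab UUID= entries that
# match no filesystem. Function names and both parameters are assumptions.
#   $1  fstab to check (the text uses /mnt/etc/fstab)
#   $2  directory of UUID links (the text uses /dev/disk/by-uuid)
# Prints "mountpoint UUID" per stale entry and returns 1 if there is any.
check_fstab_uuids() {
    stale=0
    while read -r spec mnt fstype rest; do
        case $spec in
            UUID=*) uuid=${spec#UUID=} ;;
            *) continue ;;   # comments, /dev/mapper/..., tmpfs, blank lines
        esac
        if [ ! -e "$2/$uuid" ]; then
            printf '%s %s\n' "$mnt" "$uuid"
            stale=1
        fi
    done < "$1"
    return "$stale"
}

# Returns 0 if the fstab mounts a vfat filesystem on /boot/efi.
has_esp_entry() {
    awk '$1 !~ /^#/ && $2 == "/boot/efi" && $3 == "vfat" { found = 1 }
         END { exit !found }' "$1"
}

# Constructed sample: three lines of the fstab above, with only the /boot
# filesystem present in a stand-in for /dev/disk/by-uuid.
demo=$(mktemp -d)
mkdir "$demo/by-uuid"
: > "$demo/by-uuid/040cdd12-8e45-48bd-822e-7b73ef9fa09f"
cat > "$demo/fstab" <<'EOF'
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/koobue1-root / ext4 errors=remount-ro 0 1
UUID=040cdd12-8e45-48bd-822e-7b73ef9fa09f /boot ext2 defaults 0 2
UUID=19F0-4372 /boot/efi vfat defaults 0 2
EOF
check_fstab_uuids "$demo/fstab" "$demo/by-uuid" || echo "fix the entries above before rebooting"
has_esp_entry "$demo/fstab" && echo "/boot/efi entry present"
```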
5.1. Preparation
Enter with:
# chroot /mnt
Check
# cat /etc/fstab
for entries that are not yet mounted and mount them manually, e.g.
# mount /tmp
# mount /run
# mount /var/lock
...
# apt-get remove grub-pc
# apt-get install grub-efi
# grub-install /dev/sdb
Check presence of the efi file:
# file /boot/efi/EFI/debian/grubx64.efi
/boot/efi/EFI/debian/grubx64.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows
A Debian entry should be listed here:
# efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,2001,2002,2003
Boot0000* debian
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Exit chroot environment.
# exit
Reboot the system.