Legacy to UEFI

See https://blog.getreu.net/projects/legacy-to-uefi-boot/

1. Boot a live system

Enable UEFI in the BIOS.

Boot a recent Debian live system from USB or DVD.

2. Prepare the harddisk

2.1. Backup your data

Backup your data!

2.2. Identify Debian’s “/boot” partition

My legacy boot system had a 243MiB ext2 partition mounted on /boot. This partition is never encrypted. It is where the grub files and Linux kernels reside. Check by double clicking on the partition icon on the live-disk-desktop and have a look inside.

# ls -l
total 21399
-rw-r--r-- 1 root root 155429 Sep 28 00:59 config-3.16-0.bpo.2-amd64
drwxr-xr-x 3 root root 7168 Nov 5 08:03 grub
-rw-r--r-- 1 root root 15946275 Nov 5 16:28 initrd.img-3.16-0.bpo.2-amd64
drwx------ 2 root root 12288 Nov 24 2012 lost+found
-rw-r--r-- 1 root root 2664392 Sep 28 00:59 System.map-3.16-0.bpo.2-amd64
-rw-r--r-- 1 root root 3126096 Sep 28 00:48 vmlinuz-3.16-0.bpo.2-amd64
# df -h
Filesystem Size Used Avail Use% Mounted on
...
/dev/sdb1 234M 28M 206M 13% /media/....

As you can see in the following partition table of the Debian legacy boot system, my /boot partition is number 1 (/dev/sdb1).

Although 1 is the default value for standard Debian installations, better check!
The live system has identified this partition as /dev/sdb. The Debian system on your harddisk could reference it differently.

Partition table of the Debian legacy boot system


# fdisk -l /dev/sdb
...
Device Boot Start End Blocks Id System
/dev/sdb1 * 2048 499711 44032 7 HPFS/NTFS/exFAT
...
/dev/sdb5 501760 976771071 488134656 83 Linux


In legacy boot mode the /boot partition must have the boot-flag (*) set. This confirms our assumption: the /boot filesystem is on: /dev/sdb1.

# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.5

Partition table scan:
MBR: MBR only
BSD: not present
APM: not present
GPT: not present
...
Number Start (sector) End (sector) Size Code Name
1 2048 499711 243.0 MiB 8300 Linux filesystem
5 501760 976771071 238.2 GiB 8300 Linux filesystem

2.3. Create GPT partition table

Transform the partition table from MBR to GPT with

gdisk /dev/sdb

option  r     recovery and transformation options (experts only)
option  f     load MBR and build fresh GPT from it

option  w     write table to disk and exit

2.4. Create an UEFI partition

A good graphical tool is the Gnome Partition Editor gparted:

# gparted /dev/sdb


Shrink the /boot partition to 200MB in order to free 43MB (see partition 1 below).

Create a new 43MB partition for EFI using gparted with partition code EF00 (EFI system) and flag it bootable. Format the partition with a FAT32 [1] filesystem (see partition 2 below).

UEFI additionally needs [2] an unformatted 1MB partition [3] (see partition 3 below).

Leave the other partitions untouched (see partition 5 below).

Here the result:

Partition table of the Debian UEFI boot system
 

# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.5

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.
Disk /dev/sdb: 976773168 sectors, 465.8 GiB

...

Number Start (sector) End (sector) Size Code Name
1 2048 411647 200.0 MiB 8300 Linux filesystem
2 411648 499711 43.0 MiB EF00 Efi partition
3 499712 501759 1024.0 KiB 8300 Linux filesystem
5 501760 976771071 465.5 GiB 8300 Linux filesystem
[4]
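
The result can be checked mechanically before the bootloader is touched. The following is an added example, not part of the original guide: the function name check_gpt_layout is an assumption, and the embedded sample is constructed from the listing above.

```shell
#!/bin/sh
# Added example. check_gpt_layout reads `gdisk -l` output on stdin and returns 0
# only for a GPT disk with a protective MBR, an EF00 partition and no overlaps.
check_gpt_layout() {
    awk '
        /^ *MBR: protective/ { mbr = 1 }
        /^ *GPT: present/    { gpt = 1 }
        # Partition rows: number, start, end, size, unit, type code, name
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            n++; num[n] = $1; s[n] = $2 + 0; e[n] = $3 + 0
            if ($6 == "EF00") esp = n
        }
        END {
            # Pairwise test, independent of the order in which rows are listed
            for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (s[i] <= e[j] && s[j] <= e[i]) {
                    printf "FAIL: partitions %s and %s overlap\n", num[i], num[j]
                    bad = 1
                }
            if (!gpt) { print "FAIL: no GPT present"; bad = 1 }
            if (!mbr) { print "FAIL: MBR is not protective"; bad = 1 }
            if (esp) {
                printf "OK: ESP is partition %s, %d sectors\n", num[esp], e[esp] - s[esp] + 1
            } else { print "FAIL: no partition with type code EF00"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed sample: the post-conversion listing shown above.
sample_after_conversion() {
    cat <<'EOF'
Partition table scan:
  MBR: protective
  GPT: present
Number Start (sector) End (sector) Size Code Name
1 2048 411647 200.0 MiB 8300 Linux filesystem
2 411648 499711 43.0 MiB EF00 Efi partition
3 499712 501759 1024.0 KiB 8300 Linux filesystem
5 501760 976771071 465.5 GiB 8300 Linux filesystem
EOF
}

# On the live system: gdisk -l /dev/sdb | check_gpt_layout
sample_after_conversion | check_gpt_layout
```

A partition that holds the EFI files but carries another type code (for example 0700) fails this check, because the firmware looks for the EFI system partition by its type.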

3. Mount the Debian filesystem

The next step differs whether the root-filesystem is encrypted or not.

3.1. Mount a non-encrypted root-filesystem

Mount the / (root) filesystem.

For non-encrypted root filesystems a simple mount will do.

# mount -t ext4 /dev/sdb5 /mnt

3.2. Mount an encrypted root-filesystem

For encrypted root filesystems the mounting procedure can be a little tricky especially when the root filesystem resides inside a logical volume which is encrypted. This section shows how to mount and unmount an encrypted root-filesystem.

The recovery mode of the Debian 9 Stretch installer disk automates all following steps. Try this first. If it does not work follow the rest of this section.

3.2.1. Find the device and partition of the logical volume to be mounted

Connect the disk to the host system and observe the kernel messages in /var/log/syslog

root@host-system:~# tail  -f  /var/log/syslog
sd 3:0:0:0: [sdb] 976773168 512-byte logical blocks: (500 GB/465 GiB)
sd 3:0:0:0: [sdb] Write Protect is of manually.
sd 3:0:0:0: [sdb] Mode Sense: 43 00 00 00
sd 3:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
sdb: sdb1 sdb2 sdb3 sdb5
sd 3:0:0:0: [sdb] Attached SCSI disk

The device to be mounted is /dev/sdb.

Find the partition

root@host-system:~# gdisk -l /dev/sdb
GPT fdisk (gdisk) version 0.8.5
...
Number Start (sector) End (sector) Size Code Name
1 2048 411647 200.0 MiB 8300 Linux filesystem
2 411648 494821 43.0 MiB 0700
3 494822 501759 1024.0 KiB 8300 Linux filesystem
5 501760 976771071 465.5 GiB 8300 Linux filesystem

The logical volume of disk-system to be mounted resides on /dev/sdb5.

3.2.2. Mount encrypted logical volume

Open decryption layer.

root@host-system:~# lvscan
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit

Logical volume is not registered yet. Do so.

root@host-system:~# cryptsetup luksOpen /dev/sdb5 sdb5_crypt


Enter passphrase for /dev/sdb5:

Enter disk password.

root@host-system:~# lvscan
inactive '/dev/disk-system/root' [457.74 GiB] inherit
inactive '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit

Logical volume of disk-system is registered now. It contains one root partition (line 1) and one swap partition (line 2).

Activate logical volumes

root@host-system:~# lvchange -a y disk-system

Check success.

root@host-system:~# lvscan
ACTIVE '/dev/disk-system/root' [457.74 GiB] inherit
ACTIVE '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit

root@host-system:~# ls /dev/mapper
control disksystem-root disksystem-swap_1 hostsystem-root hostsystem-swap_1 mymapper sdb5_crypt


Mount logical volume

root@host-system:~# mount -t ext4 /dev/mapper/disksystem-root /mnt
 

Check success.

root@host-system:~# ls /mnt
bin etc initrd.img.old lib64 mnt proc sbin sys var
boot home lib lost+found mnt2 root selinux tmp vmlinuz
dev initrd.img lib32 media opt run srv usr vmlinuz.old

3.2.3. Unmount encrypted logical volume

This subsection is only for completeness. Skip it.

root@host-system:~# umount /mnt

root@host-system:~# lvscan
ACTIVE '/dev/disk-system/root' [457.74 GiB] inherit
ACTIVE '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit

root@host-system:~# lvchange -a n disk-system
root@host-system:~# lvscan
inactive '/dev/disk-system/root' [457.74 GiB] inherit
inactive '/dev/disk-system/swap_1' [7.78 GiB] inherit
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit

root@host-system:~# cryptsetup luksClose sdb5_crypt
root@host-system:~# lvscan
ACTIVE '/dev/host-system/root' [231.03 GiB] inherit
ACTIVE '/dev/host-system/swap_1' [7.20 GiB] inherit

3.3. Mount the remaining filesystems

Either this way...

# mount /dev/sdb1 /mnt/boot
# mount /dev/sdb2 /mnt/boot/efi

# for i in /dev /dev/pts /proc /sys /sys/firmware/efi/efivars /run; do sudo mount -B $i /mnt$i; done
# chroot /mnt /bin/bash

or this way, both commands do the same...

# mount /dev/sdb1 /mnt/boot
# mount /dev/sdb2 /mnt/boot/efi
# mount --bind /sys /mnt/sys
# mount --bind /proc /mnt/proc
# mount --bind /dev /mnt/dev
# mount --bind /dev/pts /mnt/dev/pts

Internet access

For internet access inside chroot:

    # cp /etc/resolv.conf /mnt/etc/resolv.conf

Problem: "EFI variables are not supported" (the efivars module is not loaded with modprobe, or efivars is missing in /sys/firmware/efi/efivars)

    grub-install --force-extra-removable --target=x86_64-efi /dev/sda --recheck

4. Update Debian's /etc/fstab

Update the entries in /mnt/etc/fstab to reflect the partition changes above. Compare the UUIDs there with the ones listed here:

# ls /dev/disk/by-uuid

Add the new UEFI partition (see last line in /etc/fstab below) in order to get it mounted permanently on /boot/efi.

# cat /mnt/etc/fstab
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/koobue1-root / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdb1 during installation
UUID=040cdd12-8e45-48bd-822e-7b73ef9fa09f /boot ext2 defaults 0 2
/dev/mapper/koobue1-swap_1 none swap sw 0 0
/dev/sr0 /media/cdrom0 udf,iso9660 user,noauto 0 0
#Jens: tmpfs added for SSD
tmpfs /tmp tmpfs defaults,nodev,nosuid,size=500m 0 0
tmpfs /var/lock tmpfs defaults,nodev,nosuid,noexec,mode=1777,size=100m 0 0
tmpfs /var/run tmpfs defaults,nodev,nosuid,noexec,mode=0775,size=100m 0 0
UUID=19F0-4372 /boot/efi vfat defaults 0 2

 

I use /dev/mapper for the encrypted file system and tmpfs because I have an SSD disk.
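
The UUID comparison described in this section can be scripted. The following is an added example, not part of the original guide: the function name check_fstab_uuids and its optional directory argument are assumptions, and the demo input is constructed from the fstab shown above. It also warns when a vfat entry such as /boot/efi has no umask, because vfat stores no Unix permissions and the mount options alone decide who can read the EFI partition.

```shell
#!/bin/sh
# Added example. check_fstab_uuids FSTAB [UUID_DIR]
# Prints one line per UUID= entry; returns 1 if a UUID has no matching device.
check_fstab_uuids() {
    fstab=$1
    uuid_dir=${2:-/dev/disk/by-uuid}
    rc=0
    # Comments are stripped first; the here-document keeps the loop in this
    # shell so that rc survives it.
    while read -r spec mnt fstype opts rest; do
        case $spec in
            UUID=*) uuid=${spec#UUID=} ;;
            *) continue ;;
        esac
        if [ -e "$uuid_dir/$uuid" ]; then
            echo "OK $mnt $uuid"
        else
            echo "MISSING $mnt $uuid"
            rc=1
        fi
        # vfat has no Unix permissions: only a mask option restricts access.
        if [ "$fstype" = vfat ]; then
            case ",$opts," in
                *,umask=*|*,fmask=*|*,dmask=*) ;;
                *) echo "WARN $mnt vfat mounted without umask/fmask" ;;
            esac
        fi
    done <<EOF
$(sed 's/#.*//' "$fstab")
EOF
    return $rc
}

# Constructed demo: two fstab lines from above and a fake by-uuid directory
# in which only the EFI partition exists.
demo=$(mktemp -d) && mkdir "$demo/by-uuid" && : > "$demo/by-uuid/19F0-4372"
printf '%s\n' \
    'UUID=040cdd12-8e45-48bd-822e-7b73ef9fa09f /boot ext2 defaults 0 2' \
    'UUID=19F0-4372 /boot/efi vfat defaults 0 2' > "$demo/fstab"
check_fstab_uuids "$demo/fstab" "$demo/by-uuid" || echo "fix fstab before rebooting"
rm -rf "$demo"
```

From the live system the call is `check_fstab_uuids /mnt/etc/fstab`, which uses /dev/disk/by-uuid by default.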

5. Inside the chroot environment

5.1. Preparation

Enter with:

# chroot /mnt

Check

# cat /etc/fstab

for not yet mounted entries and mount them manually e.g.

# mount /tmp
# mount /run
# mount /var/lock
...

5.2. Install grub-efi

# apt-get remove grub-pc
# apt-get install grub-efi
# grub-install /dev/sdb

 

Check presence of the efi file:

# file /boot/efi/EFI/debian/grubx64.efi
/boot/efi/EFI/debian/grubx64.efi: PE32+ executable (EFI application) x86-64 (stripped to external PDB), for MS Windows

 

A Debian entry should be listed here:

# efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,2001,2002,2003
Boot0000* debian
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

 

Exit chroot environment.

# exit

Reboot the system.