Lenovo ideapad 530S - Debian

Hardware info on main page.

Links

Install Debian 12 with encrypted Root-on-ZFS, ZFSBootMenu, zfsbootmenu-sb,

Work log

2024-12-25: zroot - apt - autoremove

tingo@kg-pod530lin:~$ sudo apt autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  libwpe-1.0-1 libwpebackend-fdo-1.0-1
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 186 kB disk space will be freed.
Do you want to continue? [Y/n] 
(Reading database ... 152493 files and directories currently installed.)
Removing libwpebackend-fdo-1.0-1:amd64 (1.14.2-1) ...
Removing libwpe-1.0-1:amd64 (1.14.0-1) ...
Processing triggers for libc-bin (2.36-9+deb12u9) ...

2024-12-25: zroot - reboot, Debian 12.8 is in

tingo@kg-pod530lin:~$ cat /etc/debian_version 
12.8

kernel

tingo@kg-pod530lin:~$ uname -a
Linux kg-pod530lin 6.1.0-28-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.119-1 (2024-11-22) x86_64 GNU/Linux

2024-12-25: zroot - apt - upgrade

tingo@kg-pod530lin:~$ sudo apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libwpe-1.0-1 libwpebackend-fdo-1.0-1
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  linux-headers-6.1.0-28-amd64 linux-headers-6.1.0-28-common linux-image-6.1.0-28-amd64
The following packages will be upgraded:
  atril atril-common base-files bash bsdextrautils bsdutils bubblewrap cups cups-browsed cups-client cups-common cups-core-drivers cups-daemon cups-filters
  cups-filters-core-drivers cups-ipp-utils cups-ppdc cups-server-common curl dns-root-data eject fdisk firefox-esr fonts-opensymbol ghostscript gir1.2-gdkpixbuf-2.0
  gir1.2-gst-plugins-base-1.0 gir1.2-gstreamer-1.0 gir1.2-gtk-3.0 gir1.2-javascriptcoregtk-4.0 gir1.2-webkit2-4.0 gstreamer1.0-alsa gstreamer1.0-gl
  gstreamer1.0-plugins-base gstreamer1.0-x gtk-update-icon-cache gtk2-engines-pixbuf imagemagick-6-common initramfs-tools initramfs-tools-core iputils-ping less
  libaom3 libarchive13 libatrildocument3 libatrilview3 libavcodec59 libavfilter8 libavformat59 libavutil57 libblkid1 libbluetooth3 libc-bin libc-dev-bin libc-devtools
  libc-l10n libc6 libc6-dev libcjson1 libcups2 libcupsfilters1 libcurl3-gnutls libcurl4 libdav1d6 libexpat1 libfdisk1 libfontembed1 libfreetype6 libgail-common
  libgail18 libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libglib2.0-0 libglib2.0-data libgnutls30 libgs-common libgs10 libgs10-common
  libgssapi-krb5-2 libgstreamer-gl1.0-0 libgstreamer-plugins-base1.0-0 libgstreamer1.0-0 libgtk-3-0 libgtk-3-bin libgtk-3-common libgtk2.0-0 libgtk2.0-bin
  libgtk2.0-common libheif1 libjavascriptcoregtk-4.0-18 libjavascriptcoregtk-4.1-0 libk5crypto3 libkrb5-3 libkrb5support0 libltdl7 libmagickcore-6.q16-6
  libmagickcore-6.q16-6-extra libmagickwand-6.q16-6 libmount1 libmpg123-0 libndp0 libnghttp2-14 libnss3 libntfs-3g89 libpam-systemd libpostproc56 libpython3.11
  libpython3.11-minimal libpython3.11-stdlib libreoffice-base-core libreoffice-calc libreoffice-common libreoffice-core libreoffice-draw libreoffice-gtk3
  libreoffice-help-common libreoffice-help-en-us libreoffice-impress libreoffice-math libreoffice-style-colibre libreoffice-writer libseccomp2 libsmartcols1
  libsqlite3-0 libssl3 libswresample4 libswscale6 libsystemd-shared libsystemd0 libudev1 libuno-cppu3 libuno-cppuhelpergcc3-3 libuno-purpenvhelpergcc3-3 libuno-sal3
  libuno-salhelpergcc3-3 libuuid1 libvpx7 libwebkit2gtk-4.0-37 libwebkit2gtk-4.1-0 linux-compiler-gcc-12-x86 linux-headers-amd64 linux-image-amd64 linux-kbuild-6.1
  linux-libc-dev locales mount nano ntfs-3g openssh-client openssh-server openssh-sftp-server openssl python3-uno python3.11 python3.11-minimal
  shim-helpers-amd64-signed shim-signed shim-signed-common shim-unsigned systemd systemd-sysv tzdata udev uno-libs-private ure usb.ids util-linux util-linux-extra
  wpasupplicant xserver-common xserver-xorg-core xserver-xorg-legacy
173 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 408 MB of archives.
After this operation, 508 MB of additional disk space will be used.
[..]
W: Possible missing firmware /lib/firmware/amdgpu/sienna_cichlid_dmcub.bin for module amdgpu
W: Possible missing firmware /lib/firmware/amdgpu/renoir_dmcub.bin for module amdgpu

check bootorder again

tingo@kg-pod530lin:~$ efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

it is good.

2024-12-25: zroot - lsblk info

tingo@kg-pod530lin:~$ lsblk -f
NAME        FSTYPE     FSVER LABEL UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1                                                                                
├─nvme0n1p1 vfat       FAT16       8F86-1AF2                             100.6M    50% /boot/efi
├─nvme0n1p2                                                                            
├─nvme0n1p3 ufs        2           5f2027ccb14aecab                                    
├─nvme0n1p4                                                                             └─swap    swap       1     swap  d085ab3f-a6aa-4f0d-8658-6f8b7636eb90                [SWAP]
└─nvme0n1p5 zfs_member 5000  zroot 17433648056724219961                                

df info

tingo@kg-pod530lin:~$ df -h
Filesystem         Size  Used Avail Use% Mounted on
udev               1.7G     0  1.7G   0% /dev
tmpfs              346M  1.4M  345M   1% /run
zroot/ROOT/debian   55G  2.7G   52G   5% /
tmpfs              1.7G     0  1.7G   0% /dev/shm
tmpfs              5.0M   12K  5.0M   1% /run/lock
/dev/nvme0n1p1     200M  100M  101M  50% /boot/efi
tmpfs              1.7G  8.0K  1.7G   1% /tmp
zroot/home          52G  244M   52G   1% /home
tmpfs              346M   52K  346M   1% /run/user/1000

this machine still has Debian 12.5

tingo@kg-pod530lin:~$ cat /etc/debian_version 
12.5

boot order info

tingo@kg-pod530lin:~$ efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

2024-06-15: no, signing the FreeBSD loader wasn't enough, it starts to boot, then restarts (perhaps failing to load an unsigned kernel?).

2024-06-15: zroot - now, for fun, try to sign the FreeBSD loader too. first copy it

tingo@kg-pod530lin:~/work$ mkdir fbsd
tingo@kg-pod530lin:~/work$ cd fbsd
tingo@kg-pod530lin:~/work/fbsd$ cp -v /boot/efi/EFI/FreeBSD/BOOTx64.efi .
'/boot/efi/EFI/FreeBSD/BOOTx64.efi' -> './BOOTx64.efi'

check it

tingo@kg-pod530lin:~/work/fbsd$ sbverify --list BOOTx64.efi
warning: data remaining[86016 vs 393216]: gaps between PE/COFF sections?
No signature table present

change the name

tingo@kg-pod530lin:~/work/fbsd$ mv BOOTx64.efi BOOTx64.efi_org

sign

tingo@kg-pod530lin:~/work/fbsd$ sbsign --key ../pod530_local.key --cert ../pod530_local.crt --output BOOTx64.efi BOOTx64.efi_org
warning: data remaining[86016 vs 393216]: gaps between PE/COFF sections?
Signing Unsigned original image

verify

tingo@kg-pod530lin:~/work/fbsd$ sbverify --list BOOTx64.efi
warning: data remaining[87584 vs 394784]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen

copy it back.

tingo@kg-pod530lin:~/work/fbsd$ sudo cp -v BOOTx64.efi /boot/efi/EFI/FreeBSD/
'BOOTx64.efi' -> '/boot/efi/EFI/FreeBSD/BOOTx64.efi'

2024-06-15: zroot - reboot, enroll the new mok, reboot, enable Secure Boot, reboot, and check:

tingo@kg-pod530lin:~$ sudo dmesg | grep -i secure
[    0.000000] secureboot: Secure boot could not be determined (mode 0)
[    0.937566] Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
[    0.937589] Loaded X.509 cert 'Debian Secure Boot Signer 2022 - linux: 14011249c2675ea8e5148542202005810584b25f'
[    0.952235] ima: secureboot mode enabled
[    0.953311] integrity: Loaded X.509 cert 'Debian Secure Boot CA: 6ccece7e4c6c0d1f6149f3dd27dfcc5cbb419ea1'
tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot enabled

yes!

2024-06-15: zroot - interesting, there is a mok in /var/lib/dkms/

tingo@kg-pod530lin:~$ ls -l /var/lib/dkms/
total 18
-rw------- 1 root root 1704 Apr 28 18:03 mok.key
-rw-r--r-- 1 root root  811 Apr 28 18:03 mok.pub
drwxr-xr-x 3 root root    4 Apr 28 18:07 zfs

it just needs to be enrolled, and enabled in /etc/dkms/framework.conf

tingo@kg-pod530lin:~$ grep -i mok /etc/dkms/framework.conf
# mok_signing_key can also be a "pkcs11:..." string for PKCS#11 engine, as
# mok_signing_key=/var/lib/dkms/mok.key
# mok_certificate=/var/lib/dkms/mok.pub

like this

tingo@kg-pod530lin:~$ file /var/lib/dkms/mok.*
/var/lib/dkms/mok.key: regular file, no read permission
/var/lib/dkms/mok.pub: Certificate, Version=3
tingo@kg-pod530lin:~$ sudo file /var/lib/dkms/mok.*
/var/lib/dkms/mok.key: ASCII text
/var/lib/dkms/mok.pub: Certificate, Version=3

check if the zfs module is signed

tingo@kg-pod530lin:~$ sudo modinfo zfs | grep sig
sig_id:         PKCS#7
signer:         DKMS module signing key
sig_key:        5B:8C:B6:02:F3:64:65:67:93:23:6D:DC:0E:D5:4A:69:B4:97:78:15
sig_hashalgo:   sha256
signature:      41:C8:A6:E8:A6:FE:22:63:47:52:C9:C0:EC:08:70:C6:E5:69:EF:76:

indeed. Lets enroll this key then.

tingo@kg-pod530lin:~$ sudo mokutil --import /var/lib/dkms/mok.pub
input password: 
input password again: 

verify

tingo@kg-pod530lin:~$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: 08:88:a0:fe:df:e9:af:16:50:31:d4:38:56:9b:9e:d7:d2:d6:0c:62
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5b:8c:b6:02:f3:64:65:67:93:23:6d:dc:0e:d5:4a:69:b4:97:78:15
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=DKMS module signing key
        Validity
            Not Before: Apr 28 16:03:54 2024 GMT
            Not After : Apr  4 16:03:54 2124 GMT
        Subject: CN=DKMS module signing key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b8:0b:dc:71:c2:2f:08:8d:83:09:20:36:31:58:
                    a2:6a:3b:24:10:0b:1e:55:e8:9a:6b:30:ac:22:a0:
                    5b:dd:51:67:37:7a:62:f3:6b:f5:25:7e:90:d9:b9:
                    87:0b:75:e8:ab:e3:45:c3:94:60:52:e2:f7:70:a8:
                    db:8d:ad:f7:1b:c5:32:7d:bc:22:ec:38:65:0a:36:
                    22:e4:23:08:46:47:bc:51:be:54:66:40:d7:97:d7:
                    82:b3:cf:88:03:11:a4:70:41:aa:05:a6:b6:d6:12:
                    55:da:59:c6:b3:0c:4d:7b:87:a3:48:11:d2:59:0a:
                    ab:d2:c4:a0:27:47:01:66:ed:03:f1:b0:56:5c:c3:
                    de:8e:8d:3a:5f:43:ae:65:82:3c:da:7a:ef:fa:a4:
                    50:11:3b:3c:9c:a3:08:4e:ac:36:fd:d5:77:90:90:
                    02:d9:91:b2:28:6e:84:2d:0f:ee:22:f0:1c:10:98:
                    d9:b4:86:9f:d0:8f:45:20:bb:36:e3:29:78:c6:26:
                    21:91:a8:19:29:2a:2b:0b:8b:a1:63:63:58:1c:b2:
                    df:30:13:74:54:32:d3:96:89:e8:81:b5:0a:63:90:
                    5e:5b:cb:79:74:79:c2:6a:15:48:0b:33:26:ac:07:
                    da:a8:85:db:3d:a3:f8:2e:85:1f:ee:8b:59:fa:fc:
                    fc:7d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                23:7A:E1:BE:8A:F6:A3:C9:25:57:B3:2B:A3:A6:D4:00:B4:EA:2E:14
            X509v3 Authority Key Identifier: 
                23:7A:E1:BE:8A:F6:A3:C9:25:57:B3:2B:A3:A6:D4:00:B4:EA:2E:14
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        43:76:51:b0:17:33:87:53:cf:fc:40:f2:c9:1c:45:c0:e2:48:
        d0:58:20:4a:93:68:d3:cf:3e:b7:7e:49:31:c3:aa:0f:46:76:
        c2:e9:db:54:a4:68:fa:22:f3:d3:6b:ea:9b:fd:28:30:d6:56:
        de:b8:6c:e3:26:c5:c4:3a:5c:db:01:c5:47:d9:8e:96:a7:dd:
        18:9d:64:53:32:ab:50:1b:4b:2b:bc:a5:77:46:a1:d8:3a:16:
        10:6b:df:b5:6b:0b:c6:81:f6:38:90:51:34:0f:8f:a9:eb:3b:
        86:56:e4:6a:42:a3:cc:27:4c:69:b2:27:f4:fa:c5:5f:f9:a6:
        dc:15:a9:b7:0f:6c:bd:83:ae:87:ac:6b:48:92:e0:8c:84:97:
        53:fd:4d:37:b0:ca:58:68:83:14:52:70:a7:45:10:3f:b3:53:
        f0:4c:61:a2:60:ab:f3:4a:ef:d5:c6:eb:9d:5a:38:c2:8d:08:
        f5:1d:21:cd:d2:7b:02:e1:3f:41:3d:6c:09:62:e4:75:1c:17:
        57:23:f5:b2:9c:0d:65:5a:0a:75:5b:e0:5c:da:7e:cd:f8:ef:
        c3:0b:ea:7e:3e:26:0b:ce:2b:2b:7f:44:9c:9e:98:8d:dd:5c:
        a7:bf:d3:9a:45:79:39:75:c9:7b:fc:88:3a:68:5b:af:77:70:
        65:65:a6:05

2024-06-15: Secure Boot - with SB enabled, ZBM starts, but then

Failed to load ZFS modules.
Manually load the modules and exit.

(initramfs)

unfortunately I can't get the modules loaded, I've tried /sbin/modprobe zfs and many other things, but it doesn't help.

2024-06-15: zroot - EFI boot entries

tingo@kg-pod530lin:~/work/zbm$ efibootmgr -v
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

2024-06-15: zroot - copy the signed ZBM to the ESP verify that it is signed

tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-BACKUP.EFI
warning: data remaining[48316960 vs 48326376]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen

before

tingo@kg-pod530lin:~/work/zbm$ ls -l /boot/efi/EFI/ZBM
total 94400
-rwxr-xr-x 1 root root 48324804 Apr 28 18:21 VMLINUZ-BACKUP.EFI
-rwxr-xr-x 1 root root 48324804 Apr 28 18:20 VMLINUZ.EFI

copy

tingo@kg-pod530lin:~/work/zbm$ sudo cp -v VMLINUZ-BACKUP.EFI /boot/efi/EFI/ZBM/
'VMLINUZ-BACKUP.EFI' -> '/boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI'

after

tingo@kg-pod530lin:~/work/zbm$ ls -l /boot/efi/EFI/ZBM
total 94400
-rwxr-xr-x 1 root root 48326376 Jun 15 19:02 VMLINUZ-BACKUP.EFI
-rwxr-xr-x 1 root root 48324804 Apr 28 18:20 VMLINUZ.EFI

2024-06-15: zroot - copy the MOK to the ESP (why?)

tingo@kg-pod530lin:~/work$ sudo cp -v pod530_local.cer /boot/efi/EFI/refind/keys/
'pod530_local.cer' -> '/boot/efi/EFI/refind/keys/pod530_local.cer'

2024-06-15: zroot - sign the ZBM binaries with the MOK

tingo@kg-pod530lin:~/work/zbm$ sbsign --key ../pod530_local.key --cert ../pod530_local.crt --output VMLINUZ-signed.EFI VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
Signing Unsigned original image

the backup too

tingo@kg-pod530lin:~/work/zbm$ sbsign --key ../pod530_local.key --cert ../pod530_local.crt --output VMLINUZ-BACKUP-signed.EFI VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
Signing Unsigned original image

verify

tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-signed.EFI
warning: data remaining[48316960 vs 48326376]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-BACKUP-signed.EFI
warning: data remaining[48316960 vs 48326376]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /CN=Torfinn Ingolfsen
image signature certificates:
 - subject: /CN=Torfinn Ingolfsen
   issuer:  /CN=Torfinn Ingolfsen

check the originals

tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~/work/zbm$ sbverify --list VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present

they are not signed.

2024-06-15: zroot - import the new MOK with mokutil check the new list first

tingo@kg-pod530lin:~/work$ sudo mokutil --list-new

import the key

tingo@kg-pod530lin:~/work$ sudo mokutil -i pod530_local.cer
input password: 
input password again: 

you need to create a password here. Verify

tingo@kg-pod530lin:~/work$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: 3e:9b:b2:2d:bb:d6:dd:d7:54:f9:c9:0a:06:ee:5b:81:58:f4:4b:c0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            43:fb:f9:c4:33:dd:9a:fa:ea:26:80:0e:6c:b5:6e:e1:b5:4e:4d:b3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Torfinn Ingolfsen
        Validity
            Not Before: Jun 15 16:31:23 2024 GMT
            Not After : Jun 13 16:31:23 2034 GMT
        Subject: CN=Torfinn Ingolfsen
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:de:51:40:e9:af:ab:c5:39:33:ba:08:44:0c:ae:
                    e6:90:3a:e3:87:cf:3c:42:a5:0a:f2:c6:fc:ce:da:
                    b0:17:ac:55:39:b9:6b:d4:d9:98:bf:6d:1d:19:f7:
                    07:b2:7a:ed:7e:22:c6:7e:83:44:82:3f:7f:ce:26:
                    cd:fc:6a:95:53:db:a0:d3:48:d6:c3:62:71:c0:24:
                    10:63:b0:e5:ca:f7:c1:a7:dd:18:d0:65:f0:bb:a2:
                    bc:a3:ba:90:f2:18:7d:d6:b1:59:57:53:dc:73:35:
                    55:d9:84:4c:b1:a8:82:7d:58:85:77:19:4d:8e:09:
                    a9:81:42:78:d0:14:4c:51:69:82:9b:c9:b9:c1:77:
                    11:87:25:e7:e3:39:29:1b:c9:9a:12:7f:94:ec:d4:
                    cd:9c:39:98:5d:c6:40:a4:1e:22:e7:e5:75:f3:1c:
                    85:55:98:c8:80:4c:3e:bd:d0:b1:68:7c:ed:28:a6:
                    f7:06:df:94:89:f7:b4:e9:84:74:d0:08:4a:b5:6b:
                    03:8a:70:61:bb:56:89:1b:8f:e0:82:01:5d:b5:73:
                    44:66:1d:06:fb:7a:cf:3e:b2:9e:a6:21:1d:1e:be:
                    28:8a:f0:c6:9c:bd:e5:95:43:26:88:71:9c:13:32:
                    9e:83:bc:8d:3e:73:8e:20:98:a8:49:c6:c5:70:17:
                    44:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                ED:21:85:6F:F4:B0:B0:4B:9C:0E:87:2C:FB:D2:1C:E3:69:6D:69:85
            X509v3 Authority Key Identifier: 
                ED:21:85:6F:F4:B0:B0:4B:9C:0E:87:2C:FB:D2:1C:E3:69:6D:69:85
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        63:2e:9a:f7:d0:79:c6:3a:00:f1:00:a0:be:ef:22:0f:88:ea:
        7e:d8:fd:5d:cd:ec:40:07:e5:3d:71:79:ba:a6:93:fe:07:73:
        db:40:5d:b5:d1:7c:69:d4:19:53:8a:d6:06:93:69:b6:86:ad:
        e5:02:07:4f:52:b5:c1:63:5b:ec:8f:d5:fa:75:8d:f2:06:f9:
        2e:2f:c9:35:be:5e:c9:50:f9:c4:63:83:92:28:95:c3:90:25:
        47:78:c8:19:87:ba:fe:46:d1:2d:83:c0:a9:a7:98:a1:3e:d0:
        b1:d3:c7:02:22:2b:35:d1:4c:84:7f:21:6d:ed:68:71:28:e2:
        23:c7:7e:37:9f:20:75:10:a1:76:49:0d:40:5d:66:b9:c8:d1:
        41:65:d4:97:ca:83:0f:dd:20:d1:4a:a4:bf:44:f6:3f:c7:a1:
        14:fb:6b:41:54:f9:d7:92:9f:9d:54:3a:b6:a8:33:6e:7b:94:
        05:3d:c3:cf:3d:30:21:66:75:51:35:3e:d1:4b:f5:a9:ba:58:
        22:2a:ab:05:9d:75:e8:9d:e0:5c:65:4e:19:01:ac:31:ac:99:
        d3:57:1f:df:21:64:5a:75:97:a9:4e:0f:f0:0a:6b:b2:f0:9b:
        e8:ba:ff:82:71:9c:c4:b0:a8:ab:ce:14:df:5b:31:23:87:e9:
        af:05:8c:e4

it is there. And it lasts ten years.

2024-06-15: zroot - create a MOK with openssl

tingo@kg-pod530lin:~$ mkdir work
tingo@kg-pod530lin:~$ cd work

create

tingo@kg-pod530lin:~/work$ openssl req -new -x509 -newkey rsa:2048 -keyout pod530_local.key -out pod530_local.crt -nodes -days 3650 -subj "/CN=Torfinn Ingolfsen/"
.....+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..+............+..+......+..........+...+......+..............+.+.........+..+....+...+.....+.+......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+...+...........+....+..+...+.+........+......+.+..............+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*............+...+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+..+....+...+......+......+...+...+............+...........+................+........+......+.+.........+...............+.........+..+...+.+.....+.+...+...+.....+.......+..+.........+............+...+.+...+..+...+...+...+....+..+......+...+....+.....+.+...........+..........+......+..+......+.......+..................+......+........+.......+.....+......+...+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----

generate .cer file

tingo@kg-pod530lin:~/work$ openssl x509 -in pod530_local.crt -out pod530_local.cer -outform DER

verify

tingo@kg-pod530lin:~/work$ ls -l
total 14
-rw-r--r-- 1 tingo tingo  797 Jun 15 18:35 pod530_local.cer
-rw-r--r-- 1 tingo tingo 1135 Jun 15 18:31 pod530_local.crt
-rw------- 1 tingo tingo 1704 Jun 15 18:31 pod530_local.key

2024-05-09: zroot - SecureBoot - with it enabled, shim works and loads rEFInd, but ZFSBootMenu (and the FreeBSD loader) are not signed, so it fails to load them.

2024-05-09: zroot - shim - it seems that shim (from shim-signed) requires that the program to load is named 'grubx64.efi' or something else it knows. I copied refind_x64.efi to grubx64.efi and shim booted without complaint, and efibootmgr verifies

tingo@kg-pod530lin:~$ efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

secureboot is still off

tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot disabled

2024-05-09: zroot - efibootmgr - the created entry didn't stick around, after a reboot, I'm back to

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

try again

tingo@kg-pod530lin:~$ sudo efibootmgr -c -d /dev/nvme0n1 -l /EFI/refind/shimx64s.efi -L "SB rEFInd" -u "shimx64s.efi refind_x64.efi"
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0000* SB rEFInd

verify

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

looks better now.

2024-05-09: zroot - efibootmgr - set up a boot entry for the shim enabled rEFInd

tingo@kg-pod530lin:~$ sudo efibootmgr -c -d /dev/nvme0n1 -l /boot/efi/EFI/refind/shimx64s.efi -L "SB rEFInd" -u "shimx64s.efi refind_x64.efi"
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0000* SB rEFInd

verify

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\boot\efi\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

2024-05-09: zroot - copy the signed shim to the refind directory

tingo@kg-pod530lin:~$ sudo cp -pv /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/refind/shimx64s.efi
'/usr/lib/shim/shimx64.efi.signed' -> '/boot/efi/EFI/refind/shimx64s.efi'

2024-05-09: zroot - check the ZFSBootMenu binaries with sbverify too

tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/ZBM/VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present

not signed, I expected that.

2024-05-09: zroot - apt - install shim-signed

tingo@kg-pod530lin:~$ sudo apt install shim-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  gettext-base grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libfuse2 os-prober shim-helpers-amd64-signed
  shim-signed-common
Suggested packages:
  multiboot-doc grub-emu mtools xorriso
Recommended packages:
  secureboot-db
The following NEW packages will be installed:
  gettext-base grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libfuse2 os-prober shim-helpers-amd64-signed
  shim-signed shim-signed-common
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,105 kB of archives.
After this operation, 57.2 MB of additional disk space will be used.
[..]
Setting up shim-signed:amd64 (1.39+15.7-1) ...
Secure Boot not enabled on this system.
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u6) ...

files in shim-signed

tingo@kg-pod530lin:~$ dpkg-query -L shim-signed
/.
/usr
/usr/lib
/usr/lib/shim
/usr/lib/shim/shimx64.efi.signed
/usr/share
/usr/share/doc
/usr/share/doc/shim-signed
/usr/share/doc/shim-signed/changelog.gz
/usr/share/doc/shim-signed/copyright

check signature

tingo@kg-pod530lin:~$ sbverify --list /usr/lib/shim/shimx64.efi.signed
warning: data remaining[823184 vs 948768]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

2024-05-09: zroot - sbsigntool - see what's signed and not

tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/refind_x64.efi
signature 1
image signature issuers:
 - /CN=Roderick W. Smith, rodsmith@rodsbooks.com
image signature certificates:
 - subject: /CN=Roderick W. Smith, rodsmith@rodsbooks.com
   issuer:  /CN=Roderick W. Smith, rodsmith@rodsbooks.com
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/shimx64.efi
warning: data remaining[813568 vs 939147]: gaps between PE/COFF sections?
warning: data remaining[813568 vs 939152]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/mmx64.efi
warning: data remaining[730112 vs 848137]: gaps between PE/COFF sections?
warning: data remaining[730112 vs 848144]: gaps between PE/COFF sections?
No signature table present

ok, so neither shim nor mokmanager are signed.

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sbverify --cert keys/refind.crt /boot/efi/EFI/refind/refind_x64.efi
Signature verification OK

and the signature on refind checks out.

2024-05-09: zroot - apt - install sbsigntool

tingo@kg-pod530lin:~$ sudo apt install sbsigntool
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  sbsigntool
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.4 kB of archives.
After this operation, 429 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 sbsigntool amd64 0.9.4-3.1 [68.4 kB]
Fetched 68.4 kB in 0s (1,012 kB/s)
Selecting previously unselected package sbsigntool.
(Reading database ... 130478 files and directories currently installed.)
Preparing to unpack .../sbsigntool_0.9.4-3.1_amd64.deb ...
Unpacking sbsigntool (0.9.4-3.1) ...
Setting up sbsigntool (0.9.4-3.1) ...
Processing triggers for man-db (2.11.2-2) ...

files in package

tingo@kg-pod530lin:~$ dpkg-query -L sbsigntool
/.
/usr
/usr/bin
/usr/bin/sbattach
/usr/bin/sbkeysync
/usr/bin/sbsiglist
/usr/bin/sbsign
/usr/bin/sbvarsign
/usr/bin/sbverify
/usr/share
/usr/share/doc
/usr/share/doc/sbsigntool
/usr/share/doc/sbsigntool/NEWS.gz
/usr/share/doc/sbsigntool/README
/usr/share/doc/sbsigntool/changelog.Debian.gz
/usr/share/doc/sbsigntool/changelog.gz
/usr/share/doc/sbsigntool/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/sbattach.1.gz
/usr/share/man/man1/sbkeysync.1.gz
/usr/share/man/man1/sbsiglist.1.gz
/usr/share/man/man1/sbsign.1.gz
/usr/share/man/man1/sbvarsign.1.gz
/usr/share/man/man1/sbverify.1.gz

2024-05-09: zroot - current EFI boot entries

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

2024-05-09: Secure boot - ok, booting with Secure Boot on still refuses to let rEFInd boot.

2024-05-09: zroot - use mokutil to import the refind key

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ mokutil -i keys/refind.cer
Failed to accesss kernel trusted keyring: Required key not available
input password: 
input password again: 
Failed to enroll new keys

try with sudo

ingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo mokutil -i keys/refind.cer
input password: 
input password again: 

check

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: d8:a8:6a:e5:b8:29:86:d0:b4:96:f3:85:f3:89:e7:72:f6:a4:28:ad
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e0:c5:ec:74:0c:15:52:4e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Roderick W. Smith, rodsmith@rodsbooks.com
        Validity
            Not Before: Dec  6 21:38:28 2012 GMT
            Not After : Dec  1 21:38:28 2032 GMT
        Subject: CN=Roderick W. Smith, rodsmith@rodsbooks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:4e:75:93:bd:f7:a6:1f:55:cf:e1:1a:a2:08:
                    84:e6:d5:9b:af:c2:29:75:f9:78:5c:71:8c:76:61:
                    0d:b7:21:4f:de:d4:3b:dd:9f:9c:6d:93:a4:24:d0:
                    84:1a:f2:96:06:f0:3a:d0:74:e4:09:90:8b:6f:dc:
                    f0:d8:b8:eb:b4:67:1f:dd:1d:59:bd:de:89:07:04:
                    04:b5:5f:62:49:72:c9:6c:c0:7b:ff:84:00:13:b3:
                    45:e7:bf:77:c9:b7:7d:26:27:48:da:f8:a0:db:48:
                    e6:77:57:43:07:fa:98:c1:91:cf:fa:3e:4e:f1:1e:
                    e3:a4:5b:08:c9:ea:23:f9:9d:e3:de:0f:ca:06:bd:
                    07:06:bb:06:5e:f5:78:62:2b:53:4a:6b:6d:e3:f5:
                    6c:d5:53:c8:65:d1:bb:a1:c9:ab:41:77:fc:40:4a:
                    cf:49:9d:4b:26:12:1b:06:76:a6:ac:76:65:a9:e9:
                    0a:93:be:3f:d0:c1:6a:09:77:b2:79:ce:65:34:93:
                    94:86:b7:92:34:90:a4:06:2a:8f:de:a4:25:3d:5d:
                    d0:1f:e7:3d:7d:f0:9d:03:e9:7c:8f:7c:dd:f2:d9:
                    96:13:3c:66:ff:d6:b3:0d:75:c7:90:5c:3c:61:97:
                    fa:6c:de:7e:00:fe:a2:0a:89:95:b7:2a:cf:1c:3a:
                    3f:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
            X509v3 Authority Key Identifier: 
                D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        a8:f7:fb:e1:46:21:bd:a0:c1:1a:26:d8:a1:cb:8f:e9:61:3b:
        3d:12:22:82:43:a7:b0:cd:c6:d0:68:1c:fb:98:f5:de:73:b8:
        79:13:82:ee:c6:11:3b:46:5f:fe:d7:fc:6a:df:d5:fc:0f:b0:
        b4:99:b0:f2:37:40:eb:b7:73:af:7f:e8:61:cd:67:69:90:32:
        10:ff:b3:fa:49:d4:53:c4:05:c4:fb:fc:54:3a:3e:7b:8c:43:
        4f:5d:95:95:d2:30:ed:53:2d:4c:19:93:7d:20:a0:14:5d:f9:
        cf:7e:6b:fb:d8:56:0d:f5:7a:14:56:fd:dd:e7:2c:bd:c1:20:
        9c:ff:d0:25:18:7c:7c:94:60:c9:fe:9e:c3:25:25:c6:98:12:
        8e:05:05:7f:d5:8d:fd:18:2c:5a:49:67:72:ad:c8:e7:57:5b:
        30:50:12:ce:f6:d7:ac:7c:24:70:7e:8a:3f:ac:d8:7e:c2:02:
        bd:3f:e7:a6:2d:b8:7e:8d:24:cb:ff:35:bf:61:ed:4d:4b:45:
        57:0f:7a:56:4e:cc:00:ec:ce:d7:60:ec:ba:28:e3:76:bc:ab:
        a9:17:21:e1:0e:3d:cd:33:3b:29:ab:cf:e8:0d:01:cb:bd:4c:
        ea:d4:8f:33:f7:db:1d:8a:df:76:79:62:76:24:aa:07:ea:74:
        8a:0c:a5:ea

2024-05-09: zroot - refind - copy shim and MokManager to the refind directory

root@kg-pod530lin:/boot/efi/EFI# cp -pv /usr/lib/shim/shimx64.efi ./refind/
'/usr/lib/shim/shimx64.efi' -> './refind/shimx64.efi'
root@kg-pod530lin:/boot/efi/EFI# cp -pv /usr/lib/shim/mmx64.efi ./refind/
'/usr/lib/shim/mmx64.efi' -> './refind/mmx64.efi'

copy the refind key to the refind directory

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo cp -v keys/refind.cer /boot/efi/EFI/refind/
'keys/refind.cer' -> '/boot/efi/EFI/refind/refind.cer'

2024-05-09: zroot - refind - I renamed the old refind directory

root@kg-pod530lin:/boot/efi/EFI# mv refind refind_0.12

then created an empty one

root@kg-pod530lin:/boot/efi/EFI# mkdir refind

then I installed refind 0.14.2 from a zip file usinfg the script

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ ./refind-install
Not running as root; attempting to elevate privileges via sudo....
[sudo] password for tingo: 
ShimSource is none
Installing rEFInd on Linux....
ESP was found at /boot/efi using vfat
Copied rEFInd binary files

Copying sample configuration file as refind.conf; edit this file to configure
rEFInd.

Keeping existing NVRAM entry
rEFInd is set as the default boot manager.
Creating //boot/refind_linux.conf; edit it to adjust kernel options.

Installation has completed successfully.

now the refind directory has

root@kg-pod530lin:/boot/efi/EFI# ls -lF refind
total 336
-rwxr-xr-x 1 root root    140 May  9 17:01 BOOT.CSV*
drwxr-xr-x 3 root root   8192 May  9 17:01 icons/
drwxr-xr-x 2 root root   8192 May  9 17:01 keys/
-rwxr-xr-x 1 root root  36351 May  9 17:01 refind.conf*
-rwxr-xr-x 1 root root 278328 May  9 17:01 refind_x64.efi*

2024-05-09: zroot - check things with mokutil

tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot disabled
tingo@kg-pod530lin:~$ mokutil --list-enrolled

2024-05-09: zroot - apt - install mokutil

tingo@kg-pod530lin:~$ sudo apt install mokutil
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  mokutil
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.9 kB of archives.
After this operation, 81.9 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 mokutil amd64 0.6.0-2 [26.9 kB]
Fetched 26.9 kB in 0s (211 kB/s)   
Selecting previously unselected package mokutil.
(Reading database ... 130472 files and directories currently installed.)
Preparing to unpack .../mokutil_0.6.0-2_amd64.deb ...
Unpacking mokutil (0.6.0-2) ...
Setting up mokutil (0.6.0-2) ...
Processing triggers for man-db (2.11.2-2) ...

files in the package

tingo@kg-pod530lin:~$ dpkg-query -L mokutil
/.
/usr
/usr/bin
/usr/bin/mokutil
/usr/share
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/mokutil
/usr/share/doc
/usr/share/doc/mokutil
/usr/share/doc/mokutil/changelog.Debian.gz
/usr/share/doc/mokutil/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/mokutil.1.gz

2024-05-09: zroot - apt - install shim-unsigned

tingo@kg-pod530lin:~$ sudo apt install shim-unsigned
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  shim-unsigned
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 436 kB of archives.
After this operation, 1,907 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 shim-unsigned amd64 15.7-1 [436 kB]
Fetched 436 kB in 0s (2,259 kB/s) 
Selecting previously unselected package shim-unsigned.
(Reading database ... 130464 files and directories currently installed.)
Preparing to unpack .../shim-unsigned_15.7-1_amd64.deb ...
Unpacking shim-unsigned (15.7-1) ...
Setting up shim-unsigned (15.7-1) ...

files in package

tingo@kg-pod530lin:~$ dpkg-query -L shim-unsigned
/.
/usr
/usr/lib
/usr/lib/shim
/usr/lib/shim/BOOTX64.CSV
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi
/usr/share
/usr/share/doc
/usr/share/doc/shim-unsigned
/usr/share/doc/shim-unsigned/changelog.Debian.gz
/usr/share/doc/shim-unsigned/copyright

2024-05-09: Secure Boot - (pressed F2 to enter UEFI, switched on Secure Boot) with Secure Boot enabled, rEFInd can NOT boot, ZFSBootMenu can NOT boot.

2024-04-28: zroot - yes - that worked, but I ended up without networking, I had to connect a usb-to-ethenet adapter and run dhclient manually, so I could install missing pieces, like firmware-atheros, a desktop environment and network-manager. Status

tingo@kg-pod530lin:~$ date;acpi -t;/sbin/swapon --show;df -h;uptime
Sun Apr 28 07:28:47 PM CEST 2024
NAME      TYPE      SIZE USED PRIO
/dev/dm-0 partition   4G   0B   -2
Filesystem         Size  Used Avail Use% Mounted on
udev               1.7G     0  1.7G   0% /dev
tmpfs              346M  1.4M  345M   1% /run
zroot/ROOT/debian   55G  2.6G   52G   5% /
tmpfs              1.7G     0  1.7G   0% /dev/shm
tmpfs              5.0M   12K  5.0M   1% /run/lock
/dev/nvme0n1p1     200M   95M  105M  48% /boot/efi
tmpfs              1.7G  8.0K  1.7G   1% /tmp
zroot/home          52G  1.2M   52G   1% /home
tmpfs              346M   60K  346M   1% /run/user/1000
 19:28:47 up 7 min,  2 users,  load average: 0.04, 0.08, 0.05

lsblk info

tingo@kg-pod530lin:~$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 119.2G  0 disk  
├─nvme0n1p1 259:1    0   200M  0 part  /boot/efi
├─nvme0n1p2 259:2    0     4G  0 part  
├─nvme0n1p3 259:3    0    55G  0 part  
├─nvme0n1p4 259:4    0     4G  0 part   └─swap    254:0    0     4G  0 crypt [SWAP]
└─nvme0n1p5 259:5    0    56G  0 part  

blkid info

tingo@kg-pod530lin:~$ sudo blkid
/dev/nvme0n1p5: LABEL="zroot" UUID="17433648056724219961" UUID_SUB="15808678309036509384" BLOCK_SIZE="4096" TYPE="zfs_member" PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p3: UUID="5f2027ccb14aecab" BLOCK_SIZE="4096" TYPE="ufs" PARTUUID="182bde44-d0d6-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"
/dev/nvme0n1p2: PARTUUID="e1424b7a-d0d5-11ea-a01f-9ffdf410df40"
/dev/mapper/swap: LABEL="swap" UUID="fed42fad-b7f3-40a6-92b7-dc98a2a8dc31" TYPE="swap"

zpool status

tingo@kg-pod530lin:~$ zpool status zroot
  pool: zroot
 state: ONLINE
config:

    NAME                                    STATE     READ WRITE CKSUM
    zroot                                   ONLINE       0     0     0
      245b8887-fe70-468e-b937-746f73cfee83  ONLINE       0     0     0

errors: No known data errors

cryptsetup status

tingo@kg-pod530lin:~$ sudo cryptsetup status swap
/dev/mapper/swap is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p4
  sector size:  512
  offset:  2048 sectors
  size:    8386560 sectors
  mode:    read/write

zfs list

tingo@kg-pod530lin:~$ zfs list
NAME                USED  AVAIL     REFER  MOUNTPOINT
zroot              2.59G  51.7G      192K  none
zroot/ROOT         2.59G  51.7G      192K  none
zroot/ROOT/debian  2.59G  51.7G     2.59G  /
zroot/home         1.11M  51.7G     1.11M  /home

encryption

tingo@kg-pod530lin:~$ zfs get encryption zroot
NAME   PROPERTY    VALUE        SOURCE
zroot  encryption  aes-256-gcm  -

key status

tingo@kg-pod530lin:~$ zfs get keystatus zroot
NAME   PROPERTY   VALUE        SOURCE
zroot  keystatus  available    -

2024-04-28: zfs - configure ZFSBootMenu properties on datasets

root@debian:/# zfs set org.zfsbootmenu:commandline="quiet loglevel=4" zroot/ROOT
root@debian:/# zfs set org.zfsbootmenu:keysource="zroot/ROOT/${ID}" zroot

key caching in zfsbootmenu, set up a cachefile

root@debian:/# zpool set cachefile=/etc/zfs/zpool.cache zroot

fetch and install ZFSBootMenu

root@debian:/# mkdir -p /boot/efi/EFI/ZBM
root@debian:/# curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
100 46.0M  100 46.0M    0     0  8572k      0  0:00:05  0:00:05 --:--:-- 30.6M
root@debian:/# cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI

configure EFI boot entries

root@debian:/# mount -t efivarfs efivarfs /sys/firmware/efi/efivars
root@debian:/# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "ZFSBootMenu (Backup)" -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0002* FreeBSD
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0001* ZFSBootMenu (Backup)
root@debian:/# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "ZFSBootMenu" -l '\EFI\ZBM\VMLINUZ.EFI'                
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0003,0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0003* ZFSBootMenu

check order

root@debian:/# efibootmgr
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0003,0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

fix it

root@debian:/# efibootmgr -o 6,2,3,1,2001,2002,2003,0
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003,0000
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

clean up. exit chroot and unmount

root@debian:/# exit 
exit
root@debian:~# umount -n -R /mnt

export the zfs pool

root@debian:~# zpool export zroot

then reboot.

2024-04-28: zfs - configure zfs apt - install required packages

root@debian:/# apt install linux-headers-amd64 linux-image-amd64 zfs-initramfs dosfstools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
dosfstools is already the newest version (4.2-1).
The following additional packages will be installed:
  apparmor binutils binutils-common binutils-x86-64-linux-gnu build-essential busybox bzip2 cpp cpp-12 dirmngr dkms dpkg-dev fakeroot file firmware-linux-free
  fontconfig-config fonts-dejavu-core g++ g++-12 gcc gcc-12 gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm initramfs-tools
  initramfs-tools-core klibc-utils libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libassuan0 libatomic1
  libavif15 libbinutils libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot
  libfile-fcntllock-perl libfontconfig1 libfreetype6 libgav1-1 libgcc-12-dev libgd3 libgdbm-compat4 libgdbm6 libgomp1 libgprofng0 libheif1 libisl23 libitm1 libjbig0
  libjpeg62-turbo libklibc libksba8 liblerc4 liblsan0 libmagic-mgc libmagic1 libmpc3 libmpfr6 libnpth0 libnsl-dev libnuma1 libnvpair3linux libperl5.36 libpng16-16
  libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libquadmath0 librav1e0 libsqlite3-0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2
  libubsan1 libuutil3linux libwebp7 libx265-199 libxpm4 libyuv0 libzfs4linux libzpool5linux linux-base linux-compiler-gcc-12-x86 linux-headers-6.1.0-20-amd64
  linux-headers-6.1.0-20-common linux-image-6.1.0-20-amd64 linux-kbuild-6.1 linux-libc-dev lsb-release make manpages manpages-dev media-types patch perl
  perl-modules-5.36 pinentry-curses python3 python3-distutils python3-lib2to3 python3-minimal python3.11 python3.11-minimal rpcsvc-proto sudo xz-utils zfs-dkms zfs-zed
  zfsutils-linux zstd
Suggested packages:
  apparmor-profiles-extra apparmor-utils binutils-doc bzip2-doc cpp-doc gcc-12-locales cpp-12-doc pinentry-gnome3 tor menu debian-keyring g++-multilib g++-12-multilib
  gcc-12-doc gcc-multilib autoconf automake libtool flex bison gdb gcc-doc gcc-12-multilib parcimonie xloadimage scdaemon bash-completion glibc-doc git bzr libgd-tools
  gdbm-l10n libstdc++-12-doc linux-doc-6.1 debian-kernel-handbook grub-pc | grub-efi-amd64 | extlinux make-doc man-browser ed diffutils-doc perl-doc
  libterm-readline-gnu-perl | libterm-readline-perl-perl libtap-harness-archive-perl pinentry-doc python3-doc python3-tk python3-venv python3.11-venv python3.11-doc
  binfmt-support debhelper nfs-kernel-server samba-common-bin
The following NEW packages will be installed:
  apparmor binutils binutils-common binutils-x86-64-linux-gnu build-essential busybox bzip2 cpp cpp-12 dirmngr dkms dpkg-dev fakeroot file firmware-linux-free
  fontconfig-config fonts-dejavu-core g++ g++-12 gcc gcc-12 gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm initramfs-tools
  initramfs-tools-core klibc-utils libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libassuan0 libatomic1
  libavif15 libbinutils libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot
  libfile-fcntllock-perl libfontconfig1 libfreetype6 libgav1-1 libgcc-12-dev libgd3 libgdbm-compat4 libgdbm6 libgomp1 libgprofng0 libheif1 libisl23 libitm1 libjbig0
  libjpeg62-turbo libklibc libksba8 liblerc4 liblsan0 libmagic-mgc libmagic1 libmpc3 libmpfr6 libnpth0 libnsl-dev libnuma1 libnvpair3linux libperl5.36 libpng16-16
  libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libquadmath0 librav1e0 libsqlite3-0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2
  libubsan1 libuutil3linux libwebp7 libx265-199 libxpm4 libyuv0 libzfs4linux libzpool5linux linux-base linux-compiler-gcc-12-x86 linux-headers-6.1.0-20-amd64
  linux-headers-6.1.0-20-common linux-headers-amd64 linux-image-6.1.0-20-amd64 linux-image-amd64 linux-kbuild-6.1 linux-libc-dev lsb-release make manpages manpages-dev
  media-types patch perl perl-modules-5.36 pinentry-curses python3 python3-distutils python3-lib2to3 python3-minimal python3.11 python3.11-minimal rpcsvc-proto sudo
  xz-utils zfs-dkms zfs-initramfs zfs-zed zfsutils-linux zstd
0 upgraded, 135 newly installed, 0 to remove and 10 not upgraded.
Need to get 194 MB of archives.
After this operation, 928 MB of additional disk space will be used.
[..]
update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64
Setting up zfs-initramfs (2.1.11-1) ...
Setting up zfs-zed (2.1.11-1) ...
Running in chroot, ignoring request.
Created symlink /etc/systemd/system/zed.service  /lib/systemd/system/zfs-zed.service.
Created symlink /etc/systemd/system/zfs.target.wants/zfs-zed.service  /lib/systemd/system/zfs-zed.service.
Processing triggers for initramfs-tools (0.142) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64

and do this

echo "REMAKE_INITRD=yes" > /etc/dkms/zfs.conf

enable systemd zfs services

root@debian:/# systemctl enable zfs.target
root@debian:/# systemctl enable zfs-import-cache
root@debian:/# systemctl enable zfs-mount
Synchronizing state of zfs-mount.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable zfs-mount
root@debian:/# systemctl enable zfs-import.target

configure initramfs

root@debian:/# echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf

Because the encryption key is stored in the /etc/zfs directory, it will automatically be copied into the initramfs. rebuild intramfs

root@debian:/# update-initramfs -c -k all
update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64

2024-04-28: create encrypted swap

root@debian:/# echo "swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512" >> /etc/crypttab

verify

root@debian:/# cat /etc/crypttab
# <target name> <source device>     <key file>  <options>
swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512

This will map /dev/disk/by-partlabel/swap to /dev/mapper/swap as a swap partition that can be added in /etc/fstab like a normal swap. set up fstab

root@debian:/# cat /etc/fstab
/dev/nvme0n1p1 /boot/efi vfat defaults 0 0
/dev/mapper/swap none swap defaults 0 0
tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0

mount efi

root@debian:/# mkdir -p /boot/efi
root@debian:/# mount /boot/efi

2024-04-28: install Debian

root@debian:~# debootstrap bookworm /mnt
I: Target architecture can be executed
I: Retrieving InRelease 
I: Checking Release signature
I: Valid Release signature (key id 4D64FEC119C2029067D6E791F8D2585B8783D481)
I: Retrieving Packages 
I: Validating Packages 
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://deb.debian.org/debian...
I: Retrieving adduser 3.134
[..]
I: Configuring libc-bin...
I: Base system installed successfully.

copy files into the new install

root@debian:~# cp /etc/hostid /mnt/etc/
root@debian:~# cp /etc/resolv.conf /mnt/etc/
root@debian:~# mkdir /mnt/etc/zfs
root@debian:~# cp /etc/zfs/zroot.key /mnt/etc/zfs/

chroot into new os

root@debian:~# mount -t proc proc /mnt/proc
root@debian:~# mount -t sysfs sys /mnt/sys
root@debian:~# mount -B /dev /mnt/dev
root@debian:~# mount -t devpts pts /mnt/dev/pts
root@debian:~# chroot /mnt /bin/bash
root@debian:/# 

set hostname

root@debian:/# echo 'kg-pod530lin' > /etc/hostname
root@debian:/# echo -e '127.0.1.1\tkg-pod530lin' >> /etc/hosts

update /etc/apt/sources.list

root@debian:/# cat <<EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware

deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware

deb http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
EOF

and run apt update

root@debian:/# apt update
[..]
12 packages can be upgraded. Run 'apt list --upgradable' to see them.

apt - install additional base packages

root@debian:/# apt install console-setup cryptsetup curl dosfstools efibootmgr keyboard-configuration
Reading package lists... Done
Building dependency tree... Done
The following additional packages will be installed:
  ca-certificates console-setup-linux cryptsetup-bin kbd libbrotli1 libcurl4 libefiboot1 libefivar1 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5 librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl publicsuffix xkb-data
Suggested packages:
  locales cryptsetup-initramfs keyutils libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql
The following NEW packages will be installed:
  ca-certificates console-setup console-setup-linux cryptsetup cryptsetup-bin curl dosfstools efibootmgr kbd keyboard-configuration libbrotli1 libcurl4 libefiboot1
  libefivar1 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl publicsuffix xkb-data
0 upgraded, 26 newly installed, 0 to remove and 12 not upgraded.
Need to get 7857 kB of archives.
After this operation, 25.3 MB of additional disk space will be used.
[..]
Setting up console-setup (1.221) ...
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
Processing triggers for libc-bin (2.36-9+deb12u4) ...
Processing triggers for ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

set timezone

root@debian:/# dpkg-reconfigure tzdata
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory

Current default time zone: 'Europe/Oslo'
Local time is now:      Sun Apr 28 17:17:20 CEST 2024.
Universal Time is now:  Sun Apr 28 15:17:20 UTC 2024.

configure locales

root@debian:/# dpkg-reconfigure locales
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
dpkg-query: package 'locales' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
/usr/sbin/dpkg-reconfigure: locales is not installed

aha - apt - fix it

root@debian:/# apt install locales
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libc-bin libc-l10n libc6
Suggested packages:
  glibc-doc libnss-nis libnss-nisplus
Recommended packages:
  manpages
The following NEW packages will be installed:
  libc-l10n locales
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 2 newly installed, 0 to remove and 10 not upgraded.
Need to get 7936 kB of archives.
After this operation, 20.7 MB of additional disk space will be used.
[..]
Generating locales (this might take a while)...
Generation complete.

retry

root@debian:/# dpkg-reconfigure locales
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory
Generating locales (this might take a while)...
  en_US.UTF-8... done
  nb_NO.UTF-8... done
Generation complete.

set console font

root@debian:/# dpkg-reconfigure console-setup
root@debian:/# setupcon
setupcon: We are not on the console, the console is left unconfigured.

keyboard setup

root@debian:/# dpkg-reconfigure keyboard-configuration

add a user

root@debian:/# adduser tingo
Adding user `tingo' ...
Adding new group `tingo' (1000) ...
Adding new user `tingo' (1000) with group `tingo (1000)' ...
Creating home directory `/home/tingo' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for tingo
Enter the new value, or press ENTER for the default
    Full Name []: Torfinn Ingolfsen
    Room Number []: 
    Work Phone []: 
    Home Phone []: 
    Other []: 
Is the information correct? [Y/n] 
Adding new user `tingo' to supplemental / extra groups `users' ...
Adding user `tingo' to group `users' ...

I added it to some more groups

root@debian:/# groups tingo
tingo : tingo adm lp dialout cdrom floppy sudo audio dip video plugdev users netdev

apt - install openssh-server

root@debian:/# apt install openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session libcbor0.8 libdbus-1-3 libexpat1 libfido2-1 libnsl2 libpam-systemd
  libwrap0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term openssh-client openssh-sftp-server runit-helper ucf xauth
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard ufw
The following NEW packages will be installed:
  dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session libcbor0.8 libdbus-1-3 libexpat1 libfido2-1 libnsl2 libpam-systemd
  libwrap0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term openssh-client openssh-server openssh-sftp-server runit-helper ucf xauth
0 upgraded, 27 newly installed, 0 to remove and 10 not upgraded.
Need to get 4,775 kB of archives.
After this operation, 19.8 MB of additional disk space will be used.
[..]
Setting up openssh-server (1:9.2p1-2+deb12u2) ...

Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:UQ/h42Hqk/HUOoX8MLqfLVb25IOLjKx1ZVej1EV9YzM root@debian (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:8vjFesYkjt4H6kury2HzmeHB6K12rH4giBZMYBFJf2U root@debian (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:OU4+ArV+LJ9dMScoDXHXK97wKjV8ywCqruXUc/S5N9Q root@debian (ED25519)
Running in chroot, ignoring request.
Created symlink /etc/systemd/system/sshd.service  /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service  /lib/systemd/system/ssh.service.
Setting up dbus-user-session (1.14.10-1~deb12u1) ...
Processing triggers for libc-bin (2.36-9+deb12u6) ...

2024-04-28: zfs - create filesystems first, set id

root@debian:~# source /etc/os-release
root@debian:~# export ID
root@debian:~# echo $ID
debian

then create filesystems

root@debian:~# zfs create -o mountpoint=none zroot/ROOT
root@debian:~# zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/${ID}
root@debian:~# zfs create -o mountpoint=/home zroot/home

set preferred boot file system

root@debian:~# zpool set bootfs=zroot/ROOT/${ID} zroot

export and re-import the pool

root@debian:~# zpool export zroot
root@debian:~# zpool import -N -R /mnt zroot

mount root and /home

root@debian:~# zfs load-key -L prompt zroot
Enter passphrase for 'zroot':
root@debian:~# zfs mount zroot/ROOT/${ID}
root@debian:~# zfs mount zroot/home

verify mount points

root@debian:~# mount -t zfs
zroot/ROOT/debian on /mnt type zfs (rw,relatime,xattr,posixacl)
zroot/home on /mnt/home type zfs (rw,relatime,xattr,posixacl)

update device symlinks

root@debian:~# udevadm trigger

2024-04-28: zfs - create the pool

root@debian:~# zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posixacl  -O xattr=sa -O relatime=on -o autotrim=on -O encryption=aes-256-gcm -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -m none zroot "/dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83"
cannot create 'zroot': Passphrase too short (min 8).

ok, fix that

root@debian:~# zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posixacl  -O xattr=sa -O relatime=on -o autotrim=on -O encryption=aes-256-gcm -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -m none zroot "/dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83"

2024-04-28: set up a zfs passphrase to unlock the encrypted pool

# echo 'SomeKeyphrase' > /etc/zfs/zroot.key
root@debian:~# chmod 000 /etc/zfs/zroot.key

2024-04-28: zfs partition needs to be located by partuuid, to ensure that the zfs import doesn't fail. Baby steps

root@debian:~# blkid
/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p3: UUID="5f2027ccb14aecab" BLOCK_SIZE="4096" TYPE="ufs" PARTUUID="182bde44-d0d6-11ea-a01f-9ffdf410df40"
/dev/sda1: BLOCK_SIZE="2048" UUID="2023-12-10-17-43-24-00" LABEL="d-live 12.4.0 xf amd64" TYPE="iso9660" PARTUUID="2d331e75-01"
/dev/loop0: TYPE="squashfs"
/dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"
/dev/nvme0n1p2: PARTUUID="e1424b7a-d0d5-11ea-a01f-9ffdf410df40"
/dev/sda2: SEC_TYPE="msdos" UUID="6575-F8BC" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="2d331e75-02"

get the pool partition

root@debian:~# blkid | grep /dev/nvme0n1p5
/dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"

step

root@debian:~# blkid | grep /dev/nvme0n1p5 | cut -d ' ' -f 3
PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"

by step

root@debian:~# blkid | grep /dev/nvme0n1p5 | cut -d ' ' -f 3 | cut -d '"' -f 2
245b8887-fe70-468e-b937-746f73cfee83

so the correct line is

root@debian:~# ls -l /dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83
lrwxrwxrwx 1 root root 15 Apr 28 14:01 /dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83 -> ../../nvme0n1p5

2024-04-28: situation now

root@debian:~# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0   2.5G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
                                      /run/live/rootfs/filesystem.squashfs
sda           8:0    1   7.5G  0 disk 
├─sda1        8:1    1     3G  0 part /usr/lib/live/mount/medium
│                                     /run/live/medium
└─sda2        8:2    1     5M  0 part 
nvme0n1     259:0    0 119.2G  0 disk 
├─nvme0n1p1 259:6    0   200M  0 part 
├─nvme0n1p2 259:7    0     4G  0 part 
├─nvme0n1p3 259:8    0    55G  0 part 
├─nvme0n1p4 259:9    0     4G  0 part 
└─nvme0n1p5 259:10   0    56G  0 part 

so /dev/nvme0n1p5 is the pool partition.

2024-04-28: create a swap partition

root@debian:~# sgdisk -n "4:0:+4g" -t "4:8200" -c 0:swap "/dev/nvme0n1"
The operation has completed successfully.

verify

root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX                         
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 117539437 sectors (56.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640         8798247   4.0 GiB     A502  
   3         8798248       124141607   55.0 GiB    A503  
   4       124141608       132530215   4.0 GiB     8200  swap

create a partition for the zfs pool

root@debian:~# sgdisk -n "5:0:-10m" -t "5:bf00" -c 0:pool "/dev/nvme0n1"
The operation has completed successfully.

verify

root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX                         
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 20486 sectors (10.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640         8798247   4.0 GiB     A502  
   3         8798248       124141607   55.0 GiB    A503  
   4       124141608       132530215   4.0 GiB     8200  swap
   5       132530216       250049166   56.0 GiB    BF00  pool

2024-04-28: I booted Debian from a live usb stick, and intend to install Debian with root on zfs, and encrypted, and still have it dual boot with FreeBSD.

root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX                         
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 125928045 sectors (60.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640         8798247   4.0 GiB     A502  
   3         8798248       124141607   55.0 GiB    A503  

running sgdisk to print out the existing partiion table on the internal ssd, there is 60 GB free space. EF00 is the EFI partion, A502 is FreeBSD swap, A503 is FreeBSD UFS.