Lenovo ideapad 530S - Debian

Hardware info on main page.

Links

Install Debian 12 with encrypted Root-on-ZFS,

Work log

2024-05-09: zroot - SecureBoot - with it enabled, shim works and loads rEFInd, but ZFSBootMenu (and the FreeBSD loader) are not signed, so it fails to load them.

2024-05-09: zroot - shim - it seems that shim (from shim-signed) requires that the program to load is named 'grubx64.efi' or something else it knows. I copied refind_x64.efi to grubx64.efi and shim booted without complaint, and efibootmgr verifies

tingo@kg-pod530lin:~$ efibootmgr
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

secureboot is still off

tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot disabled

2024-05-09: zroot - efibootmgr - the created entry didn't stick around, after a reboot, I'm back to

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

try again

tingo@kg-pod530lin:~$ sudo efibootmgr -c -d /dev/nvme0n1 -l /EFI/refind/shimx64s.efi -L "SB rEFInd" -u "shimx64s.efi refind_x64.efi"
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0000* SB rEFInd

verify

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

looks better now.

2024-05-09: zroot - efibootmgr - set up a boot entry for the shim enabled rEFInd

tingo@kg-pod530lin:~$ sudo efibootmgr -c -d /dev/nvme0n1 -l /boot/efi/EFI/refind/shimx64s.efi -L "SB rEFInd" -u "shimx64s.efi refind_x64.efi"
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0000* SB rEFInd

verify

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0000,0006,0002,0003,0001,2001,2002,2003
Boot0000* SB rEFInd HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\boot\efi\EFI\refind\shimx64s.efi)s.h.i.m.x.6.4.s...e.f.i. .r.e.f.i.n.d._.x.6.4...e.f.i.
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

2024-05-09: zroot - copy the signed shim to the refind directory

tingo@kg-pod530lin:~$ sudo cp -pv /usr/lib/shim/shimx64.efi.signed /boot/efi/EFI/refind/shimx64s.efi
'/usr/lib/shim/shimx64.efi.signed' -> '/boot/efi/EFI/refind/shimx64s.efi'

2024-05-09: zroot - check the ZFSBootMenu binaries with sbverify too

tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/ZBM/VMLINUZ.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI
warning: data remaining[48315392 vs 48324804]: gaps between PE/COFF sections?
warning: data remaining[48315392 vs 48324808]: gaps between PE/COFF sections?
No signature table present

not signed, I expected that.

2024-05-09: zroot - apt - install shim-signed

tingo@kg-pod530lin:~$ sudo apt install shim-signed
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  gettext-base grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libfuse2 os-prober shim-helpers-amd64-signed
  shim-signed-common
Suggested packages:
  multiboot-doc grub-emu mtools xorriso
Recommended packages:
  secureboot-db
The following NEW packages will be installed:
  gettext-base grub-common grub-efi-amd64-bin grub-efi-amd64-signed grub2-common libfuse2 os-prober shim-helpers-amd64-signed
  shim-signed shim-signed-common
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,105 kB of archives.
After this operation, 57.2 MB of additional disk space will be used.
[..]
Setting up shim-signed:amd64 (1.39+15.7-1) ...
Secure Boot not enabled on this system.
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+deb12u6) ...

files in shim-signed

tingo@kg-pod530lin:~$ dpkg-query -L shim-signed
/.
/usr
/usr/lib
/usr/lib/shim
/usr/lib/shim/shimx64.efi.signed
/usr/share
/usr/share/doc
/usr/share/doc/shim-signed
/usr/share/doc/shim-signed/changelog.gz
/usr/share/doc/shim-signed/copyright

check signature

tingo@kg-pod530lin:~$ sbverify --list /usr/lib/shim/shimx64.efi.signed
warning: data remaining[823184 vs 948768]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
image signature certificates:
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Windows UEFI Driver Publisher
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
 - subject: /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation UEFI CA 2011
   issuer:  /C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/CN=Microsoft Corporation Third Party Marketplace Root

2024-05-09: zroot - sbsigntool - see what's signed and not

tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/refind_x64.efi
signature 1
image signature issuers:
 - /CN=Roderick W. Smith, rodsmith@rodsbooks.com
image signature certificates:
 - subject: /CN=Roderick W. Smith, rodsmith@rodsbooks.com
   issuer:  /CN=Roderick W. Smith, rodsmith@rodsbooks.com
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/shimx64.efi
warning: data remaining[813568 vs 939147]: gaps between PE/COFF sections?
warning: data remaining[813568 vs 939152]: gaps between PE/COFF sections?
No signature table present
tingo@kg-pod530lin:~$ sbverify --list /boot/efi/EFI/refind/mmx64.efi
warning: data remaining[730112 vs 848137]: gaps between PE/COFF sections?
warning: data remaining[730112 vs 848144]: gaps between PE/COFF sections?
No signature table present

ok, so neither shim nor mokmanager are signed.

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sbverify --cert keys/refind.crt /boot/efi/EFI/refind/refind_x64.efi
Signature verification OK

and the signature on refind checks out.

2024-05-09: zroot - apt - install sbsigntool

tingo@kg-pod530lin:~$ sudo apt install sbsigntool
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  sbsigntool
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.4 kB of archives.
After this operation, 429 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 sbsigntool amd64 0.9.4-3.1 [68.4 kB]
Fetched 68.4 kB in 0s (1,012 kB/s)
Selecting previously unselected package sbsigntool.
(Reading database ... 130478 files and directories currently installed.)
Preparing to unpack .../sbsigntool_0.9.4-3.1_amd64.deb ...
Unpacking sbsigntool (0.9.4-3.1) ...
Setting up sbsigntool (0.9.4-3.1) ...
Processing triggers for man-db (2.11.2-2) ...

files in package

tingo@kg-pod530lin:~$ dpkg-query -L sbsigntool
/.
/usr
/usr/bin
/usr/bin/sbattach
/usr/bin/sbkeysync
/usr/bin/sbsiglist
/usr/bin/sbsign
/usr/bin/sbvarsign
/usr/bin/sbverify
/usr/share
/usr/share/doc
/usr/share/doc/sbsigntool
/usr/share/doc/sbsigntool/NEWS.gz
/usr/share/doc/sbsigntool/README
/usr/share/doc/sbsigntool/changelog.Debian.gz
/usr/share/doc/sbsigntool/changelog.gz
/usr/share/doc/sbsigntool/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/sbattach.1.gz
/usr/share/man/man1/sbkeysync.1.gz
/usr/share/man/man1/sbsiglist.1.gz
/usr/share/man/man1/sbsign.1.gz
/usr/share/man/man1/sbvarsign.1.gz
/usr/share/man/man1/sbverify.1.gz

2024-05-09: zroot - current EFI boot entries

tingo@kg-pod530lin:~$ efibootmgr -v
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003
Boot0001* ZFSBootMenu (Backup)  HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ-BACKUP.EFI)
Boot0002* FreeBSD   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\FreeBSD\BOOTx64.efi)
Boot0003* ZFSBootMenu   HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\ZBM\VMLINUZ.EFI)
Boot0006* rEFInd    HD(1,GPT,c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40,0x28,0x64000)/File(\EFI\refind\refind_x64.efi)
Boot2001* EFI USB Device    RC
Boot2002* EFI DVD/CDROM RC
Boot2003* EFI Network   RC

2024-05-09: Secure boot - ok, booting with Secure Boot on still refuses to let rEFInd boot.

2024-05-09: zroot - use mokutil to import the refind key

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ mokutil -i keys/refind.cer
Failed to accesss kernel trusted keyring: Required key not available
input password: 
input password again: 
Failed to enroll new keys

try with sudo

ingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo mokutil -i keys/refind.cer
input password: 
input password again: 

check

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo mokutil --list-new
[key 1]
SHA1 Fingerprint: d8:a8:6a:e5:b8:29:86:d0:b4:96:f3:85:f3:89:e7:72:f6:a4:28:ad
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e0:c5:ec:74:0c:15:52:4e
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Roderick W. Smith, rodsmith@rodsbooks.com
        Validity
            Not Before: Dec  6 21:38:28 2012 GMT
            Not After : Dec  1 21:38:28 2032 GMT
        Subject: CN=Roderick W. Smith, rodsmith@rodsbooks.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:4e:75:93:bd:f7:a6:1f:55:cf:e1:1a:a2:08:
                    84:e6:d5:9b:af:c2:29:75:f9:78:5c:71:8c:76:61:
                    0d:b7:21:4f:de:d4:3b:dd:9f:9c:6d:93:a4:24:d0:
                    84:1a:f2:96:06:f0:3a:d0:74:e4:09:90:8b:6f:dc:
                    f0:d8:b8:eb:b4:67:1f:dd:1d:59:bd:de:89:07:04:
                    04:b5:5f:62:49:72:c9:6c:c0:7b:ff:84:00:13:b3:
                    45:e7:bf:77:c9:b7:7d:26:27:48:da:f8:a0:db:48:
                    e6:77:57:43:07:fa:98:c1:91:cf:fa:3e:4e:f1:1e:
                    e3:a4:5b:08:c9:ea:23:f9:9d:e3:de:0f:ca:06:bd:
                    07:06:bb:06:5e:f5:78:62:2b:53:4a:6b:6d:e3:f5:
                    6c:d5:53:c8:65:d1:bb:a1:c9:ab:41:77:fc:40:4a:
                    cf:49:9d:4b:26:12:1b:06:76:a6:ac:76:65:a9:e9:
                    0a:93:be:3f:d0:c1:6a:09:77:b2:79:ce:65:34:93:
                    94:86:b7:92:34:90:a4:06:2a:8f:de:a4:25:3d:5d:
                    d0:1f:e7:3d:7d:f0:9d:03:e9:7c:8f:7c:dd:f2:d9:
                    96:13:3c:66:ff:d6:b3:0d:75:c7:90:5c:3c:61:97:
                    fa:6c:de:7e:00:fe:a2:0a:89:95:b7:2a:cf:1c:3a:
                    3f:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
            X509v3 Authority Key Identifier: 
                D3:0C:06:BD:39:58:A6:6C:98:75:7F:09:A8:08:55:E1:74:4A:5A:70
            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
    Signature Value:
        a8:f7:fb:e1:46:21:bd:a0:c1:1a:26:d8:a1:cb:8f:e9:61:3b:
        3d:12:22:82:43:a7:b0:cd:c6:d0:68:1c:fb:98:f5:de:73:b8:
        79:13:82:ee:c6:11:3b:46:5f:fe:d7:fc:6a:df:d5:fc:0f:b0:
        b4:99:b0:f2:37:40:eb:b7:73:af:7f:e8:61:cd:67:69:90:32:
        10:ff:b3:fa:49:d4:53:c4:05:c4:fb:fc:54:3a:3e:7b:8c:43:
        4f:5d:95:95:d2:30:ed:53:2d:4c:19:93:7d:20:a0:14:5d:f9:
        cf:7e:6b:fb:d8:56:0d:f5:7a:14:56:fd:dd:e7:2c:bd:c1:20:
        9c:ff:d0:25:18:7c:7c:94:60:c9:fe:9e:c3:25:25:c6:98:12:
        8e:05:05:7f:d5:8d:fd:18:2c:5a:49:67:72:ad:c8:e7:57:5b:
        30:50:12:ce:f6:d7:ac:7c:24:70:7e:8a:3f:ac:d8:7e:c2:02:
        bd:3f:e7:a6:2d:b8:7e:8d:24:cb:ff:35:bf:61:ed:4d:4b:45:
        57:0f:7a:56:4e:cc:00:ec:ce:d7:60:ec:ba:28:e3:76:bc:ab:
        a9:17:21:e1:0e:3d:cd:33:3b:29:ab:cf:e8:0d:01:cb:bd:4c:
        ea:d4:8f:33:f7:db:1d:8a:df:76:79:62:76:24:aa:07:ea:74:
        8a:0c:a5:ea

2024-05-09: zroot - refind - copy shim and MokManager to the refind directory

root@kg-pod530lin:/boot/efi/EFI# cp -pv /usr/lib/shim/shimx64.efi ./refind/
'/usr/lib/shim/shimx64.efi' -> './refind/shimx64.efi'
root@kg-pod530lin:/boot/efi/EFI# cp -pv /usr/lib/shim/mmx64.efi ./refind/
'/usr/lib/shim/mmx64.efi' -> './refind/mmx64.efi'

copy the refind key to the refind directory

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ sudo cp -v keys/refind.cer /boot/efi/EFI/refind/
'keys/refind.cer' -> '/boot/efi/EFI/refind/refind.cer'

2024-05-09: zroot - refind - I renamed the old refind directory

root@kg-pod530lin:/boot/efi/EFI# mv refind refind_0.12

then created an empty one

root@kg-pod530lin:/boot/efi/EFI# mkdir refind

then I installed refind 0.14.2 from a zip file usinfg the script

tingo@kg-pod530lin:~/dl/refind-bin-0.14.2$ ./refind-install
Not running as root; attempting to elevate privileges via sudo....
[sudo] password for tingo: 
ShimSource is none
Installing rEFInd on Linux....
ESP was found at /boot/efi using vfat
Copied rEFInd binary files

Copying sample configuration file as refind.conf; edit this file to configure
rEFInd.

Keeping existing NVRAM entry
rEFInd is set as the default boot manager.
Creating //boot/refind_linux.conf; edit it to adjust kernel options.

Installation has completed successfully.

now the refind directory has

root@kg-pod530lin:/boot/efi/EFI# ls -lF refind
total 336
-rwxr-xr-x 1 root root    140 May  9 17:01 BOOT.CSV*
drwxr-xr-x 3 root root   8192 May  9 17:01 icons/
drwxr-xr-x 2 root root   8192 May  9 17:01 keys/
-rwxr-xr-x 1 root root  36351 May  9 17:01 refind.conf*
-rwxr-xr-x 1 root root 278328 May  9 17:01 refind_x64.efi*

2024-05-09: zroot - check things with mokutil

tingo@kg-pod530lin:~$ mokutil --sb-state
SecureBoot disabled
tingo@kg-pod530lin:~$ mokutil --list-enrolled

2024-05-09: zroot - apt - install mokutil

tingo@kg-pod530lin:~$ sudo apt install mokutil
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  mokutil
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 26.9 kB of archives.
After this operation, 81.9 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 mokutil amd64 0.6.0-2 [26.9 kB]
Fetched 26.9 kB in 0s (211 kB/s)   
Selecting previously unselected package mokutil.
(Reading database ... 130472 files and directories currently installed.)
Preparing to unpack .../mokutil_0.6.0-2_amd64.deb ...
Unpacking mokutil (0.6.0-2) ...
Setting up mokutil (0.6.0-2) ...
Processing triggers for man-db (2.11.2-2) ...

files in the package

tingo@kg-pod530lin:~$ dpkg-query -L mokutil
/.
/usr
/usr/bin
/usr/bin/mokutil
/usr/share
/usr/share/bash-completion
/usr/share/bash-completion/completions
/usr/share/bash-completion/completions/mokutil
/usr/share/doc
/usr/share/doc/mokutil
/usr/share/doc/mokutil/changelog.Debian.gz
/usr/share/doc/mokutil/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/mokutil.1.gz

2024-05-09: zroot - apt - install shim-unsigned

tingo@kg-pod530lin:~$ sudo apt install shim-unsigned
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  shim-unsigned
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 436 kB of archives.
After this operation, 1,907 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm/main amd64 shim-unsigned amd64 15.7-1 [436 kB]
Fetched 436 kB in 0s (2,259 kB/s) 
Selecting previously unselected package shim-unsigned.
(Reading database ... 130464 files and directories currently installed.)
Preparing to unpack .../shim-unsigned_15.7-1_amd64.deb ...
Unpacking shim-unsigned (15.7-1) ...
Setting up shim-unsigned (15.7-1) ...

files in package

tingo@kg-pod530lin:~$ dpkg-query -L shim-unsigned
/.
/usr
/usr/lib
/usr/lib/shim
/usr/lib/shim/BOOTX64.CSV
/usr/lib/shim/fbx64.efi
/usr/lib/shim/mmx64.efi
/usr/lib/shim/shimx64.efi
/usr/share
/usr/share/doc
/usr/share/doc/shim-unsigned
/usr/share/doc/shim-unsigned/changelog.Debian.gz
/usr/share/doc/shim-unsigned/copyright

2024-05-09: Secure Boot - (pressed F2 to enter UEFI, switched on Secure Boot) with Secure Boot enabled, rEFInd can NOT boot, ZFSBootMenu can NOT boot.

2024-04-28: zroot - yes - that worked, but I ended up without networking, I had to connect a usb-to-ethenet adapter and run dhclient manually, so I could install missing pieces, like firmware-atheros, a desktop environment and network-manager. Status

tingo@kg-pod530lin:~$ date;acpi -t;/sbin/swapon --show;df -h;uptime
Sun Apr 28 07:28:47 PM CEST 2024
NAME      TYPE      SIZE USED PRIO
/dev/dm-0 partition   4G   0B   -2
Filesystem         Size  Used Avail Use% Mounted on
udev               1.7G     0  1.7G   0% /dev
tmpfs              346M  1.4M  345M   1% /run
zroot/ROOT/debian   55G  2.6G   52G   5% /
tmpfs              1.7G     0  1.7G   0% /dev/shm
tmpfs              5.0M   12K  5.0M   1% /run/lock
/dev/nvme0n1p1     200M   95M  105M  48% /boot/efi
tmpfs              1.7G  8.0K  1.7G   1% /tmp
zroot/home          52G  1.2M   52G   1% /home
tmpfs              346M   60K  346M   1% /run/user/1000
 19:28:47 up 7 min,  2 users,  load average: 0.04, 0.08, 0.05

lsblk info

tingo@kg-pod530lin:~$ lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINTS
nvme0n1     259:0    0 119.2G  0 disk  
├─nvme0n1p1 259:1    0   200M  0 part  /boot/efi
├─nvme0n1p2 259:2    0     4G  0 part  
├─nvme0n1p3 259:3    0    55G  0 part  
├─nvme0n1p4 259:4    0     4G  0 part   └─swap    254:0    0     4G  0 crypt [SWAP]
└─nvme0n1p5 259:5    0    56G  0 part  

blkid info

tingo@kg-pod530lin:~$ sudo blkid
/dev/nvme0n1p5: LABEL="zroot" UUID="17433648056724219961" UUID_SUB="15808678309036509384" BLOCK_SIZE="4096" TYPE="zfs_member" PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p3: UUID="5f2027ccb14aecab" BLOCK_SIZE="4096" TYPE="ufs" PARTUUID="182bde44-d0d6-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"
/dev/nvme0n1p2: PARTUUID="e1424b7a-d0d5-11ea-a01f-9ffdf410df40"
/dev/mapper/swap: LABEL="swap" UUID="fed42fad-b7f3-40a6-92b7-dc98a2a8dc31" TYPE="swap"

zpool status

tingo@kg-pod530lin:~$ zpool status zroot
  pool: zroot
 state: ONLINE
config:

    NAME                                    STATE     READ WRITE CKSUM
    zroot                                   ONLINE       0     0     0
      245b8887-fe70-468e-b937-746f73cfee83  ONLINE       0     0     0

errors: No known data errors

cryptsetup status

tingo@kg-pod530lin:~$ sudo cryptsetup status swap
/dev/mapper/swap is active and is in use.
  type:    PLAIN
  cipher:  aes-xts-plain64
  keysize: 512 bits
  key location: dm-crypt
  device:  /dev/nvme0n1p4
  sector size:  512
  offset:  2048 sectors
  size:    8386560 sectors
  mode:    read/write

zfs list

tingo@kg-pod530lin:~$ zfs list
NAME                USED  AVAIL     REFER  MOUNTPOINT
zroot              2.59G  51.7G      192K  none
zroot/ROOT         2.59G  51.7G      192K  none
zroot/ROOT/debian  2.59G  51.7G     2.59G  /
zroot/home         1.11M  51.7G     1.11M  /home

encryption

tingo@kg-pod530lin:~$ zfs get encryption zroot
NAME   PROPERTY    VALUE        SOURCE
zroot  encryption  aes-256-gcm  -

key status

tingo@kg-pod530lin:~$ zfs get keystatus zroot
NAME   PROPERTY   VALUE        SOURCE
zroot  keystatus  available    -

2024-04-28: zfs - configure ZFSBootMenu properties on datasets

root@debian:/# zfs set org.zfsbootmenu:commandline="quiet loglevel=4" zroot/ROOT
root@debian:/# zfs set org.zfsbootmenu:keysource="zroot/ROOT/${ID}" zroot

key caching in zfsbootmenu, set up a cachefile

root@debian:/# zpool set cachefile=/etc/zfs/zpool.cache zroot

fetch and install ZFSBootMenu

root@debian:/# mkdir -p /boot/efi/EFI/ZBM
root@debian:/# curl -o /boot/efi/EFI/ZBM/VMLINUZ.EFI -L https://get.zfsbootmenu.org/efi
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:02 --:--:--     0
  0     0    0     0    0     0      0      0 --:--:--  0:00:03 --:--:--     0
100 46.0M  100 46.0M    0     0  8572k      0  0:00:05  0:00:05 --:--:-- 30.6M
root@debian:/# cp /boot/efi/EFI/ZBM/VMLINUZ.EFI /boot/efi/EFI/ZBM/VMLINUZ-BACKUP.EFI

configure EFI boot entries

root@debian:/# mount -t efivarfs efivarfs /sys/firmware/efi/efivars
root@debian:/# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "ZFSBootMenu (Backup)" -l '\EFI\ZBM\VMLINUZ-BACKUP.EFI'
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0002* FreeBSD
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0001* ZFSBootMenu (Backup)
root@debian:/# efibootmgr -c -d /dev/nvme0n1 -p 1 -L "ZFSBootMenu" -l '\EFI\ZBM\VMLINUZ.EFI'                
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0003,0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network
Boot0003* ZFSBootMenu

check order

root@debian:/# efibootmgr
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0003,0001,0006,0002,0000,2001,2002,2003
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

fix it

root@debian:/# efibootmgr -o 6,2,3,1,2001,2002,2003,0
BootCurrent: 0006
Timeout: 0 seconds
BootOrder: 0006,0002,0003,0001,2001,2002,2003,0000
Boot0000* Linpus lite
Boot0001* ZFSBootMenu (Backup)
Boot0002* FreeBSD
Boot0003* ZFSBootMenu
Boot0006* rEFInd
Boot2001* EFI USB Device
Boot2002* EFI DVD/CDROM
Boot2003* EFI Network

clean up. exit chroot and unmount

root@debian:/# exit 
exit
root@debian:~# umount -n -R /mnt

export the zfs pool

root@debian:~# zpool export zroot

then reboot.

2024-04-28: zfs - configure zfs apt - install required packages

root@debian:/# apt install linux-headers-amd64 linux-image-amd64 zfs-initramfs dosfstools
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
dosfstools is already the newest version (4.2-1).
The following additional packages will be installed:
  apparmor binutils binutils-common binutils-x86-64-linux-gnu build-essential busybox bzip2 cpp cpp-12 dirmngr dkms dpkg-dev fakeroot file firmware-linux-free
  fontconfig-config fonts-dejavu-core g++ g++-12 gcc gcc-12 gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm initramfs-tools
  initramfs-tools-core klibc-utils libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libassuan0 libatomic1
  libavif15 libbinutils libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot
  libfile-fcntllock-perl libfontconfig1 libfreetype6 libgav1-1 libgcc-12-dev libgd3 libgdbm-compat4 libgdbm6 libgomp1 libgprofng0 libheif1 libisl23 libitm1 libjbig0
  libjpeg62-turbo libklibc libksba8 liblerc4 liblsan0 libmagic-mgc libmagic1 libmpc3 libmpfr6 libnpth0 libnsl-dev libnuma1 libnvpair3linux libperl5.36 libpng16-16
  libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libquadmath0 librav1e0 libsqlite3-0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2
  libubsan1 libuutil3linux libwebp7 libx265-199 libxpm4 libyuv0 libzfs4linux libzpool5linux linux-base linux-compiler-gcc-12-x86 linux-headers-6.1.0-20-amd64
  linux-headers-6.1.0-20-common linux-image-6.1.0-20-amd64 linux-kbuild-6.1 linux-libc-dev lsb-release make manpages manpages-dev media-types patch perl
  perl-modules-5.36 pinentry-curses python3 python3-distutils python3-lib2to3 python3-minimal python3.11 python3.11-minimal rpcsvc-proto sudo xz-utils zfs-dkms zfs-zed
  zfsutils-linux zstd
Suggested packages:
  apparmor-profiles-extra apparmor-utils binutils-doc bzip2-doc cpp-doc gcc-12-locales cpp-12-doc pinentry-gnome3 tor menu debian-keyring g++-multilib g++-12-multilib
  gcc-12-doc gcc-multilib autoconf automake libtool flex bison gdb gcc-doc gcc-12-multilib parcimonie xloadimage scdaemon bash-completion glibc-doc git bzr libgd-tools
  gdbm-l10n libstdc++-12-doc linux-doc-6.1 debian-kernel-handbook grub-pc | grub-efi-amd64 | extlinux make-doc man-browser ed diffutils-doc perl-doc
  libterm-readline-gnu-perl | libterm-readline-perl-perl libtap-harness-archive-perl pinentry-doc python3-doc python3-tk python3-venv python3.11-venv python3.11-doc
  binfmt-support debhelper nfs-kernel-server samba-common-bin
The following NEW packages will be installed:
  apparmor binutils binutils-common binutils-x86-64-linux-gnu build-essential busybox bzip2 cpp cpp-12 dirmngr dkms dpkg-dev fakeroot file firmware-linux-free
  fontconfig-config fonts-dejavu-core g++ g++-12 gcc gcc-12 gnupg gnupg-l10n gnupg-utils gpg gpg-agent gpg-wks-client gpg-wks-server gpgconf gpgsm initramfs-tools
  initramfs-tools-core klibc-utils libabsl20220623 libalgorithm-diff-perl libalgorithm-diff-xs-perl libalgorithm-merge-perl libaom3 libasan8 libassuan0 libatomic1
  libavif15 libbinutils libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libctf-nobfd0 libctf0 libdav1d6 libde265-0 libdeflate0 libdpkg-perl libfakeroot
  libfile-fcntllock-perl libfontconfig1 libfreetype6 libgav1-1 libgcc-12-dev libgd3 libgdbm-compat4 libgdbm6 libgomp1 libgprofng0 libheif1 libisl23 libitm1 libjbig0
  libjpeg62-turbo libklibc libksba8 liblerc4 liblsan0 libmagic-mgc libmagic1 libmpc3 libmpfr6 libnpth0 libnsl-dev libnuma1 libnvpair3linux libperl5.36 libpng16-16
  libpython3-stdlib libpython3.11-minimal libpython3.11-stdlib libquadmath0 librav1e0 libsqlite3-0 libstdc++-12-dev libsvtav1enc1 libtiff6 libtirpc-dev libtsan2
  libubsan1 libuutil3linux libwebp7 libx265-199 libxpm4 libyuv0 libzfs4linux libzpool5linux linux-base linux-compiler-gcc-12-x86 linux-headers-6.1.0-20-amd64
  linux-headers-6.1.0-20-common linux-headers-amd64 linux-image-6.1.0-20-amd64 linux-image-amd64 linux-kbuild-6.1 linux-libc-dev lsb-release make manpages manpages-dev
  media-types patch perl perl-modules-5.36 pinentry-curses python3 python3-distutils python3-lib2to3 python3-minimal python3.11 python3.11-minimal rpcsvc-proto sudo
  xz-utils zfs-dkms zfs-initramfs zfs-zed zfsutils-linux zstd
0 upgraded, 135 newly installed, 0 to remove and 10 not upgraded.
Need to get 194 MB of archives.
After this operation, 928 MB of additional disk space will be used.
[..]
update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64
Setting up zfs-initramfs (2.1.11-1) ...
Setting up zfs-zed (2.1.11-1) ...
Running in chroot, ignoring request.
Created symlink /etc/systemd/system/zed.service  /lib/systemd/system/zfs-zed.service.
Created symlink /etc/systemd/system/zfs.target.wants/zfs-zed.service  /lib/systemd/system/zfs-zed.service.
Processing triggers for initramfs-tools (0.142) ...
update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64

and do this

echo "REMAKE_INITRD=yes" > /etc/dkms/zfs.conf

enable systemd zfs services

root@debian:/# systemctl enable zfs.target
root@debian:/# systemctl enable zfs-import-cache
root@debian:/# systemctl enable zfs-mount
Synchronizing state of zfs-mount.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable zfs-mount
root@debian:/# systemctl enable zfs-import.target

configure initramfs

root@debian:/# echo "UMASK=0077" > /etc/initramfs-tools/conf.d/umask.conf

Because the encryption key is stored in the /etc/zfs directory, it will automatically be copied into the initramfs. rebuild intramfs

root@debian:/# update-initramfs -c -k all
update-initramfs: Generating /boot/initrd.img-6.1.0-20-amd64

2024-04-28: create encrypted swap

root@debian:/# echo "swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512" >> /etc/crypttab

verify

root@debian:/# cat /etc/crypttab
# <target name> <source device>     <key file>  <options>
swap /dev/disk/by-partlabel/swap /dev/urandom swap,offset=2048,cipher=aes-xts-plain64,size=512

This will map /dev/disk/by-partlabel/swap to /dev/mapper/swap as a swap partition that can be added in /etc/fstab like a normal swap. set up fstab

root@debian:/# cat /etc/fstab
/dev/nvme0n1p1 /boot/efi vfat defaults 0 0
/dev/mapper/swap none swap defaults 0 0
tmpfs /tmp tmpfs defaults,nosuid,nodev 0 0

mount efi

root@debian:/# mkdir -p /boot/efi
root@debian:/# mount /boot/efi

2024-04-28: install Debian

root@debian:~# debootstrap bookworm /mnt
I: Target architecture can be executed
I: Retrieving InRelease 
I: Checking Release signature
I: Valid Release signature (key id 4D64FEC119C2029067D6E791F8D2585B8783D481)
I: Retrieving Packages 
I: Validating Packages 
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Checking component main on http://deb.debian.org/debian...
I: Retrieving adduser 3.134
[..]
I: Configuring libc-bin...
I: Base system installed successfully.

copy files into the new install

root@debian:~# cp /etc/hostid /mnt/etc/
root@debian:~# cp /etc/resolv.conf /mnt/etc/
root@debian:~# mkdir /mnt/etc/zfs
root@debian:~# cp /etc/zfs/zroot.key /mnt/etc/zfs/

chroot into new os

root@debian:~# mount -t proc proc /mnt/proc
root@debian:~# mount -t sysfs sys /mnt/sys
root@debian:~# mount -B /dev /mnt/dev
root@debian:~# mount -t devpts pts /mnt/dev/pts
root@debian:~# chroot /mnt /bin/bash
root@debian:/# 

set hostname

root@debian:/# echo 'kg-pod530lin' > /etc/hostname
root@debian:/# echo -e '127.0.1.1\tkg-pod530lin' >> /etc/hosts

update /etc/apt/sources.list

root@debian:/# cat <<EOF > /etc/apt/sources.list
deb http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm main contrib non-free non-free-firmware

deb http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware
deb-src http://security.debian.org/debian-security bookworm-security main contrib non-free non-free-firmware

deb http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-updates main contrib non-free non-free-firmware

deb http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
deb-src http://deb.debian.org/debian/ bookworm-backports main contrib non-free non-free-firmware
EOF

and run apt update

root@debian:/# apt update
[..]
12 packages can be upgraded. Run 'apt list --upgradable' to see them.

apt - install additional base packages

root@debian:/# apt install console-setup cryptsetup curl dosfstools efibootmgr keyboard-configuration
Reading package lists... Done
Building dependency tree... Done
The following additional packages will be installed:
  ca-certificates console-setup-linux cryptsetup-bin kbd libbrotli1 libcurl4 libefiboot1 libefivar1 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5 librtmp1
  libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl publicsuffix xkb-data
Suggested packages:
  locales cryptsetup-initramfs keyutils libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql
The following NEW packages will be installed:
  ca-certificates console-setup console-setup-linux cryptsetup cryptsetup-bin curl dosfstools efibootmgr kbd keyboard-configuration libbrotli1 libcurl4 libefiboot1
  libefivar1 libldap-2.5-0 libldap-common libnghttp2-14 libpsl5 librtmp1 libsasl2-2 libsasl2-modules libsasl2-modules-db libssh2-1 openssl publicsuffix xkb-data
0 upgraded, 26 newly installed, 0 to remove and 12 not upgraded.
Need to get 7857 kB of archives.
After this operation, 25.3 MB of additional disk space will be used.
[..]
Setting up console-setup (1.221) ...
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
Processing triggers for libc-bin (2.36-9+deb12u4) ...
Processing triggers for ca-certificates (20230311) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

set timezone

root@debian:/# dpkg-reconfigure tzdata
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory

Current default time zone: 'Europe/Oslo'
Local time is now:      Sun Apr 28 17:17:20 CEST 2024.
Universal Time is now:  Sun Apr 28 15:17:20 UTC 2024.

configure locales

root@debian:/# dpkg-reconfigure locales
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
dpkg-query: package 'locales' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files.
/usr/sbin/dpkg-reconfigure: locales is not installed

aha - apt - fix it

root@debian:/# apt install locales
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  libc-bin libc-l10n libc6
Suggested packages:
  glibc-doc libnss-nis libnss-nisplus
Recommended packages:
  manpages
The following NEW packages will be installed:
  libc-l10n locales
The following packages will be upgraded:
  libc-bin libc6
2 upgraded, 2 newly installed, 0 to remove and 10 not upgraded.
Need to get 7936 kB of archives.
After this operation, 20.7 MB of additional disk space will be used.
[..]
Generating locales (this might take a while)...
Generation complete.

retry

root@debian:/# dpkg-reconfigure locales
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
    LANGUAGE = (unset),
    LC_ALL = (unset),
    LANG = "en_US.UTF-8"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
locale: Cannot set LC_CTYPE to default locale: No such file or directory
locale: Cannot set LC_MESSAGES to default locale: No such file or directory
locale: Cannot set LC_ALL to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_CTYPE to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_MESSAGES to default locale: No such file or directory
/usr/bin/locale: Cannot set LC_ALL to default locale: No such file or directory
Generating locales (this might take a while)...
  en_US.UTF-8... done
  nb_NO.UTF-8... done
Generation complete.

set console font

root@debian:/# dpkg-reconfigure console-setup
root@debian:/# setupcon
setupcon: We are not on the console, the console is left unconfigured.

keyboard setup

root@debian:/# dpkg-reconfigure keyboard-configuration

add a user

root@debian:/# adduser tingo
Adding user `tingo' ...
Adding new group `tingo' (1000) ...
Adding new user `tingo' (1000) with group `tingo (1000)' ...
Creating home directory `/home/tingo' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for tingo
Enter the new value, or press ENTER for the default
    Full Name []: Torfinn Ingolfsen
    Room Number []: 
    Work Phone []: 
    Home Phone []: 
    Other []: 
Is the information correct? [Y/n] 
Adding new user `tingo' to supplemental / extra groups `users' ...
Adding user `tingo' to group `users' ...

I added it to some more groups

root@debian:/# groups tingo
tingo : tingo adm lp dialout cdrom floppy sudo audio dip video plugdev users netdev

apt - install openssh-server

root@debian:/# apt install openssh-server
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session libcbor0.8 libdbus-1-3 libexpat1 libfido2-1 libnsl2 libpam-systemd
  libwrap0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term openssh-client openssh-sftp-server runit-helper ucf xauth
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard ufw
The following NEW packages will be installed:
  dbus dbus-bin dbus-daemon dbus-session-bus-common dbus-system-bus-common dbus-user-session libcbor0.8 libdbus-1-3 libexpat1 libfido2-1 libnsl2 libpam-systemd
  libwrap0 libx11-6 libx11-data libxau6 libxcb1 libxdmcp6 libxext6 libxmuu1 ncurses-term openssh-client openssh-server openssh-sftp-server runit-helper ucf xauth
0 upgraded, 27 newly installed, 0 to remove and 10 not upgraded.
Need to get 4,775 kB of archives.
After this operation, 19.8 MB of additional disk space will be used.
[..]
Setting up openssh-server (1:9.2p1-2+deb12u2) ...

Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:UQ/h42Hqk/HUOoX8MLqfLVb25IOLjKx1ZVej1EV9YzM root@debian (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:8vjFesYkjt4H6kury2HzmeHB6K12rH4giBZMYBFJf2U root@debian (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:OU4+ArV+LJ9dMScoDXHXK97wKjV8ywCqruXUc/S5N9Q root@debian (ED25519)
Running in chroot, ignoring request.
Created symlink /etc/systemd/system/sshd.service  /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service  /lib/systemd/system/ssh.service.
Setting up dbus-user-session (1.14.10-1~deb12u1) ...
Processing triggers for libc-bin (2.36-9+deb12u6) ...

2024-04-28: zfs - create filesystems first, set id

root@debian:~# source /etc/os-release
root@debian:~# export ID
root@debian:~# echo $ID
debian

then create filesystems

root@debian:~# zfs create -o mountpoint=none zroot/ROOT
root@debian:~# zfs create -o mountpoint=/ -o canmount=noauto zroot/ROOT/${ID}
root@debian:~# zfs create -o mountpoint=/home zroot/home

set preferred boot file system

root@debian:~# zpool set bootfs=zroot/ROOT/${ID} zroot

export and re-import the pool

root@debian:~# zpool export zroot
root@debian:~# zpool import -N -R /mnt zroot

mount root and /home

root@debian:~# zfs load-key -L prompt zroot
Enter passphrase for 'zroot':
root@debian:~# zfs mount zroot/ROOT/${ID}
root@debian:~# zfs mount zroot/home

verify mount points

root@debian:~# mount -t zfs
zroot/ROOT/debian on /mnt type zfs (rw,relatime,xattr,posixacl)
zroot/home on /mnt/home type zfs (rw,relatime,xattr,posixacl)

update device symlinks

root@debian:~# udevadm trigger

2024-04-28: zfs - create the pool

root@debian:~# zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posixacl  -O xattr=sa -O relatime=on -o autotrim=on -O encryption=aes-256-gcm -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -m none zroot "/dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83"
cannot create 'zroot': Passphrase too short (min 8).

ok, fix that

root@debian:~# zpool create -f -o ashift=12 -O compression=lz4 -O acltype=posixacl  -O xattr=sa -O relatime=on -o autotrim=on -O encryption=aes-256-gcm -O keylocation=file:///etc/zfs/zroot.key -O keyformat=passphrase -m none zroot "/dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83"

2024-04-28: set up a zfs passphrase to unlock the encrypted pool

# echo 'SomeKeyphrase' > /etc/zfs/zroot.key
root@debian:~# chmod 000 /etc/zfs/zroot.key

2024-04-28: zfs partition needs to be located by partuuid, to ensure that the zfs import doesn't fail. Baby steps

root@debian:~# blkid
/dev/nvme0n1p1: SEC_TYPE="msdos" UUID="8F86-1AF2" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="c1a2a7d6-d0d5-11ea-a01f-9ffdf410df40"
/dev/nvme0n1p3: UUID="5f2027ccb14aecab" BLOCK_SIZE="4096" TYPE="ufs" PARTUUID="182bde44-d0d6-11ea-a01f-9ffdf410df40"
/dev/sda1: BLOCK_SIZE="2048" UUID="2023-12-10-17-43-24-00" LABEL="d-live 12.4.0 xf amd64" TYPE="iso9660" PARTUUID="2d331e75-01"
/dev/loop0: TYPE="squashfs"
/dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"
/dev/nvme0n1p4: PARTLABEL="swap" PARTUUID="c505c44e-c36e-4913-905b-2048e195e6f5"
/dev/nvme0n1p2: PARTUUID="e1424b7a-d0d5-11ea-a01f-9ffdf410df40"
/dev/sda2: SEC_TYPE="msdos" UUID="6575-F8BC" BLOCK_SIZE="512" TYPE="vfat" PARTUUID="2d331e75-02"

get the pool partition

root@debian:~# blkid | grep /dev/nvme0n1p5
/dev/nvme0n1p5: PARTLABEL="pool" PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"

step

root@debian:~# blkid | grep /dev/nvme0n1p5 | cut -d ' ' -f 3
PARTUUID="245b8887-fe70-468e-b937-746f73cfee83"

by step

root@debian:~# blkid | grep /dev/nvme0n1p5 | cut -d ' ' -f 3 | cut -d '"' -f 2
245b8887-fe70-468e-b937-746f73cfee83

so the correct line is

root@debian:~# ls -l /dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83
lrwxrwxrwx 1 root root 15 Apr 28 14:01 /dev/disk/by-partuuid/245b8887-fe70-468e-b937-746f73cfee83 -> ../../nvme0n1p5

2024-04-28: situation now

root@debian:~# lsblk
NAME        MAJ:MIN RM   SIZE RO TYPE MOUNTPOINTS
loop0         7:0    0   2.5G  1 loop /usr/lib/live/mount/rootfs/filesystem.squashfs
                                      /run/live/rootfs/filesystem.squashfs
sda           8:0    1   7.5G  0 disk 
├─sda1        8:1    1     3G  0 part /usr/lib/live/mount/medium
│                                     /run/live/medium
└─sda2        8:2    1     5M  0 part 
nvme0n1     259:0    0 119.2G  0 disk 
├─nvme0n1p1 259:6    0   200M  0 part 
├─nvme0n1p2 259:7    0     4G  0 part 
├─nvme0n1p3 259:8    0    55G  0 part 
├─nvme0n1p4 259:9    0     4G  0 part 
└─nvme0n1p5 259:10   0    56G  0 part 

so /dev/nvme0n1p5 is the pool partition.

2024-04-28: create a swap partition

root@debian:~# sgdisk -n "4:0:+4g" -t "4:8200" -c 0:swap "/dev/nvme0n1"
The operation has completed successfully.

verify

root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX                         
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 117539437 sectors (56.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640         8798247   4.0 GiB     A502  
   3         8798248       124141607   55.0 GiB    A503  
   4       124141608       132530215   4.0 GiB     8200  swap

create a partition for the zfs pool

root@debian:~# sgdisk -n "5:0:-10m" -t "5:bf00" -c 0:pool "/dev/nvme0n1"
The operation has completed successfully.

verify

root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX                         
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 20486 sectors (10.0 MiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640         8798247   4.0 GiB     A502  
   3         8798248       124141607   55.0 GiB    A503  
   4       124141608       132530215   4.0 GiB     8200  swap
   5       132530216       250049166   56.0 GiB    BF00  pool

2024-04-28: I booted Debian from a live usb stick, and intend to install Debian with root on zfs, and encrypted, and still have it dual boot with FreeBSD.

root@debian:~# sgdisk -p /dev/nvme0n1
Disk /dev/nvme0n1: 250069680 sectors, 119.2 GiB
Model: RPFTJ128PDD2EWX                         
Sector size (logical/physical): 512/512 bytes
Disk identifier (GUID): F891D804-265E-42D8-BF50-78240F5C4180
Partition table holds up to 128 entries
Main partition table begins at sector 2 and ends at sector 33
First usable sector is 34, last usable sector is 250069646
Partitions will be aligned on 8-sector boundaries
Total free space is 125928045 sectors (60.0 GiB)

Number  Start (sector)    End (sector)  Size       Code  Name
   1              40          409639   200.0 MiB   EF00  
   2          409640         8798247   4.0 GiB     A502  
   3         8798248       124141607   55.0 GiB    A503  

running sgdisk to print out the existing partiion table on the internal ssd, there is 60 GB free space. EF00 is the EFI partion, A502 is FreeBSD swap, A503 is FreeBSD UFS.