Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

Boot loader disappears after locking and unlocking the drive. #424

Open dennyh opened 1 year ago

dennyh commented 1 year ago

I have a Samsung SSD 840 EVO that supports OPAL 2. First I installed Debian 11, then I followed the instructions at Encrypting your drive. I installed the BIOS PBA image BIOS32.img on the SSD connected to a PC that does not support UEFI, Motherboard: Asus striker II formula. That seemed to work as intended. I PSID reset the drive, working as expected. I then decided to move the drive to another computer and repeat the process. I am now on the motherboard (MSI P67A-GD65 (B3)). This one does have support for UEFI. So I again installed Debian 11 and followed the instructions to install the PBA, UEFI64.img, to the same drive.

Now I ran into problems. It seems that every time I lock the drive I lose Debian's UEFI boot loader, GRUB. It is no longer showing up as a bootable UEFI program. I reinstalled GRUB a few times with the Debian installer rescue mode, but I could not get it to stick around after a power cycle when locking was also enabled. I tried installing the BIOS32.img PBA instead and that made no difference.

I am wondering what is happening here. What can I do to figure this one out?

gohrner commented 1 year ago

@dennyh: I often manually have to set the correct default boot entry using efibootmgr on Linux-only machines.

Otherwise, it won't boot - it will load the fallback boot loader in EFI/boot and get stuck.

The UEFIs on my machines support a "boot from file" option where I can manually select the (in my case) Ubuntu boot loader on the EFI partition to boot the freshly installed system, and then I can use efibootmgr to point the default boot to it.

Maybe this helps?

dennyh commented 1 year ago

I messed around a little with efibootmgr that @gohrner mentioned. I made another boot entry in the UEFI boot manager and pointed it to grubx64.efi and made it default, instead of the previous default, shimx64.efi. I thought that perhaps shim was introducing some issue related to sedutil's incompatibility with secure boot. (As far as I can tell; secure boot is disabled on my system.) I performed a warm reboot and tested this new boot entry and it worked as expected. I now had two entries for launching the boot loader.

However, as soon as I did a cold restart and unlocked the drive, both entries were gone from the boot manager. I assume my UEFI can't find the partition or files, or they are otherwise deemed corrupt, maybe. I booted Windows and I can see the three expected partitions: ESP, system and swap. I could not find any boot-from-file function in my UEFI. There is the UEFI Shell, but I am unsure how to use it to manually boot GRUB. Next, I guess I will try to boot a rescue shell and re-add the boot entries to the UEFI boot manager, after having unlocked the drive.

Edit: I successfully launched shim from the UEFI shell after unlocking the drive. It did its thing and got Debian up and running. Now I know that it works and that it's just the UEFI boot menu not showing/generating the entry for some reason.
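As an added example (not code from the sedutil project or either commenter): a POSIX shell script that checks `efibootmgr -v` output for the Debian loader entry that vanishes after a cold boot and unlock, and prints the efibootmgr call gohrner's approach uses to re-create it, the re-adding step dennyh plans to try from a rescue shell. It assumes the ESP is partition 1 of /dev/sda and the loader path is \EFI\debian\shimx64.efi; both efibootmgr outputs are constructed samples.

```shell
#!/bin/sh
# Added example, not code from the sedutil project: parse `efibootmgr -v`
# output to tell whether a UEFI boot entry for a given loader still exists,
# and print the efibootmgr command that would re-create it when it is gone.
# Assumptions (adjust to your layout): the ESP is partition 1 of /dev/sda and
# the Debian loader is \EFI\debian\shimx64.efi.

# Constructed sample: entries after a cold boot and OPAL unlock, Debian gone
SAMPLE_AFTER_UNLOCK='BootCurrent: 0001
Timeout: 1 seconds
BootOrder: 0001,0000
Boot0000* UEFI OS  HD(1,GPT,0f0e0d0c-0b0a-0908-0706-050403020100,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0001* UEFI: Built-in EFI Shell  FvVol(...)/FvFile(...)'

# Constructed sample: the Debian entry is present and first in BootOrder
SAMPLE_OK='BootCurrent: 0002
BootOrder: 0002,0000
Boot0000* UEFI OS  HD(1,GPT,0f0e0d0c-0b0a-0908-0706-050403020100,0x800,0x100000)/File(\EFI\BOOT\BOOTX64.EFI)
Boot0002* debian  HD(1,GPT,0f0e0d0c-0b0a-0908-0706-050403020100,0x800,0x100000)/File(\EFI\debian\shimx64.efi)'

# entry_id OUTPUT LOADER: print the Boot#### id whose device path ends in LOADER
entry_id() {
    printf '%s\n' "$1" | grep -i -F -- "File($2)" \
        | sed -n 's/^\(Boot[0-9A-Fa-f]\{4\}\).*/\1/p' | head -n 1
}

# has_entry OUTPUT LOADER: succeed when such an entry exists
has_entry() {
    [ -n "$(entry_id "$1" "$2")" ]
}

# restore_cmd DISK PART LOADER LABEL: the efibootmgr call that re-adds the entry
restore_cmd() {
    printf "efibootmgr --create --disk %s --part %s --loader '%s' --label '%s'\n" \
        "$1" "$2" "$3" "$4"
}

# check_boot_entry OUTPUT LOADER: report, and advise how to restore when missing
check_boot_entry() {
    if has_entry "$1" "$2"; then
        echo "present as $(entry_id "$1" "$2")"
        return 0
    fi
    echo "missing: $2; re-add it from a rescue shell with:"
    restore_cmd /dev/sda 1 "$2" debian
    return 1
}

# Against live firmware variables: check_boot_entry "$(efibootmgr -v)" '\EFI\debian\shimx64.efi'
check_boot_entry "$SAMPLE_AFTER_UNLOCK" '\EFI\debian\shimx64.efi' || true
check_boot_entry "$SAMPLE_OK" '\EFI\debian\shimx64.efi'
```

After re-creating the entry, `efibootmgr --bootorder` puts it first; if it vanishes again on the next cold boot, the firmware is discarding the variable and the fallback \EFI\BOOT\BOOTX64.EFI path is the workaround.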