With Secure Boot enabled, and if you are generating your own GRUB image, with a manual grub-install invocation, you must include the "peimage" module. This is included with the default setup installed by the packaging.
On Wed, Feb 11, 2026 at 1:37 PM horsey_guy <[email protected]> wrote: > > On Wednesday, February 11th, 2026 at 2:17 AM, Mate Kukri > <[email protected]> wrote: > > > Can you provide more information about the system this runs on? > `uname -a`: > ``` > Linux horsey-guy-debian-lenovo 6.19-amd64 #1 SMP PREEMPT_DYNAMIC Debian > 6.19~rc8-1~exp1 (2026-02-02) x86_64 GNU/Linux > ``` > > Secure boot was enabled the whole time. > > `lsblk -o NAME,FSTYPE,FSVER,LABEL,MOUNTPOINTS`: > ``` > NAME FSTYPE FSVER LABEL MOUNTPOINTS > sda > > ├─sda1 exfat 1.0 Ventoy > > ├─sda2 vfat FAT16 VTOYEFI > > └─sda3 crypto_LUKS 2 > > zram0 swap 1 [SWAP] > nvme0n1 > > ├─nvme0n1p1 vfat FAT32 SYSTEM_DRV /boot/efi > ├─nvme0n1p2 crypto_LUKS 2 Debian > > │ └─debian_crypt btrfs debian /var/log > │ /var/lib/libvirt > │ /opt > │ /home > │ /boot > │ / > └─nvme0n1p3 crypto_LUKS 2 > > └─cryptswap swap 1 cryptswap [SWAP] > > ``` > `/etc/default/grub` (UUID was replaced with angle brackets and their > descriptions): > ``` > # If you change this file, run 'update-grub' afterwards to update > # /boot/grub/grub.cfg. > # For full documentation of the options in this file, see: > # info -f grub -n 'Simple configuration' > > GRUB_DEFAULT=0 > GRUB_TIMEOUT=5 > GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian` > #GRUB_CMDLINE_LINUX_DEFAULT="intel_iommu=on iommu=pt efi=runtime > i915.enable_guc=2 xe.force_probe='a7a1' i915.force_probe='!a7a1' xe.max_vfs=7 > i915.max_vfs=7" > > GRUB_CMDLINE_LINUX_DEFAULT="" > > GRUB_CMDLINE_LINUX="cryptdevice=UUID=<LUKS2 encrypted partition's > UUID>:debian_crypt root=UUID=</dev/mapper/debian_crypt's UUID> > rd.luks.name=</dev/mapper/debian_crypt's UUID>=debian_crypt > rd.luks.options=</dev/mapper/debian_crypt's > UUID>=tpm2-device=auto,password-echo=no,tries=1 rootflags=rw,subvol=@rootfs > intel_iommu=on iommu=pt efi=runtime i915.enable_guc=2 zswap.enabled=0" > > # If your computer has multiple operating systems installed, then you > # probably want to run os-prober. However, if your computer is a host > # for guest OSes installed via LVM or raw disk devices, running > # os-prober can cause damage to those guest OSes as it mounts > # filesystems to look for things. > #GRUB_DISABLE_OS_PROBER=false > > # Uncomment to enable BadRAM filtering, modify to suit your needs > # This works with Linux (no patch required) and with any kernel that obtains > # the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...) > #GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef" > > # Uncomment to disable graphical terminal > #GRUB_TERMINAL=console > > # The resolution used on graphical terminal > # note that you can use only modes which your graphic card supports via VBE > # you can see them in real GRUB with the command `vbeinfo' > GRUB_GFXMODE=1920x1080,auto > > # Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux > #GRUB_DISABLE_LINUX_UUID=true > > # Uncomment to disable generation of recovery mode menu entries > #GRUB_DISABLE_RECOVERY="true" > > # Uncomment to get a beep at grub start > #GRUB_INIT_TUNE="480 440 1" > > # Specify theme directory > GRUB_THEME="/boot/grub/themes/vimix/theme.txt" > > # Enable cryptodisk in case it is needed > GRUB_ENABLE_CRYPTODISK=y > > GRUB_PRELOAD_MODULES="part_gpt btrfs cryptodisk luks2" > ``` > > > Additionally what image was this installation derived from? And how > > did you install the GRUB2 binary? > What image do you mean? The Linux kernel is version 6.19. > > The command to install GRUB2 was `grub-install --uefi-secure-boot > --boot-directory=/boot --efi-directory=/boot/efi > --directory=/usr/lib/grub/x86_64-efi --themes=vimix --modules="luks2 > gcry_sha512 gcry_sha256 pbkdf2 cryptodisk argon2" --target=x86_64-efi > --bootloader-id=debian /dev/nvme0n1p1 --recheck`
