Package: debian-installer
Severity: minor
Boot method: USB stick
Image version: debian-bookworm-DI-rc1-amd64-netinst.iso
Boot mode: UEFI
When secure boot is disabled, GRUB displays the menu in graphic mode as
expected.
When secure boot is enabled, GRUB briefly displays error messages:
prohibited by secure boot policy
no video mode activated
and displays the menu in text mode.
This is caused by loadfont failing in /boot/grub/grub.cfg:
if loadfont $prefix/font.pf2 ; then
set gfxmode=800x600
set gfxpayload=keep
insmod efi_gop
insmod efi_uga
insmod video_bochs
insmod video_cirrus
insmod gfxterm
insmod png
terminal_output gfxterm
fi
A recent change in grub prohibits loading fonts from outside the signed
image, so loadfont was adapted to try and load the requested font from
the embedded memdisk first instead of $prefix.
If I understand correctly, loadfont allows two types of arguments:
- a radix, which is expanded into $prefix/fonts/<radix>.pf2
- a pathname starting with / or (
The "magic" looking up (memdisk) first instead of $prefix works only
with a radix whereas grub.cfg uses a full pathname. Also, it tries to
load font.pf2 whereas the embedded font file is unicode.pf2.
I tested to replace "$prefix/font.pf2" with "unicode" or
"(memdisk)/fonts/unicode.pf2" in /boot/grub/grub.cfg and the graphical
menu was back. Actually, if I remove the loadfont command and the 'if'
condition, as far as I can see the graphical menu is displayed
correctly, except the border frame replaced by "?" in the menu entry
editor, so maybe the condition could be removed.
PS: Maybe the issue also exists in live images ? Didn't check.
