From 7f15543f1c3932a8f29c78243768556b6763f663 Mon Sep 17 00:00:00 2001 From: Daniel Maksymilian Syrnicki Date: Mon, 13 Apr 2026 23:57:54 +0200 Subject: [PATCH] docs: capture UEFI + Secure Boot gotchas in iso/README.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These two cost us real time tonight — SeaBIOS failing at ldlinux.c32, then OVMF rejecting our unsigned GRUB with "Access Denied" until we disabled Secure Boot in the firmware setup menu. Also flagged the silent browser-upload truncation and the two known drive-list bugs surfaced during the first live boot. Co-Authored-By: Claude Opus 4.6 (1M context) --- iso/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/iso/README.md b/iso/README.md index 764178c..6ba2fdd 100644 --- a/iso/README.md +++ b/iso/README.md @@ -34,9 +34,11 @@ mDNS (`proksi.local`) via avahi is installed but not yet wired. First milestone ## Test flow 1. Build: `./iso/build.sh` -2. Copy the ISO to your Proxmox host's ISO storage (typically `/var/lib/vz/template/iso/`) +2. Copy the ISO to your Proxmox host's ISO storage (typically `/var/lib/vz/template/iso/`). Browser uploads of 1.5 GB truncate silently — prefer `scp` over the Proxmox WebUI. 3. Create a VM with: - 2 vCPU, 4 GB RAM, 20 GB disk (empty) + - **BIOS: OVMF (UEFI)**, add EFI Disk on `local-lvm`. SeaBIOS fails to load `ldlinux.c32` from our ISO; only the UEFI path works reliably. + - **Secure Boot disabled**. Our GRUB isn't signed, so Secure Boot rejects it with `Access Denied`. Either boot into OVMF setup (Esc during boot) → Device Manager → Secure Boot Configuration → Attempt Secure Boot [ ] → F10 → reboot. Or remove the EFI Disk and re-add it with "Pre-Enroll keys" unchecked. - CD-ROM attached with the Furtka ISO - Boot order: CD before disk - Network: same bridge as your LAN, DHCP 
@@ -50,3 +52,5 @@ mDNS (`proksi.local`) via avahi is installed but not yet wired. First milestone - **Flask `/` route** returns "Hello World" instead of redirecting to `/install/step1`. Harmless but surprising; will be cleaned up when we wire up screens 4–8. - **No HTTPS yet**. The Furtka plan is "local CA + green padlock on `https://proksi.local`" — that's a later milestone. For now, plain HTTP. - **archinstall is not invoked**. The wizard collects input but doesn't write to disk yet. Still a walking skeleton, not an installer. +- **Drive list includes `/dev/loop0` and `/dev/sr0`**. `/dev/loop0` is the live ISO's own squashfs mounted in RAM; `/dev/sr0` is the CD-ROM itself. Both appear as install targets, which is wrong. Filter lives in `webinstaller/drives.py` and hasn't been added yet. +- **GRUB menu still says "Arch Linux install medium"**. We inherit releng's bootloader config. Cosmetic, fix when we care about end-user polish.
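Review bot: In step 2 of the "Test flow" hunk, the new sentence says browser uploads "truncate silently" and recommends `scp`, but gives the reader no way to confirm the ISO on the Proxmox host is intact. Since the failure is silent, add a verification step before VM creation, for example comparing the `sha256sum` of the built ISO with that of the copy under `/var/lib/vz/template/iso/`. The phrase "uploads of 1.5 GB" also leaves it unclear whether 1.5 GB is this ISO's size or a threshold. In the Secure Boot bullet, the "Either ... Or" alternatives are split across two sentences inside a single list item; a nested two-item list would be easier to follow. It would also help to state that the setting applies to this test VM only, and that it exists because GRUB is unsigned, so the step can be removed once a signed bootloader is in place.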
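Review bot: In the drive-list bullet of the second hunk, "Filter lives in `webinstaller/drives.py` and hasn't been added yet" contradicts itself: a filter that has not been added does not live anywhere yet. Suggest "The filter belongs in `webinstaller/drives.py` and hasn't been added yet". The neighbouring context line says the wizard "doesn't write to disk yet", so offering `/dev/loop0` and `/dev/sr0` as install targets is harmless today. The bullet should say that the filter has to land before archinstall is wired up, so the ordering is documented alongside the bug.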