Bug#1134708: grub-common: 30_uefi-firmware runs on BIOS/MBR systems producing unbootable configuration

Donald Teed donald.teed at gmail.com
Thu Apr 23 14:21:19 BST 2026 

Package: grub-common
Version: 2.12-9+deb13u1
Severity: important

Dear Maintainer,

During an in-place upgrade from Debian 12 (bookworm) to Debian 13 (trixie)
on a Hyper-V Generation 1 virtual machine (BIOS/MBR, no EFI firmware),
the system was rendered unbootable after grub-common was upgraded and
update-grub was run as part of the post-install process.

The root cause is that /etc/grub.d/30_uefi-firmware is installed executable
by grub-common and is unconditionally executed by grub-mkconfig regardless
of whether the running system has UEFI firmware. On this BIOS/MBR system,
the script generated a "UEFI Firmware Settings" entry in grub.cfg which
caused the boot process to stall after the GRUB banner, leaving the system
unbootable.

I expect this is reproducible on any BIOS/MBR system where grub-common is
installed,
including legacy-mode virtual machines and older physical hardware, whenever
update-grub is run.

The script /etc/grub.d/30_uefi-firmware contains a check for $grub_platform
being "efi", however this is a GRUB environment variable evaluated at boot
time, not at config-generation time. It therefore does not prevent the
problematic menu entry from being written into grub.cfg on BIOS systems.

The fix is straightforward — add an OS-level guard as the first line of
/etc/grub.d/30_uefi-firmware:

  [ -d /sys/firmware/efi ] || exit 0

This check is evaluated when grub-mkconfig runs, which is the correct
moment. If /sys/firmware/efi does not exist, the system is not UEFI and
the script should take no action.

Workaround applied on the affected system:

  chmod -x /etc/grub.d/30_uefi-firmware

Further to the workaround... to prevent future grub-common upgrades from
restoring the execute bit and
reintroducing the problem, the following apt hook was also added:

  echo 'DPkg::Post-Invoke {"chmod -x /etc/grub.d/30_uefi-firmware ||
true;";};' \
    > /etc/apt/apt.conf.d/99-disable-uefi-grub-entry

Note: This bug is distinct from #1058818, which concerns fwsetup
--is-supported not being recognised by older GRUB binaries on UEFI systems.
This bug concerns the script running at all on non-UEFI systems during
config generation.

-- System Information:
Debian Release: 13 (trixie)
Architecture: amd64
Kernel: Linux 6.12.74+deb13+1-amd64
Hypervisor: Microsoft Hyper-V Generation 1 (BIOS/MBR, no EFI)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-grub-devel/attachments/20260423/1a910ab9/attachment.htm>

More information about the Pkg-grub-devel mailing list