Create custom boot entries in installer

os/layers/training-installer/includes.chroot/usr/local/bin/install-config

@@ -2,6 +2,60 @@
 
 set -eu
 
+# We preseed grub-installer/update-nvram to disable creation of
+# EFI boot entries by grub and instead do it ourselves here.
+#
+# The main reason why we do this is that with the grub-created boot entry,
+# Dell Latitude 7480 laptops no longer boot Debian from internal disk after
+# having booted from USB stick. This apparently happens because, when a bootable
+# USB stick is inserted, the firmware can no longer find the debian EFI file
+# (it's probably looking at the wrong EFI partition, the one on the USB stick),
+# and then enters boot option recovery, which finds the BOOTx64.EFI on the USB
+# stick, and then creates a boot entry for that and sets the bootorder to just
+# that new entry. After that, the debian boot entry is no longer in the
+# bootorder, so booting fails after removing the USB stick.
+# Additionally, it is convenient if laptops boot from USB stick automatically,
+# without needing to enter the boot menu.
+#
+# To solve these problems, we create a boot entry for USB sticks, which is tried
+# first, and one for Debian on the internal disk.
+# We create path-only boot entries, which apparently work more reliably than
+# entries which also specify the disk.
+# We use hardcoded entry numbers to avoid needing to find available numbers and
+# clean up old entries.
+
+# Try mounting efivarfs
+mountvirtfs () {
+	fstype="$1"
+	path="$2"
+	mkdir -p "$path"
+	if mount -t "$fstype" "$fstype" "$path"; then
+		trap "umount $path" HUP INT QUIT KILL PIPE TERM EXIT
+	fi
+}
+mountvirtfs efivarfs /sys/firmware/efi/efivars
+
+# Check if EFI boot is available
+if efibootmgr --quiet; then
+  efibootmgr --delete-bootorder || true
+  efibootmgr --bootnum 0150 --delete-bootnum || true
+  efibootmgr --bootnum 0151 --delete-bootnum || true
+
+  # efibootmgr --create-only --bootnum 0150 --label "Removable media" --file-dev-path --loader '\EFI\BOOT\BOOTx64.EFI'
+  # efibootmgr --create-only --bootnum 0151 --label "Debian" --file-dev-path --loader '\EFI\debian\shimx64.efi'
+
+  # The version of efibootmgr in bookworm does not support the --file-dev-path
+  # argument, so here are commands that directly write to efivarfs.
+  # When upgrading from bookworm to trixie, remove the commands below and
+  # uncomment the commands above.
+  echo "BwAAAAEAAAA0AFIAZQBtAG8AdgBhAGIAbABlACAAbQBlAGQAaQBhAAAABAQwAFwARQBGAEkAXABCAE8ATwBUAFwAQgBPAE8AVAB4ADYANAAuAEUARgBJAAAAf/8EAA==" | \
+    base64 --decode - > /sys/firmware/efi/efivars/Boot0150-8be4df61-93ca-11d2-aa0d-00e098032b8c
+  echo "BwAAAAEAAAA4AEQAZQBiAGkAYQBuAAAABAQ0AFwARQBGAEkAXABkAGUAYgBpAGEAbgBcAHMAaABpAG0AeAA2ADQALgBlAGYAaQAAAH//BAA=" | \
+    base64 --decode - > /sys/firmware/efi/efivars/Boot0151-8be4df61-93ca-11d2-aa0d-00e098032b8c
+
+  efibootmgr --bootorder 0150,0151
+fi
+
 # Set up apt lists.
 cp -rT /usr/local/share/target-sources /etc/apt/sources.list.d
 rm /etc/apt/sources.list

os/layers/training-installer/includes.installer/preseed.cfg

@@ -24,5 +24,6 @@ d-i partman/choose_partition select finish
 d-i apt-setup/use_mirror boolean false
 
 d-i grub-installer/only_debian boolean true
+d-i grub-installer/update-nvram boolean false
 
 d-i preseed/late_command string in-target /usr/local/bin/install-config

os/layers/training-installer/package-lists/training-installer.list.chroot

@@ -3,6 +3,9 @@ sudo
 # Make Secure Boot work
 grub-efi-amd64-signed
 
+# Tool for setting EFI boot variables during install
+efibootmgr
+
 # Firmware updates through gnome-software
 fwupd fwupd-signed