Keep in mind that the Micah Lee link from 2014 is for a BIOS/MBR install; UEFI/GPT is a different story.
Background -
On a UEFI-booted system, there is the EFI System Partition (ESP). This is a FAT32 partition that stores the EFI bootloaders (*.efi) for the installed operating system(s). When your computer boots, the UEFI BIOS will look for the ESP and execute the .efi file that is configured according to the boot order. The ESP is typically small and only contains .efi files. There is (or should be) only one ESP on a given disk.
The files actually needed to load the operating system are stored on a “boot” partition. In the case of Debian or typical Linux distributions, the boot partition contains the Linux kernel and initial ramdisk files at minimum. In the case of Qubes OS, the boot partition also contains the Xen hypervisor.
With Qubes R4.1, Qubes will install the GRUB2 bootloader as grubx64.efi to the ESP. The GRUB2 EFI loader references the grub.cfg file to figure out what to do next. grub.cfg tells the loader where to find Qubes’ “boot” partition, and to load Xen, the Linux kernel, and the initial ramdisk and execute them. Once the Linux kernel executes, it relies on the initial ramdisk to unlock the big partition with all your encrypted data and subsequently mount the “root” filesystem to access all the rest of your programs and data.
Therefore a typical Qubes R4.1 install on a UEFI-booted system with GRUB2 consists of:
- EFI System Partition (ESP): grubx64.efi, grub.cfg, other OS .efi files
- “boot” partition: Xen, kernel, initramfs/initrd
- “root” partition: most of your data, generally LUKS-encrypted
Assuming your system has booted up fully, the mountpoints look like this:
/ (root partition)
/boot (boot partition)
/boot/efi (ESP)
If you simply wanted to add another (GNU/Linux) operating system, you’d have another root partition, another boot partition, and an additional .efi bootloader file installed to the ESP. This would mean your disk would have 5 partitions, for example:
/dev/sda1 (ESP, Qubes' \EFI\qubes\grubx64.efi, Debian's \EFI\debian\grubx64.efi)
/dev/sda2 (Qubes OS boot partition)
/dev/sda3 (Qubes OS LUKS-encrypted root partition)
/dev/sda4 (Debian boot partition)
/dev/sda5 (Debian LUKS-encrypted root partition)
In theory, you could consolidate both boot partitions into one, but this is not recommended since you’d want to keep the different OSes as isolated as possible considering you’ve accepted the risk of dual booting. To reinforce, dual booting is not recommended because let’s say you run malware while Debian is up. It could overwrite anything in the ESP or Qubes’ boot partition, essentially performing an “evil maid” attack, capturing your disk passphrase. The same can be said for Qubes overwriting Debian, though the barrier is higher if the threat we’re talking about is “malware from the internet”, or “I ran a command under Debian but accidentally specified the wrong partition and now Qubes doesn’t boot”.
Once you have all the partitions and OSes installed, you have to worry about how you boot each OS. UEFI makes this a lot easier as you can use efibootmgr to install the correct entries into your UEFI BIOS NVRAM. As long as you have one entry pointing to Qubes’ grubx64.efi and another entry pointing to Debian’s grubx64.efi, you can make Qubes the default and use your BIOS’ boot menu hotkey to run Debian.
You can get fancy and chainload the Debian GRUB2 .efi from Qubes’ GRUB menu, but I’ll leave that as an exercise for the reader since it gets into having one OS know about the other.
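
Added example, not part of the original post: since either OS can write to the shared ESP and to the other's unencrypted boot partition, a SHA-256 baseline of those mountpoints is one way to notice a change. The function names and the manifest path `/root/esp.sha256` are hypothetical, and the check assumes the manifest is stored where the other OS cannot write (for instance inside the LUKS-encrypted root).

```shell
#!/bin/sh
# Added example (not the poster's code): hash baseline for the ESP and the
# boot partition, to detect files changed while another OS was running.
# Assumption: the manifest lives on storage the other OS cannot modify.

# make_manifest DIR
# Print "sha256  ./relative/path" for every regular file under DIR,
# in a stable order so two runs can be compared line by line.
make_manifest() (
    cd "$1" || exit 2
    find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum
)

# verify_manifest DIR MANIFEST
# Exit 0 if DIR still matches MANIFEST, 1 if anything differs.
# Lines starting with "<" exist only in the baseline (modified or removed);
# lines starting with ">" exist only on disk now (modified or newly added,
# e.g. an extra .efi loader dropped into the ESP).
verify_manifest() (
    now=$(mktemp) || exit 2
    make_manifest "$1" > "$now" || { rm -f "$now"; exit 2; }
    rc=0
    diff "$2" "$now" | grep '^[<>]' && rc=1
    rm -f "$now"
    exit "$rc"
)

# Usage, as root, with the mountpoints named in the post:
#   make_manifest /boot/efi > /root/esp.sha256     # record baseline
#   verify_manifest /boot/efi /root/esp.sha256     # check after booting Debian
# Repeat with /boot for the Xen, kernel and initramfs files, and re-record
# the baseline after every legitimate kernel or GRUB update.
```

A check run from an OS whose boot chain was already replaced cannot be trusted to report honestly, so this catches tampering by the other OS but is no substitute for measured boot.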