install_aem: Update instructions for Legacy & UEFI support

philipanda · philipanda · commit 539988c50ce1 · 2025-04-04T17:48:55.000+02:00
Signed-off-by: Filip Gołaś &lt;filip.golas@3mdeb.com&gt;
diff --git a/docs/user-docs/install_aem.md b/docs/user-docs/install_aem.md
@@ -42,11 +42,13 @@ potentially in newer versions, those must be temporarily disabled during
 invocation of `qubes-dom0-update`, as shown in the following commands. If any
 of the packages that are part of AEM are updated in standard repos, you will
 have to choose between using new versions or having working AEM, at least until
-new AEM release is published or the code gets merged upstream. If you decide to
+new AEM release is published, or the code gets merged upstream. If you decide to
 restore AEM after an update broke it, you will have to repeat the installation
 of overwritten package with `--action=reinstall` added to `qubes-dom0-update`,
 if it wasn’t present before.
 
+#### Qubes repository dependencies
+
 Start by installing prerequisite packages. Those are not part of newly added
 repository, but `qubes-dom0-current-testing`:
 
@@ -60,18 +62,35 @@ sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing \
     tpm-tools
 ```
 
+#### AEM repository dependencies
+
 Next set of new packages comes from AEM repository, to avoid conflicts other
 repositories are disabled for this call:
 
 ```bash
 sudo qubes-dom0-update --disablerepo="*" --enablerepo=aem \
-    grub2-tools-extra \
+    grub2-tools-extra
+```
+
+##### AMD systems dependencies
+
+This package is only needed on AMD systems:
+
+```bash
+sudo qubes-dom0-update --disablerepo="*" --enablerepo=aem \
     secure-kernel-loader
 ```
 
-This is followed by reinstalling additional packages. A reinstall is required
+#### AEM repository dependencies to reinstall
+
+This is followed by reinstalling additional packages. A reinstallation is required
 because currently installed version is equal (or it may be higher in the future)
-than those provided by AEM.
+than those provided by AEM. A couple of GRUB packages differ slightly
+depending on whether you use a legacy or UEFI BIOS:
+
+##### Legacy Systems
+
+If your system has a legacy BIOS, reinstall these packages:
 
 ```bash
 sudo qubes-dom0-update --disablerepo="*" --enablerepo=aem --action=reinstall \
@@ -88,18 +107,45 @@ sudo qubes-dom0-update --disablerepo="*" --enablerepo=aem --action=reinstall \
     grub2-tools-minimal
 ```
 
-### Updating GRUB
+###### Updating GRUB on legacy systems
+
+Booting on legacy systems requires manual installation of GRUB2 to the MBR
+of disk where Qubes OS is stored. In the example below it is `/dev/sda`,
+yours may be different.
 
-Booting on legacy systems (AEM currently doesn’t support UEFI) requires manual
-installation of GRUB2 to the MBR of disk where Qubes OS is stored. In the
-example below it is `/dev/sda`, yours may be different. Remember that GRUB2
-must be installed on disk and not on partition, so don’t use `sda1`, `nvme0n1p1`
-etc.
+To check on which partition is your OS installed run:
+
+```bash
+df --output=source /
+```
+
+Remember that GRUB2 must be installed on disk and
+not on partition, so don’t use `sda1`, `nvme0n1p1` etc. This step should be
+skipped on UEFI systems.
 
 ```bash
 sudo grub2-install /dev/sda
 ```
 
+##### UEFI Systems
+
+If your system has an UEFI BIOS, install these packages instead:
+
+```bash
+sudo qubes-dom0-update --disablerepo="*" --enablerepo=aem --action=reinstall \
+    python3-xen \
+    xen \
+    xen-hypervisor \
+    xen-libs \
+    xen-licenses \
+    xen-runtime \
+    grub2-common \
+    grub2-efi-x64 \
+    grub2-efi-x64-modules \
+    grub2-tools \
+    grub2-tools-minimal
+```
+
 ### Installing main AEM package
 
 Finally, `anti-evil-maid` package may be installed:
@@ -134,7 +180,14 @@ again.
 Now all that's left is proper installation of AEM. There are different options,
 refer to `anti-evil-maid-install -h` for examples. In the simplest case, AEM is
 installed on boot partition (not disk, i.e. `sda1` instead of `sda` etc.) of
-Qubes OS. This can be done with a simple command:
+Qubes OS. Run this command to find out where your boot partition is installed:
+
+```bash
+df --output=source /boot
+```
+
+Assuming that your boot partition is installed on `/dev/sda1`, the
+installation can be done with a simple command:
 
 ```bash
 sudo anti-evil-maid-install /dev/sda1
