bash – Script to install Debian has UEFI issues, acts inconsistently across machines
Newer systems tend to have Secure Boot enabled by default, and grubx64.efi needs to be explicitly whitelisted if you want to boot it directly in systems with factory default configuration, as Debian’s grubx64.efi is not signed by either Microsoft or the system manufacturer.
When you go to BIOS settings and manually configure grubx64.efi to boot, the firmware might automatically whitelist it for you, as you have explicitly specified you wish to use it, in a direct user interaction that cannot be (easily) subverted by software.
You should probably change the line
apt install -y linux-image-amd64 grub-efi-amd64
to
apt install -y linux-image-amd64 grub-efi-amd64 grub-efi-amd64-signed shim-signed
This will install a version of grubx64.efi that has all relevant GRUB modules built-in (since Secure Boot will prevent GRUB from loading any modules: GRUB modules are not PE-COFF binaries but ELF binaries, so the Secure Boot firmware cannot validate them) which is signed by Debian, and shimx64.efi which is signed by Microsoft. Both of those have been built as reproducible binaries, so if you wish, you can redo the build process yourself to get absolutely identical binaries, so you can verify there is no malware in their code.
If the -signed packages are installed, grub-install should automatically use them, but if you want to be sure, you can add the --uefi-secure-boot option for it to specify you explicitly want to use them.
When used in this way, you should change efi_file= to be \EFI\debian\shimx64.efi; it will check for Secure Boot, non-persistently add Debian’s Secure Boot certificate to the whitelist if necessary, and then load grubx64.efi automatically. If the system has Secure Boot disabled, it will just load grubx64.efi and run it.
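The install steps and the efi_file= choice described above, as an added example that is not part of the original answer: a POSIX shell helper that reads the firmware's SecureBoot variable from efivarfs and prefers shimx64.efi over grubx64.efi when both are present in the ESP. The function names, the mounted ESP path and the efivar file path are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original answer. Decides which loader to put
# in efi_file= and wraps the package/grub-install steps from the answer.
set -e

# Returns 0 when the firmware reports Secure Boot enabled. An efivarfs file is
# 4 bytes of attributes followed by the variable data; for SecureBoot the data
# is one byte, 1 = enabled. $1 = path to the SecureBoot-<guid> file
# (normally /sys/firmware/efi/efivars/SecureBoot-*; assumed, pass it in).
secure_boot_enabled() {
    [ -r "$1" ] || return 1
    # od prints the byte at offset 4 as an unsigned decimal
    [ "$(od -An -tu1 -j4 -N1 "$1" | tr -d ' ')" = "1" ]
}

# Prints the efi_file= value for the mounted ESP in $1 (assumed layout
# EFI/debian/). shimx64.efi (Microsoft-signed) is preferred because it loads
# Debian's signed grubx64.efi and enrols Debian's certificate when Secure Boot
# is on; plain grubx64.efi only works with Secure Boot off or after manual
# whitelisting. Fails when no Debian loader is present.
choose_efi_file() {
    esp="$1"
    if [ -f "$esp/EFI/debian/shimx64.efi" ] && [ -f "$esp/EFI/debian/grubx64.efi" ]; then
        printf '%s\n' '\EFI\debian\shimx64.efi'
    elif [ -f "$esp/EFI/debian/grubx64.efi" ]; then
        printf '%s\n' '\EFI\debian\grubx64.efi'
    else
        echo "no Debian EFI loader found under $esp/EFI/debian" >&2
        return 1
    fi
}

# The install steps from the answer, wrapped so they are not run when this
# file is sourced (they need root inside the target system's chroot).
# $1 = mounted ESP directory.
install_signed_grub() {
    apt install -y linux-image-amd64 grub-efi-amd64 grub-efi-amd64-signed shim-signed
    grub-install --target=x86_64-efi --efi-directory="$1" --uefi-secure-boot
}
```

After `install_signed_grub /boot/efi`, `choose_efi_file /boot/efi` yields the value to write into the script's efi_file= line.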