• Bug#1109831: systemd-boot: Confusing interactions between systemd-boot-

    From David Härdeman@21:1/5 to All on Thu Jul 24 17:20:01 2025
    Package: systemd-boot
    Version: 257.7-1
    Severity: normal

    Dear Maintainer,

    I've installed systemd-boot on a number of systems, following the
    instructions from the Debian wiki [1]. On one system, I already had
    systemd-boot-efi installed (from before the -signed version and
    necessary changes to shim were accepted into the archive). This led to
    a system which didn't boot, since the unsigned systemd binary wasn't
    replaced with the signed one. In addition, several messages that were
    printed by systemd-boot during installation were pretty misleading.

    Here's a console session showing some of the confusion:

    $ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/debian/shimx64.efi
    10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
    10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/debian/shimx64.efi
    $ dpkg --purge --force-depends systemd-boot systemd-boot-efi-amd64-signed systemd-boot-tools
    ...
    $ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
    ...
    Skipping "/boot/efi/EFI/systemd/systemd-bootx64.efi", same boot loader version in place already.
    Skipping "/boot/efi/EFI/BOOT/BOOTX64.EFI", it's owned by another boot loader (no version info found).
    ...
    $ dpkg --purge --force-depends systemd-boot systemd-boot-efi-amd64-signed systemd-boot-tools
    ...
    $ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
    $ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
    ...
    Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
    Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
    ...
    $ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi
    10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi


    NOTE: /boot/efi/EFI/BOOT/BOOTX64.EFI is treated differently depending on
    whether /boot/efi/EFI/systemd/systemd-bootx64.efi exists. Also, the
    message about /boot/efi/EFI/BOOT/BOOTX64.EFI being replaced in the
    second installation appears to be incorrect.


    $ dpkg --purge --force-depends systemd-boot systemd-boot-efi systemd-boot-tools systemd-boot-efi-amd64-signed
    ...
    $ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
    $ apt install systemd-boot systemd-boot-tools systemd-boot-efi
    ...
    Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
    Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
    ...
    $ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi
    20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/Boot/BOOTX64.efi


    NOTE: Now /boot/efi/EFI/BOOT/BOOTX64.EFI was actually replaced?


    $ apt install systemd-boot-efi-amd64-signed
    ...
    $ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
    20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/Boot/BOOTX64.efi
    20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/systemd/systemd-bootx64.efi
    20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /usr/lib/systemd/boot/efi/systemd-bootx64.efi
    1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed


    NOTE: The signed version has not been used to replace the unsigned one
    on the EFI partition.


    $ efibootmgr -u | grep systemd
    Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)


    NOTE: And no suitable EFI boot entry was created.


    $ dpkg-reconfigure systemd-boot
    Skipping "/boot/efi/EFI/systemd/systemd-bootx64.efi", same boot loader version in place already.
    Skipping "/boot/efi/EFI/BOOT/BOOTX64.EFI", same boot loader version in place already.
    Skipping "/boot/efi/EFI/BOOT/BOOTX64.efi", same boot loader version in place already.
    $ efibootmgr -u | grep systemd
    Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
    Boot0004* Debian HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi \0
    $ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
    10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
    20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/systemd/systemd-bootx64.efi
    20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /usr/lib/systemd/boot/efi/systemd-bootx64.efi
    1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed


    NOTE: reconfiguring systemd-boot created the boot entry, and despite the
    messages about skipping /boot/efi/EFI/systemd/systemd-bootx64.efi, it
    was still replaced...?


    $ dpkg --purge --force-depends systemd-boot systemd-boot-efi systemd-boot-tools systemd-boot-efi-amd64-signed
    $ efibootmgr -b 0004 -B
    $ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
    $ cp /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/Boot/BOOTX64.efi
    $ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
    ...
    Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
    Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
    Random seed file /boot/efi/loader/random-seed successfully refreshed (32 bytes).
    Created EFI boot entry "Linux Boot Manager".
    ...
    $ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
    10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
    1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /boot/efi/EFI/systemd/systemd-bootx64.efi
    1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
    $ efibootmgr -u | grep systemd
    Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
    Boot0004* Debian HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi \0


    NOTE: Creating a clean starting point and then installing only the
    signed version of systemd-boot worked as expected.


    [1] https://wiki.debian.org/SecureBoot#Secure_Boot_setup_with_systemd-boot

    -- System Information:
    Debian Release: 13.0
    APT prefers unstable
    APT policy: (500, 'unstable'), (102, 'experimental')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.12.38+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages systemd-boot depends on:
    ii libc6 2.41-10
    ii libsystemd-shared 257.7-1
    ii systemd 257.7-1
    ii systemd-boot-efi-amd64-signed [systemd-boot-efi-signed] 257.7-1
    ii systemd-boot-tools 257.7-1

    Versions of packages systemd-boot recommends:
    ii efibootmgr 18-2
    ii shim-signed 1.46+15.8-1

    Versions of packages systemd-boot suggests:
    pn systemd-ukify <none>

    -- no debconf information

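Added example, not part of the original report or of the systemd-boot packaging: a small check that automates the manual `sha256sum` comparison from the session above, classifying each loader copy on the ESP as the signed build, the unsigned build, a copy of shim, or something else. The function names and the `ESP`/`PKG` variables are hypothetical; the default paths are the ones shown in the report.

```shell
#!/bin/sh
# Added example: classify boot loader copies on the ESP by SHA-256.
# ESP and PKG default to the paths in the report; override them for testing.
# Usage (as root): . ./esp-audit.sh && audit_esp
ESP="${ESP:-/boot/efi}"
PKG="${PKG:-/usr/lib/systemd/boot/efi}"

digest() {
    # Print the SHA-256 of $1, or nothing if the file does not exist.
    if [ -f "$1" ]; then
        sha256sum "$1" | cut -d' ' -f1
    fi
}

classify() {
    # $1 = loader file on the ESP.
    # Prints one of: missing | signed | unsigned | shim | unknown
    h=$(digest "$1")
    if [ -z "$h" ]; then
        echo missing
    elif [ "$h" = "$(digest "$PKG/systemd-bootx64.efi.signed")" ]; then
        echo signed
    elif [ "$h" = "$(digest "$PKG/systemd-bootx64.efi")" ]; then
        echo unsigned
    elif [ "$h" = "$(digest "$ESP/EFI/debian/shimx64.efi")" ]; then
        echo shim
    else
        echo unknown
    fi
}

audit_esp() {
    # Report both loader locations. Return 0 only when the copy that the
    # shim boot entry chainloads (EFI/systemd/systemd-bootx64.efi) is the
    # signed build; the fallback path is reported but does not fail the audit.
    rc=0
    for f in EFI/systemd/systemd-bootx64.efi EFI/BOOT/BOOTX64.EFI; do
        state=$(classify "$ESP/$f")
        echo "$f: $state"
        if [ "$f" = EFI/systemd/systemd-bootx64.efi ] && [ "$state" != signed ]; then
            rc=1
        fi
    done
    return "$rc"
}
```

Running `audit_esp` after each install or `dpkg-reconfigure` step shows what actually landed on the ESP, independent of the "Copied"/"Skipping" messages.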