Package: systemd-boot
Version: 257.7-1
Severity: normal

Dear Maintainer,

I've installed systemd-boot on a number of systems, following the instructions from the Debian wiki [1]. On one system, I already had systemd-boot-efi installed (from before the -signed version and necessary changes to shim were accepted into the archive). This led to a system which didn't boot, since the unsigned systemd binary wasn't replaced with the signed one. In addition, several messages that were printed by systemd-boot during installation were pretty misleading.

Here's a console session showing some of the confusion:

$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/debian/shimx64.efi
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/debian/shimx64.efi
$ dpkg --purge --force-depends systemd-boot systemd-boot-efi-amd64-signed systemd-boot-tools
...
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
...
Skipping "/boot/efi/EFI/systemd/systemd-bootx64.efi", same boot loader version in place already.
Skipping "/boot/efi/EFI/BOOT/BOOTX64.EFI", it's owned by another boot loader (no version info found).
...
$ dpkg --purge --force-depends systemd-boot systemd-boot-efi-amd64-signed systemd-boot-tools
...
$ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
...
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi

NOTE: /boot/efi/EFI/BOOT/BOOTX64.EFI is treated differently depending on whether /boot/efi/EFI/systemd/systemd-bootx64.efi exists.
Also, the message about /boot/efi/EFI/BOOT/BOOTX64.EFI being replaced in the second installation appears to be incorrect.

$ dpkg --purge --force-depends systemd-boot systemd-boot-efi systemd-boot-tools systemd-boot-efi-amd64-signed
...
$ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi
...
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/Boot/BOOTX64.efi

NOTE: Now /boot/efi/EFI/BOOT/BOOTX64.EFI was actually replaced?

$ apt install systemd-boot-efi-amd64-signed
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/Boot/BOOTX64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/systemd/systemd-bootx64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /usr/lib/systemd/boot/efi/systemd-bootx64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed

NOTE: The signed version has not been used to replace the unsigned one on the EFI partition.

$ efibootmgr -u | grep systemd
Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)

NOTE: And no suitable EFI boot entry was created.

$ dpkg-reconfigure systemd-boot
Skipping "/boot/efi/EFI/systemd/systemd-bootx64.efi", same boot loader version in place already.
Skipping "/boot/efi/EFI/BOOT/BOOTX64.EFI", same boot loader version in place already.
Skipping "/boot/efi/EFI/BOOT/BOOTX64.efi", same boot loader version in place already.
$ efibootmgr -u | grep systemd
Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0004* Debian HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi \0
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/systemd/systemd-bootx64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /usr/lib/systemd/boot/efi/systemd-bootx64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed

NOTE: reconfiguring systemd-boot created the boot entry, and despite the messages about skipping /boot/efi/EFI/systemd/systemd-bootx64.efi, it was still replaced...?

$ dpkg --purge --force-depends systemd-boot systemd-boot-efi systemd-boot-tools systemd-boot-efi-amd64-signed
$ efibootmgr -b 0004 -B
$ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
$ cp /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/Boot/BOOTX64.efi
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
...
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
Random seed file /boot/efi/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /boot/efi/EFI/systemd/systemd-bootx64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
$ efibootmgr -u | grep systemd
Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0004* Debian HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi \0

NOTE: Creating a clean starting point and then installing only the signed version of systemd-boot worked as expected.

[1] https://wiki.debian.org/SecureBoot#Secure_Boot_setup_with_systemd-boot

-- System Information:
Debian Release: 13.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (102, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii  libc6                                                     2.41-10
ii  libsystemd-shared                                         257.7-1
ii  systemd                                                   257.7-1
ii  systemd-boot-efi-amd64-signed [systemd-boot-efi-signed]  257.7-1
ii  systemd-boot-tools                                        257.7-1

Versions of packages systemd-boot recommends:
ii  efibootmgr   18-2
ii  shim-signed  1.46+15.8-1

Versions of packages systemd-boot suggests:
pn  systemd-ukify  <none>

-- no debconf information
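
The hash comparison done by hand in the report above, written as a reusable check. This is an added example, not part of the original report or of the systemd-boot packaging; the function names classify_loader and audit_esp and the ROOT prefix argument are assumptions made here, while the file paths are the ones shown in the console session.

```shell
#!/bin/sh
# Added example: classify the boot loader copies on the ESP by comparing their
# SHA-256 against the files the packages ship. ROOT is a path prefix ("" for
# the live system), so the same check works on a mounted image or a test tree.

PKG_EFI=/usr/lib/systemd/boot/efi/systemd-bootx64.efi
SHIM=/boot/efi/EFI/debian/shimx64.efi

hash_of() { sha256sum "$1" 2>/dev/null | cut -d' ' -f1; }

# classify_loader ROOT FILE -> signed | unsigned | shim | unknown | missing
classify_loader() {
    c_root=$1
    c_file=$c_root$2
    [ -f "$c_file" ] || { echo missing; return 0; }
    c_hash=$(hash_of "$c_file")
    # An unreadable file yields an empty hash; never let "" match a missing reference.
    [ -n "$c_hash" ] || { echo unknown; return 0; }
    if [ "$c_hash" = "$(hash_of "$c_root$PKG_EFI.signed")" ]; then echo signed
    elif [ "$c_hash" = "$(hash_of "$c_root$PKG_EFI")" ]; then echo unsigned
    elif [ "$c_hash" = "$(hash_of "$c_root$SHIM")" ]; then echo shim
    else echo unknown
    fi
}

# audit_esp ROOT: print the state of both loader paths; return 1 when the
# signed binary is shipped but an unsigned copy is what sits on the ESP
# (the non-booting state described in the report).
audit_esp() {
    a_root=$1
    a_rc=0
    for a_file in /boot/efi/EFI/systemd/systemd-bootx64.efi \
                  /boot/efi/EFI/BOOT/BOOTX64.EFI; do
        a_state=$(classify_loader "$a_root" "$a_file")
        printf '%-8s %s\n' "$a_state" "$a_file"
        if [ "$a_state" = unsigned ] && [ -f "$a_root$PKG_EFI.signed" ]; then
            a_rc=1
        fi
    done
    return "$a_rc"
}

# Usage on a live system (root may be needed to read the ESP): audit_esp ""
```

Running it after each install or dpkg-reconfigure step shows what actually landed on the ESP, independent of the "Copied" and "Skipping" messages.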

