Bug#1109794: systemd-boot: cannot boot to systemd-boot 257-7.1 - maybe due to UEFI dbx

Alban Browaeys prahal at yahoo.com
Wed Jul 23 23:14:23 BST 2025 

Package: systemd-boot
Version: 257.7-1
Severity: important

Dear Maintainer,
Secure boot error "Image failed to verify with *ACCESS DENIED*.
Press any key to continue."
This when I boot to sytemd-boot.
When I boot to my grub shimx64.efi "secure boot" boot is fine.

I was booting via an EFI entry for grub beforehand and all was fine.
I did a "Load Optimized settings" from BIOS and afterwards I lost my EFI
custom entries and ended up booting in my systemd-boot setup, ie the
default (I have both systemd-boot and Grub). Then I had the above error.

I recreated the EFI entries for both grub and systemd-boot. I can secure
boot to grub but not systemd-boot.

Best regards
Alban

sudo bootctl 
System:
      Firmware: n/a (n/a)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: no
  Measured UKI: no
  Boot into FW: supported

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot/efi (/dev/disk/by-partuuid/26d7f74f-e953-4597-855a-2b0df3bedbb3)
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 257.7-1)
               ├─/EFI/BOOT/fallback.efi
               ├─/EFI/BOOT/LenovoBT.EFI
               └─/EFI/BOOT/bootx64.efi (systemd-boot 257.7-1)

Boot Loaders Listed in EFI Variables:
        Title: Debian Grub
           ID: 0x000D
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/26d7f74f-e953-4597-855a-2b0df3bedbb3
         File: └─/EFI/debian/shimx64.efi

        Title: Linux Boot Manager
           ID: 0x000C
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/26d7f74f-e953-4597-855a-2b0df3bedbb3
         File: └─/EFI/systemd/systemd-bootx64.efi

Boot Loader Entries:
        $BOOT: /boot/efi (/dev/disk/by-partuuid/26d7f74f-e953-4597-855a-2b0df3bedbb3)
        token: debian

Default Boot Loader Entry:
         type: Boot Loader Specification Type #1 (.conf)
        title: Debian GNU/Linux 13 (trixie) (6.12.35+deb13-amd64)
           id: 2b483dcbcecb6729df407c5b5382b0d1-6.12.35+deb13-amd64.conf
       source: /boot/efi//loader/entries/2b483dcbcecb6729df407c5b5382b0d1-6.12.35+deb13-amd64.conf (on the EFI System Partition)
     sort-key: debian
      version: 6.12.35+deb13-amd64
   machine-id: 2b483dcbcecb6729df407c5b5382b0d1
        linux: /boot/efi//2b483dcbcecb6729df407c5b5382b0d1/6.12.35+deb13-amd64/linux
       initrd: /boot/efi//2b483dcbcecb6729df407c5b5382b0d1/6.12.35+deb13-amd64/initrd.img-6.12.35+deb13-amd64
      options: root=LABEL=DEBIAN rootflags=subvol=@rootfs systemd.machine_id=2b483dcbcecb6729df407c5b5382b0d1


current boot entries:

sudo efibootmgr
BootCurrent: 000D
Timeout: 0 seconds
BootOrder: 000D,0000,0001,0002,0003,0006,0007,0008,0009,000A,000B,000C
Boot0000  Setup	FvFile(721c8b66-426c-4e86-8e99-3457c46ab0b9)
Boot0001  Boot Menu	FvFile(126a762d-5758-4fca-8531-201a7f57f850)
Boot0002  Diagnostic Splash Screen	FvFile(a7d8d9a6-6ab0-4aeb-ad9d-163e59a7a380)
Boot0003  Lenovo Diagnostics	FvFile(3f7e615b-0d45-4f80-88dc-26b234958560)
Boot0004  Startup Interrupt Menu	FvFile(f46ee6f4-4785-43a3-923d-7f786c3c8479)
Boot0005  Rescue and Recovery	FvFile(665d3f60-ad3e-4cad-8e26-db46eee9f1b5)
Boot0006* USB CD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,86701296aa5a7848b66cd49dd3ba6a55)
Boot0007* USB FDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,6ff015a28830b543a8b8641009461e49)
Boot0008* ATA HDD0	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f600)
Boot0009* ATA HDD1	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,91af625956449f41a7b91f4f892ab0f601)
Boot000A* USB HDD	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,33e821aaaf33bc4789bd419f88c50803)
Boot000B* PCI LAN	VenMsg(bc7838d2-0f82-4d60-8316-c068ee79d25b,78a84aaf2b2afc4ea79cf5cc8f3d3803)
Boot000C* Linux Boot Manager	HD(1,GPT,26d7f74f-e953-4597-855a-2b0df3bedbb3,0x800,0x3e8000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot000D* Debian Grub	HD(1,GPT,26d7f74f-e953-4597-855a-2b0df3bedbb3,0x800,0x3e8000)/File(\EFI\debian\shimx64.efi)



-- System Information:
Debian Release: 13.0
  APT prefers testing-debug
  APT policy: (500, 'testing-debug'), (500, 'stable-debug'), (500, 'oldstable-debug'), (500, 'testing'), (500, 'stable'), (90, 'unstable-debug'), (90, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.35+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii  libc6               2.41-10
ii  libsystemd-shared   257.7-1
ii  systemd             257.7-1
ii  systemd-boot-efi    257.7-1
ii  systemd-boot-tools  257.7-1

Versions of packages systemd-boot recommends:
ii  efibootmgr   18-2
ii  shim-signed  1.46+15.8-1

Versions of packages systemd-boot suggests:
pn  systemd-ukify  <none>

-- no debconf information

More information about the Pkg-systemd-maintainers mailing list