Bug#1109831: systemd-boot: Confusing interactions between systemd-boot-efi and systemd-boot-efi-amd64-signed
David Härdeman
david at hardeman.nu
Thu Jul 24 16:01:25 BST 2025
Package: systemd-boot
Version: 257.7-1
Severity: normal
Dear Maintainer,
I've installed systemd-boot on a number of systems, following the
instructions from the Debian wiki [1]. On one system, I already had
systemd-boot-efi installed (from before the -signed version and
necessary changes to shim were accepted into the archive). This led to
a system which didn't boot, since the unsigned systemd binary wasn't
replaced with the signed one. In addition, several messages that were
printed by systemd-boot during installation were pretty misleading.
Here's a console session showing some of the confusion:
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/debian/shimx64.efi
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/debian/shimx64.efi
$ dpkg --purge --force-depends systemd-boot systemd-boot-efi-amd64-signed systemd-boot-tools
...
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
...
Skipping "/boot/efi/EFI/systemd/systemd-bootx64.efi", same boot loader version in place already.
Skipping "/boot/efi/EFI/BOOT/BOOTX64.EFI", it's owned by another boot loader (no version info found).
...
$ dpkg --purge --force-depends systemd-boot systemd-boot-efi-amd64-signed systemd-boot-tools
...
$ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
...
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
NOTE: /boot/efi/EFI/BOOT/BOOTX64.EFI is treated differently depending on
whether /boot/efi/EFI/systemd/systemd-bootx64.efi exists. Also, the
message about /boot/efi/EFI/BOOT/BOOTX64.EFI being replaced in the
second installation appears to be incorrect.
$ dpkg --purge --force-depends systemd-boot systemd-boot-efi systemd-boot-tools systemd-boot-efi-amd64-signed
...
$ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi
...
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/Boot/BOOTX64.efi
NOTE: Now /boot/efi/EFI/BOOT/BOOTX64.EFI was actually replaced?
$ apt install systemd-boot-efi-amd64-signed
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/Boot/BOOTX64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/systemd/systemd-bootx64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /usr/lib/systemd/boot/efi/systemd-bootx64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
NOTE: The signed version has not been used to replace the unsigned one
on the EFI partition.
$ efibootmgr -u | grep systemd
Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
NOTE: And no suitable EFI boot entry was created.
$ dpkg-reconfigure systemd-boot
Skipping "/boot/efi/EFI/systemd/systemd-bootx64.efi", same boot loader version in place already.
Skipping "/boot/efi/EFI/BOOT/BOOTX64.EFI", same boot loader version in place already.
Skipping "/boot/efi/EFI/BOOT/BOOTX64.efi", same boot loader version in place already.
$ efibootmgr -u | grep systemd
Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0004* Debian HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi \0
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /boot/efi/EFI/systemd/systemd-bootx64.efi
20621b2b38b1c33adb6e7d7b51f1a94f241f4495b2102f9f35c591629f044303 /usr/lib/systemd/boot/efi/systemd-bootx64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
NOTE: reconfiguring systemd-boot created the boot entry, and despite the
messages about skipping /boot/efi/EFI/systemd/systemd-bootx64.efi, it
was still replaced...?
$ dpkg --purge --force-depends systemd-boot systemd-boot-efi systemd-boot-tools systemd-boot-efi-amd64-signed
$ efibootmgr -b 0004 -B
$ rm /boot/efi/EFI/systemd/systemd-bootx64.efi
$ cp /boot/efi/EFI/debian/shimx64.efi /boot/efi/EFI/Boot/BOOTX64.efi
$ apt install systemd-boot systemd-boot-tools systemd-boot-efi-amd64-signed
...
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
Random seed file /boot/efi/loader/random-seed successfully refreshed (32 bytes).
Created EFI boot entry "Linux Boot Manager".
...
$ sha256sum /boot/efi/EFI/Boot/BOOTX64.efi /boot/efi/EFI/systemd/systemd-bootx64.efi /usr/lib/systemd/boot/efi/systemd*
10b44fae69b1e2bb92484095ad0d140a66f8d8bcc960edbc46abb1a68f65fc26 /boot/efi/EFI/Boot/BOOTX64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /boot/efi/EFI/systemd/systemd-bootx64.efi
1c988ad7f8589e47140eddae0e88e8b954193ee512cc7417d57e8458019ddbe8 /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed
$ efibootmgr -u | grep systemd
Boot0001* Linux Boot Manager HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0004* Debian HD(2,GPT,46f010bb-33fd-453f-98ee-ed72b1beb98e,0x186000,0x225800)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi \0
NOTE: Creating a clean starting point and then installing only the
signed version of systemd-boot worked as expected.
[1] https://wiki.debian.org/SecureBoot#Secure_Boot_setup_with_systemd-boot
-- System Information:
Debian Release: 13.0
APT prefers unstable
APT policy: (500, 'unstable'), (102, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.38+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd-boot depends on:
ii libc6 2.41-10
ii libsystemd-shared 257.7-1
ii systemd 257.7-1
ii systemd-boot-efi-amd64-signed [systemd-boot-efi-signed] 257.7-1
ii systemd-boot-tools 257.7-1
Versions of packages systemd-boot recommends:
ii efibootmgr 18-2
ii shim-signed 1.46+15.8-1
Versions of packages systemd-boot suggests:
pn systemd-ukify <none>
-- no debconf information
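Added example, not part of the bug report or of the systemd-boot package: a small POSIX sh script that performs the three checks the reporter ended up doing by hand above (is the copy on the ESP the shim-signed binary, is the fallback loader still shim, and is there an NVRAM entry that chains shim into systemd-boot). The paths /boot/efi and /usr/lib/systemd/boot/efi are the defaults the report shows; the efibootmgr sample lines are constructed in the shape of `efibootmgr -u` output and are not real NVRAM contents. Function names and return codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from systemd-boot itself).
# Verifies the state the report was checking with sha256sum/efibootmgr.
# Note: the real ESP is vfat, so EFI/Boot/BOOTX64.efi and EFI/BOOT/BOOTX64.EFI
# are the same file there; this script uses the upper-case spelling.

sha() { sha256sum "$1" | cut -d' ' -f1; }

# check_esp_signed ESP LIBDIR
# 0: ESP copy is byte-identical to systemd-bootx64.efi.signed
# 1: ESP copy is the UNSIGNED build (the failure mode in the report)
# 2: ESP copy matches neither shipped binary
# 3: required files missing
check_esp_signed() {
    esp=$1; libdir=$2
    on_esp="$esp/EFI/systemd/systemd-bootx64.efi"
    signed="$libdir/systemd-bootx64.efi.signed"
    unsigned="$libdir/systemd-bootx64.efi"
    [ -f "$on_esp" ] && [ -f "$signed" ] || { echo "missing: $on_esp or $signed"; return 3; }
    h_esp=$(sha "$on_esp"); h_signed=$(sha "$signed")
    if [ "$h_esp" = "$h_signed" ]; then
        echo "OK: $on_esp matches the signed binary ($h_esp)"
        return 0
    fi
    if [ -f "$unsigned" ] && [ "$h_esp" = "$(sha "$unsigned")" ]; then
        echo "WRONG: $on_esp is the unsigned build; shim will refuse it under Secure Boot"
        return 1
    fi
    echo "UNKNOWN: $on_esp matches neither the signed nor the unsigned binary"
    return 2
}

# check_default_is_shim ESP
# 0 if the removable-media fallback EFI/BOOT/BOOTX64.EFI is shim, 1 if not, 3 if missing.
check_default_is_shim() {
    esp=$1
    boot="$esp/EFI/BOOT/BOOTX64.EFI"; shim="$esp/EFI/debian/shimx64.efi"
    [ -f "$boot" ] && [ -f "$shim" ] || return 3
    [ "$(sha "$boot")" = "$(sha "$shim")" ]
}

# has_shim_chain_entry  (reads `efibootmgr -u` output on stdin)
# 0 if some entry loads shimx64.efi with systemd-bootx64.efi as its argument.
has_shim_chain_entry() {
    grep -qi 'shimx64\.efi.*systemd-bootx64\.efi'
}

# Constructed samples in the shape of `efibootmgr -u` output (hypothetical GUID/offsets).
SAMPLE_EFIBOOTMGR_BAD='Boot0001* Linux Boot Manager HD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(\EFI\systemd\systemd-bootx64.efi)'
SAMPLE_EFIBOOTMGR_GOOD="$SAMPLE_EFIBOOTMGR_BAD
Boot0004* Debian HD(2,GPT,00000000-0000-0000-0000-000000000000,0x800,0x100000)/File(EFI\debian\shimx64.efi)\EFI\systemd\systemd-bootx64.efi"

# Real-system usage, only when invoked with --run so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_esp_signed /boot/efi /usr/lib/systemd/boot/efi
    check_default_is_shim /boot/efi && echo "OK: BOOTX64.EFI is shim" || echo "NOTE: BOOTX64.EFI is not shim"
    efibootmgr -u | has_shim_chain_entry \
        && echo "OK: shim -> systemd-boot NVRAM entry present" \
        || echo "MISSING: no NVRAM entry chaining shim into systemd-boot"
fi
```

Run it as `sh check-sdboot.sh --run` after installing systemd-boot-efi-amd64-signed; a return code of 1 from check_esp_signed reproduces the report's state where the unsigned binary survived on the ESP, and a missing shim chain entry corresponds to the "no suitable EFI boot entry was created" observation.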