Bug#1109864: systemd-boot: postinst fails when EFI variables cannot be written

Sofus Albert Høgsbro Rose debianbug at sofusrose.com
Fri Jul 25 10:30:39 BST 2025 

Package: systemd-boot
Version: 257.7-1
Severity: normal
X-Debbugs-Cc: debianbug at sofusrose.com

Dear Maintainer,

I'm preparing a bootable `trixie` ISO with two partitions, intended to be booted using `systemd-boot`:
- A FAT32 `/boot` EFI partition.
- An ext4 `/` partition.

The standard `chroot`-qemu-aarch64-from-x86 approach works very well, until the `postinst` script of `systemd-boot` runs:
```bash
$ sudo chroot "$MOUNTED_ROOT_DIR" /usr/bin/qemu-aarch64-static /bin/bash <<EOF
apt update
apt install --yes systemd-boot  ## Minimal failing example on minbase, after locales
EOF

...
Failed to write 'LoaderSystemToken' EFI variable: No such file or directory
...
```

>From my own testing, I'm relatively certain that this error originates with `bootctl install`. This tracks with the documentation of that option.

Now, obviously, in this context, it's quite a good thing that writing an EFI variable fails while still on the host (indeed, success would be worrying!).  What makes this a package bug is that `dpkg` escalates this to a `postinst` failure.

The workarounds I have been able to devise before making this report all have significant downsides:
- One can make do the `systemd-boot-efi` (and `*-tools`), and manually use `bootctl --no-variables install`. This comes at the cost of all the nice things that the `systemd-boot` ships with - the `kernel-install` invocations in `/etc/kernel/*` and `/etc/initramfs`, services and sockets for ex. updating the random seed on boot, and much more. These must all essentially be copied from the `systemd-boot` package.
    - I should mention that a lack of `systemd-boot` means `kernel-install` isn't invoked; what makes this confusing is #1095646 (I think), which causes `dracut` to run, giving the impression that a boot should be possible (it isn't, since there are no entries generated).
- One could try to manually patch in `--no-variables` in the `postinst` scripts, for the duration of the chroot session only, then also make sure to queue a first-boot to set those EFI variables. The cost of this is having to mess with downloaded `dpkg` `postinst` files. I'm also unsure whether `systemd-boot` will set the desired EFI variables at all, ever.

I have the following concepts of how this might be fixed:
- Errors related to EFI variables could be caught and turned into warnings instead. This runs the risk of `dpkg` improperly succeeding in the "standard case" where users do want EFI variables written.
- The write to EFI variables on the firmware could be outsourced to a very simple package that `systemd-boot` recommends. Then, the `postinst` of this package could default to `--no-variables` (it should be harmless to run `bootctl` twice, but perhaps this could be checked). That "very simple extra package" could even have a variant that sets EFI variables on (first?) boot.

I hope this bug report is helpful and thorough. I am not so familiar with the conventions here, so I apologize if my "ideas" are starkly against the way things are done; in any case, I am happy to help with more information / anything else.

Thank you for your time!

Kindest Regards,
Sofus



Related (upstream):
- `--no-variables` has been replaced "soon": https://github.com/poettering/systemd/commit/7db417bda6a98e86b6a02abe964e657f3d4ec689

Possibly related (arch/upstream):
- https://github.com/archlinux/archinstall/pull/3396
- https://github.com/systemd/systemd/issues/36174
- https://github.com/systemd/systemd/issues/35005

NOTE: My host machine is a Ubuntu machine, but just to be clear, the error happens inside a Debian system that is to be booted directly. The `chroot` is just a way to run commands within that not-yet-booted system. Therefore, it would surprise me if it mattered that the host is Ubuntu based.

For clarity, the Debian system is prepared with the script below.

```bash
DEBIAN_VARIANT="minbase"
DEBIAN_ARCH="arm64"
DEBIAN_RELEASE="trixie"
DEBIAN_ARCHIVES="main contrib non-free non-free-firmware"
DEBIAN_MIRROR_URL="http://deb.debian.org/debian"
DEBIAN_BOOTSTRAP_PKGS="locales"
sudo mmdebstrap \
	--variant=$DEBIAN_VARIANT \
	--arch=$DEBIAN_ARCH \
	--components="$DEBIAN_ARCHIVES" \
	--include="$DEBIAN_BOOTSTRAP_PKGS" \
	$DEBIAN_RELEASE \
	"$ROOT_DIR" \
	"$DEBIAN_MIRROR_URL"
```


-- System Information:
Debian Release: bookworm/sid
  APT prefers jammy-updates
  APT policy: (500, 'jammy-updates'), (500, 'jammy-security'), (500, 'jammy'), (100, 'jammy-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.12-x64v3-xanmod1 (SMP w/32 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

More information about the Pkg-systemd-maintainers mailing list