Bug#1110177: systemd-boot postinst fails if ESP is not mounted

Fabian Grünbichler f.gruenbichler at proxmox.com
Thu Jul 31 08:42:58 BST 2025 

Package: systemd-boot
Version: 257.7-1
Severity: normal
X-Debbugs-Cc: f.gruenbichler at proxmox.com

Hi!

on a system with systemd-boot-efi installed (and not it's signed counterpart),
but shim-signed installed, systemd-boot's postinst will fail every other time
if the ESP is not mounted.

I used reinstalling shim-signed as trigger here:

Log started: 2025-07-31  03:09:11
Preparing to unpack .../shim-signed_1.46+15.8-1_amd64.deb ...
Unpacking shim-signed:amd64 (1.46+15.8-1) over (1.46+15.8-1) ...
Setting up shim-signed:amd64 (1.46+15.8-1) ...
No DKMS packages installed: not changing Secure Boot validation state.
Processing triggers for systemd-boot (257.7-1) ...
[1mdpkg:[0m error processing package systemd-boot (--configure):
 installed systemd-boot package post-installation script subprocess returned error exit status 1
Errors were encountered while processing:
 systemd-boot
Log ended: 2025-07-31  03:09:12

Log started: 2025-07-31  03:09:14
Preparing to unpack .../shim-signed_1.46+15.8-1_amd64.deb ...
Unpacking shim-signed:amd64 (1.46+15.8-1) over (1.46+15.8-1) ...
Setting up shim-signed:amd64 (1.46+15.8-1) ...
No DKMS packages installed: not changing Secure Boot validation state.
Setting up systemd-boot (257.7-1) ...
Log ended: 2025-07-31  03:09:14


The culprit is the invocation of

    esp_path="$(bootctl --quiet --print-esp-path 2>/dev/null)"

in remove_shim() in systemd-boot's postinst, combined with `set -e`.

Executing this command exits with exit code 1 if no ESP can be found.

I understand this is a bit of an exotic setup, but I don't think having this
particular combination of packages installed without a currently mounted ESP is
in some way forbidden, and there might be valid reasons like manually managing
multiple ESPs, or robustness concerns about having the ESP mounted all the
time, that make it likely to trigger in practice.

I think the fix is quite simple - gracefully handle no ESP being mounted, which
seems to already be the intention. E.g., the invocation could be extended with
a final `|| true` to make it infallible.

-- System Information:
Debian Release: 13.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.38+deb13-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii  libc6               2.41-11
ii  libsystemd-shared   257.7-1
ii  systemd             257.7-1
ii  systemd-boot-efi    257.7-1
ii  systemd-boot-tools  257.7-1

Versions of packages systemd-boot recommends:
ii  efibootmgr   18-2
ii  shim-signed  1.46+15.8-1

Versions of packages systemd-boot suggests:
pn  systemd-ukify  <none>

-- no debconf information

More information about the Pkg-systemd-maintainers mailing list