Bug#1115304: systemd-boot: EFI layout with secure-boot shim is not supported with fwupd

Norbert Lange nolange79 at gmail.com
Mon Sep 15 13:16:43 BST 2025 

Package: systemd-boot
Version: 257.8-1~deb13u2
Severity: normal

Dear Maintainer,

fwupd expects the boot-files to reside in one directory, the content currently is:

-----
/efi/EFI/debian/BOOTX64.CSV
/efi/EFI/debian/fbx64.efi
/efi/EFI/debian/mmx64.efi
/efi/EFI/debian/shimx64.efi

/efi/EFI/systemd/systemd-bootx64.efi
-----

A pending UEFI Firmware Update will use `/efi/EFI/systemd/fw`for its payload,
and will try to add an Boot-Entry with a shim.
It expects the shim at /efi/EFI/systemd/shimx64.efi, which is not where debian
puts it.

Debian should place everything in a single directory, the mere existence
of the /efi/EFI/systemd folder will cause fwupd to expect the shim there.

See fwupd report: https://github.com/fwupd/fwupd/issues/9249


The commands used to end up with that, is a clean (re-)installation of the bootloader:

-----
apt purge grub-common grub2-common mtools systemd-boot shim-unsigned shim-signed shim-signed-common shim-helpers-amd64-signed systemd-boot-efi-amd64-signed
apt autoremove
# should be empty now
rm -rf /efi/EFI

apt install --no-install-recommends efibootmgr systemd-boot-efi-amd64-signed systemd-boot shim-signed

# remove all UEFI entries
for b in $(efibootmgr | grep -v auto_created_boot_option | sed -n 's,^Boot\([0-9A-F][0-9A-F]*\)*.*,\1,p'); do efibootmgr -B -b $b; done
-----


-- System Information:
Debian Release: 13.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.43+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages systemd-boot depends on:
ii  libc6                                                    2.41-12
ii  libsystemd-shared                                        257.8-1~deb13u2
ii  systemd                                                  257.8-1~deb13u2
ii  systemd-boot-efi-amd64-signed [systemd-boot-efi-signed]  257.8-1~deb13u2
ii  systemd-boot-tools                                       257.8-1~deb13u2

Versions of packages systemd-boot recommends:
ii  efibootmgr   18-2
ii  shim-signed  1.47+15.8-1

Versions of packages systemd-boot suggests:
pn  systemd-ukify  <none>

-- no debconf information

More information about the Pkg-systemd-maintainers mailing list