Bug#1115304: systemd-boot: EFI layout with secure-boot shim is not supported with fwupd
Norbert Lange
nolange79 at gmail.com
Fri Feb 27 09:51:40 GMT 2026
On Mon, 15 Sep 2025 14:16:43 +0200 Norbert Lange <nolange79 at gmail.com> wrote:
> Package: systemd-boot
> Version: 257.8-1~deb13u2
> Severity: normal
>
> Dear Maintainer,
>
> fwupd expects the boot-files to reside in one directory, the content currently is:
>
> -----
> /efi/EFI/debian/BOOTX64.CSV
> /efi/EFI/debian/fbx64.efi
> /efi/EFI/debian/mmx64.efi
> /efi/EFI/debian/shimx64.efi
>
> /efi/EFI/systemd/systemd-bootx64.efi
> -----
>
> A pending UEFI Firmware Update will use `/efi/EFI/systemd/fw` for its payload,
> and will try to add a Boot-Entry with a shim.
> It expects the shim at /efi/EFI/systemd/shimx64.efi, which is not where Debian
> puts it.
>
> Debian should place everything in a single directory; the mere existence
> of the /efi/EFI/systemd folder will cause fwupd to expect the shim there.
>
> See fwupd report: https://github.com/fwupd/fwupd/issues/9249
>
>
> The commands used to end up with that are a clean (re-)installation of the bootloader:
>
> -----
> apt purge grub-common grub2-common mtools systemd-boot shim-unsigned shim-signed shim-signed-common shim-helpers-amd64-signed systemd-boot-efi-amd64-signed
> apt autoremove
> # should be empty now
> rm -rf /efi/EFI
>
> apt install --no-install-recommends efibootmgr systemd-boot-efi-amd64-signed systemd-boot shim-signed
>
> # remove all UEFI entries
> for b in $(efibootmgr | grep -v auto_created_boot_option | sed -n 's,^Boot\([0-9A-F]\{4\}\)[* ].*,\1,p'); do efibootmgr -B -b "$b"; done
> -----
>
>
> -- System Information:
> Debian Release: 13.1
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 6.12.43+deb13-amd64 (SMP w/32 CPU threads; PREEMPT)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages systemd-boot depends on:
> ii libc6 2.41-12
> ii libsystemd-shared 257.8-1~deb13u2
> ii systemd 257.8-1~deb13u2
This is Bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129186 ,
see https://github.com/fwupd/fwupd/pull/9251
Norbert
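
A check for the layout condition described in the report above, as an added example that is not part of the original message and is not fwupd or Debian code. The function names, verdict strings and return codes are assumptions made for illustration; the paths and file names are the ones quoted in the report.

```shell
#!/bin/sh
# Added example, not from the report. Paths and file names (x86-64) are the
# ones quoted in the report; the fwupd behaviour is the report's claim.

# check_esp_layout [ESP_ROOT]   (default /efi, as in the report)
# Prints a verdict and returns:
#   0  ok       EFI/systemd is absent, or it already holds shimx64.efi
#   1  split:P  EFI/systemd exists without a shim; a shim was found at P
#   2  no-shim  EFI/systemd exists and no shimx64.efi is on the ESP at all
#   3  no-esp   ESP_ROOT/EFI does not exist
check_esp_layout() {
    esp=${1:-/efi}
    [ -d "$esp/EFI" ] || { echo "no-esp"; return 3; }
    # Without EFI/systemd the condition from the report cannot occur.
    [ -d "$esp/EFI/systemd" ] || { echo "ok"; return 0; }
    [ -f "$esp/EFI/systemd/shimx64.efi" ] && { echo "ok"; return 0; }
    # Shim is not next to systemd-boot: look in the other vendor directories.
    other=$(find "$esp/EFI" -mindepth 2 -maxdepth 2 -type f \
                 -iname 'shimx64.efi' | sort | head -n 1)
    if [ -n "$other" ]; then
        rel=${other#"$esp"/}
        echo "split:$rel"
        return 1
    fi
    echo "no-shim"
    return 2
}

# Constructed sample tree reproducing the file listing from the report.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/EFI/debian" "$d/EFI/systemd"
    for f in BOOTX64.CSV fbx64.efi mmx64.efi shimx64.efi; do
        : > "$d/EFI/debian/$f"
    done
    : > "$d/EFI/systemd/systemd-bootx64.efi"
    check_esp_layout "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true   # prints the verdict for the constructed tree
```

Run `check_esp_layout /efi` before scheduling a firmware update; a `split:` verdict means the shim and systemd-boot sit in different vendor directories.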