Bug#1131107: reportbug: systemd-boot 260 breaks SecureBoot setup on some machines
Markus Koller
markus at snafu.ch
Tue Mar 17 16:17:19 GMT 2026
Package: systemd-boot
Version: 260~rc4-1
Severity: important
Dear Maintainer,
After upgrading to systemd-boot 260~rc1 and later release candidates,
every time I reboot one of my machines the EFI boot order changes so
systemd-bootx64.efi comes first, rather than shimx64.efi, resulting in
a broken SecureBoot setup on the next boot.
Since this happens on reboot I assume it's systemd-boot or UEFI doing this,
rather than something in the kernel or userland.
The machine where I ran into this is an Intel NUC7i5BNKP, but I also checked
on an older Thinkpad X1C now. After upgrading all packages the boot order
was incorrect there too, so I swapped the order with `efibootmgr -o ...`.
But then after rebooting (and rebooting again for good measure) the order
stays the same, so this might be some weirdness with the UEFI on the NUC.
Boot loader section from `bootctl status` on the NUC:
```
Boot Loaders Listed in EFI Variables:
Title: Linux Boot Manager
ID: 0x0005
Status: active, boot-order
Partition: /dev/disk/by-partuuid/46fedc45-4e20-4b29-a0e7-eee2987a27d6
File: └─/boot/efi//EFI/systemd/systemd-bootx64.efi
Title: Debian
ID: 0x0004
Status: active, boot-order
Partition: /dev/disk/by-partuuid/46fedc45-4e20-4b29-a0e7-eee2987a27d6
File: └─/boot/efi/EFI/debian/shimx64.efi
```
Output of `efibootmgr`:
```
BootCurrent: 0004
Timeout: 2 seconds
BootOrder: 0005,0004,0002,0000,0001
Boot0000* Linux Boot Manager VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0001* Debian VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)5c004500460049005c00730079007300740065006d0064005c00730079007300740065006d0064002d0062006f006f0074007800360034002e0065006600690020005c003000
Boot0002* Linux Boot Manager VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0003* INTEL SSDPEKKW256G7 : PART 0 : Boot Drive BBS(HD,,0x0)0000424f
Boot0004* Debian HD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/EFI\debian\shimx64.efi5c004500460049005c00730079007300740065006d0064005c00730079007300740065006d0064002d0062006f006f0074007800360034002e0065006600690020005c003000
Boot0005* Linux Boot Manager HD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/\EFI\systemd\systemd-bootx64.efi
```
I tried a few things without success:
- Removing the entry for systemd-bootx64.efi, but it gets recreated after
a reboot.
- Removing those other `Linux Boot Manager` entries with the `VenHw` UUIDs,
but these keep getting added somehow (not sure when exactly; it's not after
every reboot).
- Recreating the EFI entries so the shim has a lower ID (originally it had
a higher ID).
- Running `apt reinstall systemd-boot`, this results in the correct order if
I remove the shim and systemd-boot entries first, but it doesn't reorder
the existing ones.
My workaround for now was to disable SecureBoot on this machine.
Cheers,
Markus
-- System Information:
Debian Release: forky/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.8+deb14-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd-boot depends on:
ii efibootmgr 18-4.1
ii libc6 2.42-13
ii libsystemd-shared 260~rc4-1
ii systemd 260~rc4-1
ii systemd-boot-efi-amd64-signed [systemd-boot-efi-signed] 260~rc4-1
ii systemd-boot-tools 260~rc4-1
Versions of packages systemd-boot recommends:
ii shim-signed 1.47+15.8-1
Versions of packages systemd-boot suggests:
pn systemd-ukify <none>
-- no debconf information
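As an added illustration (not part of the bug report, and not code from the systemd or Debian projects), the script below parses `efibootmgr` output of the shape shown in the report and reports whether the shim entry precedes the systemd-boot entry in `BootOrder`, which is the condition SecureBoot needs on this setup. It also prints the reordered `BootOrder` value the reporter passed to `efibootmgr -o`. The function names (`boot_order_status`, `fixed_boot_order`) and the status strings are assumptions made here; the sample input is copied from the report's `efibootmgr` output with the long hex path tails trimmed.

```shell
#!/bin/sh
# Added example: check whether shimx64.efi precedes systemd-bootx64.efi in the
# EFI BootOrder, using efibootmgr's text output. Names and status strings are
# this example's own, not efibootmgr's or systemd's.

# Sample input copied from the bug report (the broken state). The long hex
# tails after the file paths have been trimmed; they carry no extra information
# for this check.
BROKEN_ORDER_SAMPLE='BootCurrent: 0004
Timeout: 2 seconds
BootOrder: 0005,0004,0002,0000,0001
Boot0000* Linux Boot Manager VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0001* Debian VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0002* Linux Boot Manager VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0003* INTEL SSDPEKKW256G7 : PART 0 : Boot Drive BBS(HD,,0x0)0000424f
Boot0004* Debian HD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/EFI\debian\shimx64.efi
Boot0005* Linux Boot Manager HD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/\EFI\systemd\systemd-bootx64.efi'

# boot_order_ids TEXT: print the BootOrder IDs as a space-separated list.
boot_order_ids() {
    printf '%s\n' "$1" | sed -n 's/^BootOrder: *//p' | tr ',' ' '
}

# entry_line TEXT ID: print the "Boot<ID>*" line for that ID, or nothing.
entry_line() {
    printf '%s\n' "$1" | grep "^Boot$2\*" || true
}

# boot_order_status: read efibootmgr output on stdin and print one of
#   ok                       shim is first of the two (or systemd-boot absent)
#   shim-after-systemd-boot  the broken state described in the report
#   missing-shim             no shimx64.efi entry is in BootOrder at all
boot_order_status() {
    efi_text=$(cat)
    shim_pos=0; sdboot_pos=0; pos=0
    for id in $(boot_order_ids "$efi_text"); do
        pos=$((pos + 1))
        case "$(entry_line "$efi_text" "$id")" in
            *shimx64.efi*)
                if [ "$shim_pos" -eq 0 ]; then shim_pos=$pos; fi ;;
            *systemd-bootx64.efi*)
                if [ "$sdboot_pos" -eq 0 ]; then sdboot_pos=$pos; fi ;;
        esac
    done
    if [ "$shim_pos" -eq 0 ]; then
        echo missing-shim
    elif [ "$sdboot_pos" -ne 0 ] && [ "$sdboot_pos" -lt "$shim_pos" ]; then
        echo shim-after-systemd-boot
    else
        echo ok
    fi
}

# fixed_boot_order: read efibootmgr output on stdin and print BootOrder with
# the first shim entry moved to the front, keeping the relative order of the
# rest. This is the value to hand to `efibootmgr -o`; nothing is changed here.
fixed_boot_order() {
    efi_text=$(cat)
    shim_id=""; rest=""
    for id in $(boot_order_ids "$efi_text"); do
        case "$(entry_line "$efi_text" "$id")" in
            *shimx64.efi*)
                if [ -z "$shim_id" ]; then shim_id=$id; continue; fi ;;
        esac
        rest="${rest:+$rest,}$id"
    done
    if [ -n "$shim_id" ]; then
        printf '%s,%s\n' "$shim_id" "$rest"
    else
        printf '%s\n' "$rest"
    fi
}

# Usage demo on the captured sample (on a real machine: efibootmgr | boot_order_status).
printf '%s\n' "$BROKEN_ORDER_SAMPLE" | boot_order_status
printf 'efibootmgr -o %s\n' "$(printf '%s\n' "$BROKEN_ORDER_SAMPLE" | fixed_boot_order)"
```

The check only inspects `BootOrder` and never writes EFI variables; running `efibootmgr | boot_order_status` after each reboot is a cheap way to notice the reordering the report describes before the next boot fails, and the printed `efibootmgr -o` line is the same swap the reporter applied by hand.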