bootctl: install with shim

[lnussel]

Component

bootctl

Is your feature request related to a problem? Please describe

Systemd-boot right now installs itself (bootctl install) like this in the
ESP (star marks boot entry):

\EFI\BOOT\BOOTX64.EFI    <-- systemd-boot
\EFI\systemd\systemd-bootx64.efi  *

To make systemd-boot usable on real hardware with secure boot enabled, it would have to be signed by the MS 3rd party CA. That's probably not going to happen so the way to do that would be make sd-boot bootable by shim.

Describe the solution you'd like

Assuming systemd-boot is signed with a vendor certificate, the
way to install both shim and systemd-boot would be what is outlined
in https://github.com/rhboot/shim/blob/main/README.fallback

for removable media:

\EFI\BOOT\BOOTX64.EFI    <-- shim
\EFI\BOOT\MokManager.efi
\EFI\BOOT\grubx64.efi    <-- systemd-boot

for an installed system:

\EFI\BOOT\BOOTX64.EFI    <-- shim
\EFI\BOOT\MokManager.efi
\EFI\BOOT\fallback.efi
\EFI\vendor\BOOT.CSV
\EFI\vendor\shim.efi     *
\EFI\vendor\MokManager.efi
\EFI\vendor\grubx64.efi  <-- systemd-boot

(Yeah, for now systemd-boot would have to name itself after grub as
that's hardcoded in shim).

So my question is would you accept patches to bootctl that (eg via
build time option) installs systemd-boot as outlined above if shim
is installed?

If so, a way would be to eg have the shim package symlink it's files
into /usr/lib/systemd/boot/efi/. Bootctl already installs *.efi from
there. We'd need a hack to the systemd-boot -> grub renaming though.

The other alternative would be to either not use bootctl install
at all, or have some script mangle what it did to retrofit shim.

Thoughts? :-)

Describe alternatives you've considered

No response

The systemd version you checked that didn't have the feature you are asking for

No response

[YHNdnzj]

IMO this should not be handled by bootctl. The use of shim (and where it gets installed) is distinct across distros, and thus they shall provide their own tools to tackle with this.

[Yukigamine]

IMO this should not be handled by bootctl. The use of shim (and where it gets installed) is distinct across distros, and thus they shall provide their own tools to tackle with this.

If you can point me to a tool in Arch that will automatically stick a copy of systemd-boot64.efi into grubx64.efi, I'm all ears.

I ended up here looking for exactly the kind of solution that OP proposed. Because shim is hardcoded to look for grubx64.efi and PreLoader is hardcoded to look for loader.efi there are limited options when it comes to automating updates.

If bootctl supported specifying additional paths/names as an optional parameter, it would be a reasonably clean solution.

[YHNdnzj]

If you can point me to a tool in Arch that will automatically stick a copy of systemd-boot64.efi into grubx64.efi, I'm all ears.

Well, bootctl install basically does two things: install the boot loader to esp/EFI/systemd/ and esp/EFI/BOOT/, plus adding an EFI boot entry. Since you're using shim/preloader, you don't need sd-boot to be installed to the mentioned destinations nor the boot entry since it's chainloaded by shim. So a simple cp will work for you IIUC?

[YHNdnzj]

If bootctl supported specifying additional paths/names as an optional parameter, it would be a reasonably clean solution.

I actually think this makes more sense than adding a build option. It has more use cases, for both end users and distro maintainers, while still retaining the default behavior of installing to the aforementioned places.

[lnussel]

Command line options are not useful for the distro unless there's also support for a global config file to enable the settings by default. So just calling bootctl install works out of the box.

With shim the EFI boot entry must not point to sd-boot but shim. So bootctl install would need to know what path to put.
Regarding distro differences that's why I had the idea to symlink shim files into /usr/lib/systemd/boot/efi/ so bootctl can just pick them up and do the right thing.

Anyway another idea that came to my mind was to have a script eg /usr/lib/systemd/boot/install (or even scripts in .d) that when present gets executed by bootctl install instead of the builtin code. bootctl could pass some env vars with settings, like mount point of the efi partition. That script could be shipped by the shim package. So if no shim is installed, bootctl would just use it's built in code.

[alexojegu]

A configuration file would be great, something like /etc/systemd/boot.conf:

[Boot]
shim=yes

So that bootctl update has the same behavior as now, but renaming systemd-boot64.efi to grubx64.efi. To bootctl install I see two options:

• Create EFI boot entry pointing to grubx64.efi (It would be the same behavior as now).
• Create EFI boot entry pointing to shimx64.efi (It could be simplified but it would be more risky).

About the path, just keep using the same one as now /ESP/EFI/systemd/ (At least in Arch Linux, I don't know if it is a build option). For more exotic configurations the user or distribution will be responsible.

[Nowa-Ammerlaan]

You don't actually have to rename systemd-boot to grub, shim loads the efi file it is given as an argument before it loads the hardcoded grubx64.efi. Like this:

nowa@nowa-gentoo-pc ~ % efibootmgr -u
BootCurrent: 0000
Timeout: 0 seconds
BootOrder: 0000,0006,0004,0008,0007
Boot0000* Linux Boot Manager    HD(1,GPT,7ae430c6-07e8-3b4e-a796-b2a28706b3fb,0x800,0x100800)/\EFI\SYSTEMD\SHIMX64.EFI\EFI\systemd\systemd-bootx64.efi
...

This I think is much cleaner.

[alexojegu]

Thanks @Nowa-Ammerlaan, I tried it but don't work with my hardware (It is 8 years old).

BootCurrent: 0003
Timeout: 1 seconds
BootOrder: 0003,0001,0002,0000
Boot0000* Linux Secure Boot	HD(1,GPT,ad9b31dc-84c8-417f-b634-0cfd86589be8,0x800,0x300000)/\EFI\Systemd\shimx64.efi\EFI\Systemd\systemd-bootx64.efi
...

https://wiki.gentoo.org/wiki/Shim#systemd-boot

... if the firmware supports it ...