#1131107 reportbug: systemd-boot 260 breaks SecureBoot setup on some machines

Package: systemd-boot
Source: systemd-boot
Description: simple UEFI boot manager - tools and services
Submitter: Markus Koller
Date: 2026-03-17 16:29:02 UTC
Severity: normal
#1131107#5
Date: 2026-03-17 16:17:19 UTC
Dear Maintainer,

After upgrading to systemd-boot 260~rc1 and later release candidates,
every time I reboot one of my machines the EFI boot order changes so
systemd-bootx64.efi comes first, rather than shimx64.efi, resulting in
a broken SecureBoot setup on the next boot.

Since this happens on reboot I assume it's systemd-boot or UEFI doing this,
rather than something in the kernel or userland.

The machine where I ran into this is an Intel NUC7i5BNKP, but I also checked
on an older Thinkpad X1C now. After upgrading all packages the boot order
was incorrect there too, so I swapped the order with `efibootmgr -o ...`.
But then after rebooting (and rebooting again for good measure) the order
stays the same, so this might be some weirdness with the UEFI on the NUC.

Boot loader section from `bootctl status` on the NUC:

```
Boot Loaders Listed in EFI Variables:
        Title: Linux Boot Manager
           ID: 0x0005
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/46fedc45-4e20-4b29-a0e7-eee2987a27d6
         File: └─/boot/efi//EFI/systemd/systemd-bootx64.efi

        Title: Debian
           ID: 0x0004
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/46fedc45-4e20-4b29-a0e7-eee2987a27d6
         File: └─/boot/efi/EFI/debian/shimx64.efi
```

Output of `efibootmgr`:

```
BootCurrent: 0004
Timeout: 2 seconds
BootOrder: 0005,0004,0002,0000,0001
Boot0000* Linux Boot Manager	VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0001* Debian	VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)5c004500460049005c00730079007300740065006d0064005c00730079007300740065006d0064002d0062006f006f0074007800360034002e0065006600690020005c003000
Boot0002* Linux Boot Manager	VenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0003* INTEL SSDPEKKW256G7 : PART 0 : Boot Drive	BBS(HD,,0x0)0000424f
Boot0004* Debian	HD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/EFI\debian\shimx64.efi5c004500460049005c00730079007300740065006d0064005c00730079007300740065006d0064002d0062006f006f0074007800360034002e0065006600690020005c003000
Boot0005* Linux Boot Manager	HD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/\EFI\systemd\systemd-bootx64.efi
```

I tried a few things without success:

- Removing the entry for systemd-bootx64.efi, but it gets recreated after
  a reboot.
- Removing those other `Linux Boot Manager` entries with the `VenHw` UUIDs;
  these keep getting added somehow (not sure when exactly, it's not after
  every reboot).
- Recreating the EFI entries so the shim has a lower ID (originally it had
  a higher ID).
- Running `apt reinstall systemd-boot`, this results in the correct order if
  I remove the shim and systemd-boot entries first, but it doesn't reorder
  the existing ones.

My workaround for now was to disable SecureBoot on this machine.

Cheers,
Markus
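As an added example (not part of the report or of systemd-boot itself), a small Python checker that parses `efibootmgr` output like the one quoted above and reports whether a shim entry still heads `BootOrder`, returning the order one would hand to `efibootmgr -o`. The sample text is constructed from the report with the trailing optional-data hex trimmed, and "shim" is detected purely by the `shim*.efi` filename in the device path (an assumption, not a firmware property).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `efibootmgr` output from the report, trailing
# optional-data hex on Boot0001/Boot0004 trimmed for readability.
SAMPLE = """\
BootCurrent: 0004
Timeout: 2 seconds
BootOrder: 0005,0004,0002,0000,0001
Boot0000* Linux Boot Manager\tVenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0001* Debian\tVenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0002* Linux Boot Manager\tVenHw(99e275e7-75a0-4b37-a2e6-c5385e6c00cb)
Boot0003* INTEL SSDPEKKW256G7 : PART 0 : Boot Drive\tBBS(HD,,0x0)0000424f
Boot0004* Debian\tHD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/EFI\\debian\\shimx64.efi
Boot0005* Linux Boot Manager\tHD(1,GPT,46fedc45-4e20-4b29-a0e7-eee2987a27d6,0x800,0x100000)/\\EFI\\systemd\\systemd-bootx64.efi
"""

# Boot####, optional '*' (active), label, tab, device path.
ENTRY_RE = re.compile(r"^Boot([0-9A-Fa-f]{4})(\*?) (.*?)\t(.*)$")


def parse_efibootmgr(text: str) -> Tuple[List[str], Dict[str, Tuple[str, bool, str]]]:
    """Return (boot_order, entries); entries maps id -> (label, active, device_path)."""
    order: List[str] = []
    entries: Dict[str, Tuple[str, bool, str]] = {}
    for line in text.splitlines():
        if line.startswith("BootOrder:"):
            order = [x.strip().upper() for x in line.split(":", 1)[1].split(",") if x.strip()]
            continue
        m = ENTRY_RE.match(line)
        if m:
            num, star, label, path = m.groups()
            entries[num.upper()] = (label, star == "*", path)
    return order, entries


def is_shim(path: str) -> bool:
    """Assumption: a shim entry is recognised by its shim*.efi filename."""
    return re.search(r"shim\w*\.efi", path, re.IGNORECASE) is not None


def secureboot_order_check(text: str) -> Tuple[bool, List[str]]:
    """ok is True when the first active entry in BootOrder loads shim.
    The second value is the current order with shim entries hoisted to the
    front, i.e. what you would pass to `efibootmgr -o` to repair it."""
    order, entries = parse_efibootmgr(text)
    active = [i for i in order if i in entries and entries[i][1]]
    shims = [i for i in active if is_shim(entries[i][2])]
    if not shims:
        return False, order  # no shim at all: SecureBoot cannot boot this order
    ok = active[0] == shims[0]
    corrected = shims + [i for i in order if i not in shims]
    return ok, corrected
```

On the quoted output this reports the order as broken (0005, systemd-boot, precedes 0004, shim) and yields `0004,0005,0002,0000,0001` as the repaired order; run it after each reboot to detect the firmware or systemd-boot rewriting `BootOrder`.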