After gummiboot had been integrated into systemd as systemd-boot, I decided to give this new feature a try and installed a new machine with systemd, not installing gummiboot or any other boot loader. The machine is capable of booting a UEFI stub, so systemd-boot should be able to handle this. However, with this approach the machine failed to boot. Only after manually copying the kernel and initramfs from /boot to /boot/efi, and manually setting up the relevant data structures in /boot/efi, did the machine come up as expected. It seems that integrating gummiboot into systemd is missing a critical piece, namely the update-gummiboot script that copies the kernel files. This script was installed as a postinst hook for kernels at /etc/kernel/postinst.d/ but is absent in systemd. Because of this omission new installs are broken, which is why I set the severity of this bug report to "important". Please add an equivalent of the update-gummiboot script to systemd.

br, Thomas
On 01.06.2016 at 22:25, Thomas Prokosch wrote: systemd-boot is not officially supported yet. We install the systemd-boot related files so users can play with them, but you are basically on your own. Maybe it's better to remove them. Martin, your thoughts?
Michael Biebl [2016-06-01 22:39 +0200]: If someone wants to adopt systemd-boot, I'd be glad to review patches (e.g. Julien seemed to be interested in this the other day). Otherwise, if nobody wants to maintain this, I agree that we had better remove it, as shipping incomplete features will continue to cause bugs like this.

Martin
Hi, I just ran into this again and had a look around: the systemd tool kernel-install(8) is already installed and appears to be working just fine. Its "add" mode copies Debian's kernel/initrd to the ESP and adds a boot loader entry, which boots just fine. Its "remove" mode cleans up the files copied/created by the "add" mode. It appears there are just a few trivial /etc/kernel/?.d wrapper scripts missing?

Regards, Andre
Yes. Well, not missing, but rather left out on purpose. systemd can't just start installing bootloader _integration_, that would be weird. I wrote sicherboot, which is a nice integration with systemd-boot, but does not allow using the existing kernel images: it combines the kernel and the initramfs into one image which it installs into the ESP so UEFI can verify both parts (somewhat useful to reduce the chance someone tampered with your device if you are running full disk encryption). That said, it also works without secure boot, just don't do the enrollment steps. I wish we could combine things in a way to verify both signatures, the original kernel one and a combined one. That would be nice. Or well, just verification of the initramfs. kernel-install also is a fairly primitive tool that is not very flexible and only supports very simple use cases (sicherboot as well for now, but open for further features, like multiple ESPs for RAID-1 mirror booting).
I'm not sure I follow. What I'm looking for is just the same basic integration for Debian as gummiboot once had. Of course the missing scripts I mentioned cannot blindly call kernel-install; they'll have to check if systemd-bootd is installed/used and bail out accordingly. It doesn't make much sense otherwise. Is that what you mean? With that in mind I don't see why systemd shouldn't do boot loader integration, all the pieces are already there.

Regards, Andre
sicherboot offers the same level of integration, but some more features related to (abusing) secure boot. As the former gummiboot maintainer, it is basically the next version of the script there. It handles upgrades of systemd-boot, and installation of new kernels just like my gummiboot scripts used to (we never used kernel-install for gummiboot either). I don't think there's much interest in the systemd team to maintain a bootloader integration themselves, and I am interested in something that works somewhat reasonably with full disk encryption. You just have to

  # apt install sicherboot
  # sicherboot setup

(and ignore the steps about enrolling keys...) and you are ready to go with a fully integrated systemd-boot experience :)

Blind detection would conflict with sicherboot, and is not necessarily possible. Explicit opt-in seems like the best choice. I also like to essentially uncouple the bootloader configuration from systemd itself. I mean, it's sort of a spec for bootloaders, and not systemd-specific configs we are generating here.
Just as a reference, maybe it's of some use to others: I'm using the attached scripts as:

  /etc/kernel/postinst.d/zz-systemd-bootd
  /etc/kernel/postrm.d/zz-systemd-bootd

They're very basic, but have worked just fine for me for the kernel updates of the past 2+ months. That's the kind of distribution<->systemd-bootd integration I was looking for.

Regards, Andre
Here are the scripts I've been using. I've arranged for the initramfs post-update script to run kernel-install in the usual case; the kernel postinst script will only do so if the kernel doesn't use an initrd. The kernel postrm script runs kernel-install in either case.

-- Package-specific info:

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (550, 'stable-updates'), (550, 'stable-debug'), (550, 'stable'), (530, 'testing'), (520, 'unstable-debug'), (520, 'unstable'), (510, 'experimental-debug'), (510, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 4.9.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3+b1
ii  libapparmor1    2.11.0-3
ii  libaudit1       1:2.6.7-2
ii  libblkid1       2.29.2-1
ii  libc6           2.24-11+deb9u1
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.3-4
ii  libgcrypt20     1.7.6-2+deb9u2
ii  libgpg-error0   1.26-2
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0+snapshot20161117-6
ii  libkmod2        23-2
ii  liblz4-1        0.0~r131-2+b1
ii  liblzma5        5.2.2-1.2+b1
ii  libmount1       2.29.2-1
ii  libpam0g        1.1.8-3.6
ii  libseccomp2     2.3.1-2.1
ii  libselinux1     2.6-3+b3
ii  libsystemd0     232-25+deb9u1
ii  mount           2.29.2-1
ii  procps          2:3.3.12-3
ii  util-linux      2.29.2-1

Versions of packages systemd recommends:
ii  dbus          1.10.22-0+deb9u1
ii  libpam-systemd  232-25+deb9u1

Versions of packages systemd suggests:
ii  policykit-1        0.105-18
ii  systemd-container  232-25+deb9u1
pn  systemd-ui         <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.130
ii  udev             232-25+deb9u1

-- Configuration Files:
/etc/systemd/journald.conf changed [not included]

-- no debconf information
Just installed the scripts provided by Andre and they work like a charm, with one minor issue: I had to create the /efi/<Machine-ID> directory manually:

  # mkdir "/efi/$(cat /etc/machine-id)"

Without the directory the configuration of the kernel packages fails. Therefore I would suggest extending the postinst.systemd-bootd script to create the necessary directory if it does not exist.

May I also add that I would love to see this feature request eventually being implemented. I do not see any disadvantages besides the occupation of ~41 MiB per installed kernel on the ESP partition. On the other hand it makes the presence of a dedicated boot manager obsolete, which in turn saves ~110 MiB on the root partition in the case of GRUB2.
For anyone interested, I've submitted https://salsa.debian.org/systemd-team/systemd/-/merge_requests/138 which also ships some very basic /etc/kernel hooks and a simplistic postinst. Would welcome feedback / follow-up fixes if needed.

Michael
That looks nice, thanks for working on this! I'm still using the very same scripts I posted above; they're still working like a charm after 5 years with all the kernel updates and whatnot :)

I haven't tested your PR, and I lack the confirmed account on salsa to comment there, so I'll add it here, including answers to questions over there:

- removing sd-boot from the root fs won't render the system unbootable, since sd-boot needs to be installed to the EFI partition. There's `bootctl remove` for that
- likewise with updating it. `bootctl status` reports "systemd-boot 247.9-4" here, while the systemd package is already at 250.3-2; I'd have to `bootctl update` it to update it to that version
- checking if sd-boot is used can be done via bootctl and should probably be used by the containing scripts instead of test -d /boot/efi:

    $ bootctl is-installed; echo $?
    yes
    0

- contrary to the comments on salsa, `kernel-install` is not part of your new package and I think it makes sense to move it there. While it's using the "Boot Loader Specification", it's only used for stuff that's already part of this package. Even if there's a need for it without using sd-boot, one can install the sd-boot package without actually using it for booting the box (assuming the package scripts don't enforce it)

Regards, Andre
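The pieces the thread converges on are: only act when systemd-boot is actually installed (explicit opt-in via `bootctl is-installed`, never blind detection), bail out when the package is removed but not purged, create the <boot>/<machine-id> entry directory that kernel-install expects, and run `kernel-install add` from the initramfs post-update hook rather than the kernel postinst hook, since the initramfs may not exist yet when the latter runs. The script below is an added example that puts those pieces into one hook, symlinked into the three hook directories; it is not the scripts attached to this bug and not the hooks the Debian package ended up shipping. Assumptions: the file name zz-systemd-boot is hypothetical; bootctl supports `is-installed` and `--print-boot-path`; the linux-image postinst exports INITRD=Yes/No to its hooks; initramfs-tools calls /etc/initramfs/post-update.d/* with <version> <initrd-path>; and kernel-install's entry token is the machine ID, as in the thread. The BOOTCTL, KERNEL_INSTALL and MACHINE_ID_FILE variables exist only so the logic can be exercised without a real ESP.

```sh
#!/bin/sh
# zz-systemd-boot: hypothetical single hook script (added example, not the
# thread's attached scripts and not the Debian package's own hooks).
# Install it once and symlink it into all three hook directories:
#   /etc/kernel/postinst.d/zz-systemd-boot       <version> <vmlinuz-path>
#   /etc/kernel/postrm.d/zz-systemd-boot         <version> <vmlinuz-path>
#   /etc/initramfs/post-update.d/zz-systemd-boot <version> <initrd-path>
set -e

# Overridable so the logic can be exercised without touching a real ESP.
: "${BOOTCTL:=bootctl}"
: "${KERNEL_INSTALL:=kernel-install}"
: "${MACHINE_ID_FILE:=/etc/machine-id}"

# Explicit opt-in, never blind detection: only proceed if bootctl exists and
# reports that systemd-boot is installed in the ESP. A package that is removed
# but not purged leaves this hook behind without bootctl; the command -v
# check covers that case.
sdboot_in_use() {
    command -v "$BOOTCTL" >/dev/null 2>&1 || return 1
    [ "$("$BOOTCTL" is-installed 2>/dev/null)" = yes ]
}

# Map the directory we were invoked from, plus the INITRD=Yes/No variable the
# linux-image postinst exports, to a kernel-install verb: add, remove or skip.
# Pure function (no side effects) so it can be unit-tested.
hook_verb() {
    case "$1" in
        */kernel/postinst.d)
            # With an initrd, the initramfs may not exist yet when the kernel
            # postinst hooks run; defer to the initramfs post-update hook.
            if [ "$2" = Yes ]; then echo skip; else echo add; fi ;;
        */initramfs/post-update.d) echo add ;;
        */kernel/postrm.d) echo remove ;;
        *) echo skip ;;
    esac
}

# $1: hook directory, $2: kernel version, $3: second hook argument
# (vmlinuz path for the kernel hooks, initrd path for the initramfs hook).
run_hook() {
    hookdir=$1 version=$2 arg=$3
    verb=$(hook_verb "$hookdir" "${INITRD:-No}")
    if [ "$verb" = skip ]; then return 0; fi
    sdboot_in_use || return 0

    case "$verb" in
        add)
            kernel=/boot/vmlinuz-$version
            initrd=
            case "$hookdir" in
                */initramfs/post-update.d) initrd=$arg ;;
                *) if [ -n "$arg" ]; then kernel=$arg; fi ;;
            esac
            # kernel-install expects <boot>/<entry-token>/ to exist; the
            # thread reports kernel configuration failing until it is created.
            boot=$("$BOOTCTL" --print-boot-path)
            mkdir -p "$boot/$(cat "$MACHINE_ID_FILE")"
            "$KERNEL_INSTALL" add "$version" "$kernel" ${initrd:+"$initrd"} ;;
        remove)
            "$KERNEL_INSTALL" remove "$version" ;;
    esac
}

# Only act when invoked as a hook, i.e. with a kernel version argument.
if [ $# -ge 1 ]; then
    run_hook "$(dirname "$0")" "$@"
fi
```

Because the script decides what to do from the directory it is invoked from, one file can be symlinked into all three locations, and the same "is systemd-boot installed" check guards every path, so a box that installs the systemd-boot package but boots with GRUB never gets entries written to its ESP.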
Hello,

Bug #826045 in systemd reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/systemd-team/systemd/-/commit/9a6d87f1c6f7fbde8ff8e7beab30973944221244

------------------------------------------------------------------------
sd-boot: add initramfs hook

Closes: #826045
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings

https://bugs.debian.org/826045
We believe that the bug you reported is fixed in the latest version of
systemd, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 826045@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michael Biebl <biebl@debian.org> (supplier of updated systemd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 28 Jun 2022 14:33:37 +0200
Source: systemd
Architecture: source
Version: 251.2-7
Distribution: unstable
Urgency: medium
Maintainer: Debian systemd Maintainers <pkg-systemd-maintainers@lists.alioth.debian.org>
Changed-By: Michael Biebl <biebl@debian.org>
Closes: 826045 1013967
Changes:
systemd (251.2-7) unstable; urgency=medium
.
[ Luca Boccassi ]
* sd-boot: add kernel hooks scripts
.
[ Andrea Pappacoda ]
* sd-boot: add initramfs hook (Closes: #826045)
.
[ Michael Biebl ]
* sd-boot: exit early in initramfs and kernel hook scripts if package is
removed but not purged
* Do not fail with older binutils.
Test if the linker supports --no-warn-execstack and --no-warn-rwx-segments
before using those flags. (Closes: #1013967)
Checksums-Sha1:
749a3c68191fb9765fa471423b7fcf3a5c9a14a5 6141 systemd_251.2-7.dsc
ecab514b8889f00788e93f878dd530620b379b35 172532 systemd_251.2-7.debian.tar.xz
acaebbaa74ca277d641ab93f7febaf6ca52eeb2f 10511 systemd_251.2-7_source.buildinfo
Checksums-Sha256:
8dbe26f249f03e2e4688ea0003350c5c15614d898ad25d7d568bb831c7e249d1 6141 systemd_251.2-7.dsc
f5507719a5fe9612e305686f2395318bf1add72beda493c4717485a286e78445 172532 systemd_251.2-7.debian.tar.xz
e5eb55f7bd514b272747da1354de8cdb95575bfe0abd2afdd7585f4f477c78a9 10511 systemd_251.2-7_source.buildinfo
Files:
95f43f9eb5e74f66a6cab4893d4004ad 6141 admin optional systemd_251.2-7.dsc
715525137ee8b0ff46049cd9b965e6ff 172532 admin optional systemd_251.2-7.debian.tar.xz
1614ded4f7d243557feb71155359a417 10511 admin optional systemd_251.2-7_source.buildinfo