Systemd-boot


systemd-boot is a simple UEFI boot manager. It provides a textual menu to select the entry to boot and an editor for the kernel command line. systemd-boot supports systems with UEFI firmware only.

Basic Installation

systemd-boot can be used with only its upstream features, but that setup lacks integration with and support for btrfs snapshots. The following instructions therefore serve as an explanation, or for use on systems without btrfs.

By default a fresh installation with YaST suggests creating a 500MB EFI system partition and installing GRUB. That is fine and can be kept as is.

Set LOADER_TYPE in /etc/sysconfig/bootloader to an empty value so that other scripts do not get in the way later.

Install systemd-boot. Note that this overwrites /EFI/BOOT/BOOTX64.EFI on the EFI system partition; keep that in mind if the system contains other installations as well.

   # bootctl --make-machine-id-directory=yes install
   Created "/boot/efi/EFI/systemd".
   Created "/boot/efi/loader".
   Created "/boot/efi/loader/entries".
   Created "/boot/efi/EFI/Linux".
   Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/systemd/systemd-bootx64.efi".
   Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/BOOT/BOOTX64.EFI".
   Created "/boot/efi/6626acc518bd42bcbf374199a45a6fb3".
   Random seed file /boot/efi/loader/random-seed successfully written (512 bytes).
   Not installing system token, since we are running in a virtualized environment.
   Created EFI boot entry "Linux Boot Manager".

Verify systemd-boot is active:

   # tree /boot/efi/
   /boot/efi/
   ├── 6626acc518bd42bcbf374199a45a6fb3
   ├── EFI
   │   ├── Linux
   │   ├── boot
   │   │   ├── BOOTX64.EFI
   │   │   ├── MokManager.efi
   │   │   └── fallback.efi
   │   ├── opensuse
   │   │   ├── MokManager.efi
   │   │   ├── boot.csv
   │   │   ├── grub.cfg
   │   │   ├── grub.efi
   │   │   ├── grubx64.efi
   │   │   └── shim.efi
   │   └── systemd
   │       └── systemd-bootx64.efi
   └── loader
       ├── entries
       ├── loader.conf
       └── random-seed
   
   8 directories, 12 files
   # efibootmgr -v
   BootCurrent: 0003
   Timeout: 0 seconds
   BootOrder: 0001,0003,0002,0000
   Boot0000* UiApp FvVol(7cb8bdc9-f8eb-4f34-aaea-3ee4af6516a1)/FvFile(462caa21-7614-4503-836e-8ab6f4662331)
   Boot0001* Linux Boot Manager    HD(1,GPT,bc0eb5a4-6f31-485f-8d6b-581c60653263,0x800,0x100000)/File(\EFI\systemd\systemd-bootx64.efi)
   Boot0002* UEFI Misc Device      PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0)N.....YM....R,Y.
   Boot0003* opensuse-secureboot   HD(1,GPT,bc0eb5a4-6f31-485f-8d6b-581c60653263,0x800,0x100000)/File(\EFI\opensuse\shim.efi)

Secure Boot

If Secure Boot is enabled, shim needs to be installed manually. Because shim only loads a file named grub.efi from its own directory, systemd-boot has to be renamed so that shim finds it under that name:

   # mokutil --sb-state
   SecureBoot enabled
   # mv /boot/efi/EFI/systemd/systemd-bootx64.efi /boot/efi/EFI/systemd/grub.efi
   # cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/systemd/systemd-bootx64.efi
   # cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/systemd/

These steps have to be repeated after every `bootctl install`, since that writes a fresh systemd-bootx64.efi over the copy of shim.
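Because the three steps above are undone by every `bootctl install`, it is worth checking what currently sits at EFI/systemd/systemd-bootx64.efi before acting. The script below is an added example and not part of the wiki page or of systemd: it compares that file with the distribution's shim.efi and systemd-boot binaries (paths taken from the page) and re-applies the rename/copy only when a plain systemd-boot binary is found, leaving a correct arrangement or unexpected content alone. The ESP, shim directory and systemd-boot path are parameters so the logic can be exercised on a scratch directory; the fixture builder and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the openSUSE wiki page): idempotently restore the
# shim-in-front-of-systemd-boot arrangement after `bootctl install`.

# Print "shim", "systemd-boot", "missing" or "unknown" depending on what is
# at <esp>/EFI/systemd/systemd-bootx64.efi. $2 is the directory holding
# shim.efi and MokManager.efi, $3 the systemd-boot binary shipped in /usr.
loader_state() {
    esp=$1; shimdir=$2; sdboot=$3
    target="$esp/EFI/systemd/systemd-bootx64.efi"
    [ -f "$target" ] || { echo missing; return; }
    if cmp -s "$target" "$shimdir/shim.efi"; then echo shim
    elif cmp -s "$target" "$sdboot"; then echo systemd-boot
    else echo unknown; fi
}

# Apply the page's three steps only when a fresh systemd-boot binary is in
# place. Returns 0 when the arrangement is correct afterwards, 1 otherwise.
ensure_shim_arrangement() {
    esp=$1; shimdir=$2; sdboot=$3
    dir="$esp/EFI/systemd"
    case "$(loader_state "$esp" "$shimdir" "$sdboot")" in
        shim)
            echo "shim already in place, nothing to do"; return 0 ;;
        systemd-boot)
            mv "$dir/systemd-bootx64.efi" "$dir/grub.efi"
            cp "$shimdir/shim.efi" "$dir/systemd-bootx64.efi"
            cp "$shimdir/MokManager.efi" "$dir/"
            echo "shim arrangement restored in $dir"; return 0 ;;
        *)
            echo "unexpected content in $dir, not touching it" >&2; return 1 ;;
    esac
}

# Constructed fixture (not a real ESP): mimics the state right after
# `bootctl install`, with fake binaries standing in for the real ones.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/esp/EFI/systemd" "$root/shim" "$root/sdboot"
    printf 'fake systemd-boot binary\n' > "$root/sdboot/systemd-bootx64.efi"
    printf 'fake shim binary\n'         > "$root/shim/shim.efi"
    printf 'fake MokManager binary\n'   > "$root/shim/MokManager.efi"
    cp "$root/sdboot/systemd-bootx64.efi" "$root/esp/EFI/systemd/systemd-bootx64.efi"
    echo "$root"
}

# Demonstration on the fixture. On a real openSUSE system the call is:
#   ensure_shim_arrangement /boot/efi /usr/share/efi/x86_64 \
#       /usr/lib/systemd/boot/efi/systemd-bootx64.efi
demo() {
    root=$(make_fixture)
    ensure_shim_arrangement "$root/esp" "$root/shim" "$root/sdboot/systemd-bootx64.efi"
    ensure_shim_arrangement "$root/esp" "$root/shim" "$root/sdboot/systemd-bootx64.efi"
    rm -rf "$root"
}
demo
```

The second call in the demo is the interesting one: it finds shim already in place and does nothing, so the function can be run after every `bootctl install` without risk of renaming shim itself to grub.efi.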

Installation with full BTRFS snapshot and secure boot support

In order to integrate systemd-boot with btrfs snapshots, some extra tooling is required. Upstream does not support this yet (work is in progress). How the extra tooling works is explained in this document.

Warning: systemd-boot support is experimental. Don't do this in production unless you know how to recover from boot failures!

On MicroOS, execute the commands in a transactional shell:

   # transactional-update --no-selfupdate --continue shell

If /etc/sysconfig/bootloader exists, set LOADER_TYPE to an empty value (LOADER_TYPE="") so that other tools do not accidentally run scripts for a different bootloader.

Remove traces of grub:

   # efibootmgr --delete --label opensuse-secureboot
   # efibootmgr --delete --label "openSUSE Boot Manager"
   # rm -r /boot/efi/EFI/opensuse

Install systemd-boot utilities. Accept removing grub2:

   # zypper in sdbootutil-snapper sdbootutil-rpm-scriptlets

Install systemd-boot and add entries for all kernels:

   # sdbootutil install
   # sdbootutil add-all-kernels

Known issues/missing features

  • systemd-boot will not update itself in the EFI partition
  • no KMP weak module support
  • no custom package certificate enrollment via MOK
  • The first boot with systemd-boot may select the wrong snapshot. Workaround: hold the spacebar on first boot, select the correct snapshot from the menu, then press 'd' to set it as default. In the running system you may also use sdbootutil set-default-snapshot $NUMBER to boot the correct one. Upstream issue
  • dracut installs unreferenced initrds into the EFI partition. This will be fixed; until then use bootctl cleanup to remove dangling files (Bugzilla, Dracut upstream issue)
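Before running `bootctl cleanup` on a system where the dracut issue has left stray initrds behind, it helps to see what would be removed. The script below is an added example, not part of the wiki page, sdbootutil or systemd: it reads the `linux`, `initrd` and `efi` paths from the Boot Loader Specification entries under loader/entries and lists every file below the machine-id directory that none of them references. It only reports, it does not delete. It assumes the <esp>/<machine-id>/<version>/{linux,initrd} layout that bootctl's --make-machine-id-directory creates for such entries; the exact file names sdbootutil uses are not shown on the page, and the kernel versions, entry files and options in the fixture are constructed. The machine-id string is the one from the bootctl output above.

```shell
#!/bin/sh
# Added example (not from the openSUSE wiki page): report files under
# <esp>/<machine-id>/ that no loader entry references.

# Print every path referenced by a linux/initrd/efi key in the entries below
# <esp>/loader/entries, as a path relative to the ESP root, without duplicates.
referenced_paths() {
    esp=$1
    for f in "$esp"/loader/entries/*.conf; do
        [ -f "$f" ] || continue
        awk '$1 == "linux" || $1 == "initrd" || $1 == "efi" { sub(/^\/+/, "", $2); print $2 }' "$f"
    done | sort -u
}

# Print files under <esp>/<machine-id>/ that are not referenced by any entry,
# relative to the ESP root, one per line, sorted.
unreferenced_files() {
    esp=$1; mid=$2
    refs=$(referenced_paths "$esp")
    find "$esp/$mid" -type f | sort | while read -r full; do
        rel=${full#"$esp/"}
        printf '%s\n' "$refs" | grep -qxF -- "$rel" || printf '%s\n' "$rel"
    done
}

# Constructed fixture (not a real ESP): two kernels with entries, one stale
# initrd that dracut regenerated under a different name, and one kernel
# directory whose entry has already been removed.
make_fixture() {
    root=$(mktemp -d)
    mid=6626acc518bd42bcbf374199a45a6fb3   # machine-id shown on the page
    mkdir -p "$root/loader/entries"
    for v in 6.1.0-1 6.2.0-1; do            # constructed kernel versions
        mkdir -p "$root/$mid/$v"
        printf 'fake kernel\n' > "$root/$mid/$v/linux"
        printf 'fake initrd\n' > "$root/$mid/$v/initrd"
        printf 'title openSUSE (constructed entry)\nversion %s\nlinux /%s/%s/linux\ninitrd /%s/%s/initrd\noptions root=/dev/placeholder\n' \
            "$v" "$mid" "$v" "$mid" "$v" > "$root/loader/entries/$mid-$v.conf"
    done
    printf 'stale initrd\n' > "$root/$mid/6.2.0-1/initrd-old"
    mkdir -p "$root/$mid/6.0.0-9"
    printf 'old kernel\n' > "$root/$mid/6.0.0-9/linux"
    printf 'old initrd\n' > "$root/$mid/6.0.0-9/initrd"
    echo "$root"
}

# Demonstration on the fixture. On a real system the call is:
#   unreferenced_files /boot/efi "$(cat /etc/machine-id)"
demo() {
    root=$(make_fixture)
    echo "unreferenced files in the scratch ESP:"
    unreferenced_files "$root" 6626acc518bd42bcbf374199a45a6fb3
    rm -rf "$root"
}
demo
```

On the fixture this lists the stale initrd-old and both files of the kernel without an entry, while the referenced linux and initrd files are left out; on a real ESP the output is the set of files that `bootctl cleanup` would remove.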

Pre-built Appliances

There are pre-built images with systemd-boot for use in qemu, for MicroOS as well as Tumbleweed.

The images need to be booted using UEFI firmware and won't work with Legacy MBR VMs.

In addition to supporting systemd-boot with snapshots and rollback, the images also encrypt themselves on first boot when booted interactively. If a TPM or FIDO2 key is detected, the firstboot wizard then offers to use either of them to unlock the disk. Using the TPM allows unattended boot as long as the boot files have not been modified; FIDO2 requires pressing a button on the token.
