Systemd-boot
systemd-boot is a simple UEFI boot manager. It provides a textual menu to select the entry to boot and an editor for the kernel command line. systemd-boot supports systems with UEFI firmware only.
Basic Installation
By default a fresh installation with yast will suggest creating an EFI partition with 500MB and install grub. That's just fine and will do.
Edit LOADER_TYPE in /etc/sysconfig/bootloader to an empty value to make sure other scripts don't get into the way later.
Install systemd-boot. Note that it will overwrite /EFI/BOOT/BOOTX64.EFI on the efi partition. Keep that in mind if the system contains other installations as well.
# bootctl --make-machine-id-directory=yes install Created "/boot/efi/EFI/systemd". Created "/boot/efi/loader". Created "/boot/efi/loader/entries". Created "/boot/efi/EFI/Linux". Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/systemd/systemd-bootx64.efi". Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi" to "/boot/efi/EFI/BOOT/BOOTX64.EFI". Created "/boot/efi/6626acc518bd42bcbf374199a45a6fb3". Random seed file /boot/efi/loader/random-seed successfully written (512 bytes). Not installing system token, since we are running in a virtualized environment. Created EFI boot entry "Linux Boot Manager".
Verify systemd-boot is active:
# tree /boot/efi/
/boot/efi/
βββ 6626acc518bd42bcbf374199a45a6fb3
βββ EFI
β βββ Linux
β βββ boot
β β βββ BOOTX64.EFI
β β βββ MokManager.efi
β β βββ fallback.efi
β βββ opensuse
β β βββ MokManager.efi
β β βββ boot.csv
β β βββ grub.cfg
β β βββ grub.efi
β β βββ grubx64.efi
β β βββ shim.efi
β βββ systemd
β βββ systemd-bootx64.efi
βββ loader
βββ entries
βββ loader.conf
βββ random-seed
8 directories, 12 files
# efibootmgr -v
BootCurrent: 0003
Timeout: 0 seconds
BootOrder: 0001,0003,0002,0000
Boot0000* UiApp FvVol(7cb8bdc9-f8eb-4f34-aaea-3ee4af6516a1)/FvFile(462caa21-7614-4503-836e-8ab6f4662331)
Boot0001* Linux Boot Manager HD(1,GPT,bc0eb5a4-6f31-485f-8d6b-581c60653263,0x800,0x100000)/File(\EFI\systemd\systemd-bootx64.efi)
Boot0002* UEFI Misc Device PciRoot(0x0)/Pci(0x2,0x3)/Pci(0x0,0x0)N.....YM....R,Y.
Boot0003* opensuse-secureboot HD(1,GPT,bc0eb5a4-6f31-485f-8d6b-581c60653263,0x800,0x100000)/File(\EFI\opensuse\shim.efi)
Secure Boot
If secure boot is enabled, shim needs to be installed manually. As shim only reads grub.efi, systemd-boot needs to be renamed to pretend it's grub:
# mokutil --sb-state SecureBoot enabled # mv /boot/efi/EFI/systemd/systemd-bootx64.efi /boot/efi/EFI/systemd/grub.efi # cp /usr/share/efi/x86_64/shim.efi /boot/efi/EFI/systemd/shim.efi # cp /usr/share/efi/x86_64/MokManager.efi /boot/efi/EFI/systemd/MokManager.efi
The steps have to be repeated after every `bootctl install`
Installation with full BTRFS snapshot and secure boot support
In order to integrate systemd-boot with btrfs snapshots, some extra tooling is required. Upstream does not support it at this point (but is WIP). How the extra tooling works is explained in this Document.
transactional-update --no-selfupdate --continue shell If /etc/sysconfig/bootloader exists, make sure to change LOADER_TYPE to an empty value: LOADER_TYPE="" so other tools do not accidentally run scripts for a different bootloader.
Remove traces of grub:
# efibootmgr --delete --label opensuse-secureboot # efibootmgr --delete --label "openSUSE Boot Manager" # rm -r /boot/efi/EFI/opensuse
Install systemd-boot utilities. Accept removing grub2:
# zypper in sdbootutil-snapper sdbootutil-rpm-scriptlets
Exit from the transactional-update shell and install systemd-boot and add entries for all kernels:
# exit # sdbootutil install # sdbootutil add-all-kernels
Known issues/missing features
- systemd-boot will not update itself in the EFI partition (update it via "sdbootutil update")
- First boot with systemd-boot may select wrong snapshot. Workaround by holding the spacebar on first boot and select the correct snapshot from the menu. Then press 'd' to set it as default. In the running system you may also use sdbootutil set-default-snapshot $NUMBER to boot the correct one. Upstream issue
Repair / reinstall systemd-boot via chroot
If for some reason you have destroyed your systemd-boot and the system no longer boots, you can repair it via chroot.
The first step is to boot any life iso of linux, this does not necessarily have to be openSUSE.
Mount the root partition or logical volume to /mnt:
# mount /dev/<device name> /mnt
Mount the esp partition to /mnt/boot/efi:
# mount /dev/<device name> /mnt/boot/efi
Once mounted use the following for-loop to rbind the virtual file systems:
# for i in proc sys dev run; do mount --rbind /$i /mnt/$i ; done
After the root file system and virtual file systems are mounted run this command to chroot in:
# chroot /mnt
After chrooted in it is a best-practice to run this command to make sure all other necessary partitions are also mounted:
# mount -a
Now you can reinstall systemd-boot:
# sudo sdbootutil install # sudo sdbootutil add-all-kernels
You can exit with `exit` and restart the system. Systemd-boot should work again as usual.
Pre-built Appliances
There are pre-built images with systemd-boot for use in qemu for MicroOS as well as Tumbleweed
The images need to be booted using UEFI firmware and won't work with Legacy MBR VMs.
In addition to supporting systemd-boot with snapshots and rollback the images also encrypt themselves on first boot when booted interactively. If a TPM or FIDO2 key is detected, the firstboot wizard will then offer to use either to unlock the disk. Using the TPM leads to unattended boot as long as boot files were not modified. FIDO2 will require to press a button on the token.
Bootloader
Encryption
Firstboot Wizard
Root password
Can use root password as encryption password
First boot shows recovery key
References
- All Systems Go! talk about Systemd-boot integration in openSUSE
- systemd-boot man page
- kernel-install man page
- How to Chroot in Rescue Mode - suse