German magazine c't states (translated by Google):
... Systemd boot was taboo for a long time. However, those involved recently updated the questionnaire so that with Shim 15.8, boot processes with systemd boot are now explicitly permitted.
shim 15.8-1 is out for Arch users, but I found no clue in https://github.com/rhboot/shim or in the Arch wiki.
Has anyone already looked into this topic and can give me a hint where and how to start?
TLDR;
Install shim and systemd as usual, sign the systemd-boot EFI binary and rename it to grubx64.efi (since this is hardcoded in shim apparently, see the note in [1]) and create an efibootmgr entry. There are some guides here:
- https://wiki.archlinux.org/title/Unifie … _Boot#shim
- https://wiki.archlinux.org/title/Systemd-boot
According to my research you would have to install shim as usual and simply sign the systemd-boot files with your MOKs afterwards. It's a bit tricky because bootctl will override shim if you installed shim in ESP/EFI/boot/BOOTx64.efi (which is the suggested location in the Arch wiki [2]), but there are some automation scripts via portage hooks in the Gentoo wiki: https://wiki.gentoo.org/wiki/Systemd/sy … rtage_hook (can probably be migrated to pacman/pamac as well).
I'm currently building a similar setup on Manjaro because I want to get Secure Boot working without having to replace the default SB keys, since this was reported to brick some lenovo laptops. I'll post my findings when I'm done.
[1] https://wiki.gentoo.org/wiki/Systemd/sy … ecure_Boot
[2] https://wiki.archlinux.org/title/Unifie … _Boot#shim
I managed to get this working by following the Arch wiki for installing shim and systemd-boot. Instead of using bootctl install you need to manually copy the systemd-bootx64.efi file to /efi/EFI/boot/grubx64.efi, since the installation via bootctl install (as stated in the Arch wiki) would overwrite shim. This also applies to updates to systemd, so you have to take care of this manually. I created this pacman hook for system updates:
/usr/share/libalpm/hooks/95-systemd-boot.hook
[Trigger]
Type = Package
Operation = Upgrade
Target = systemd
[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed /efi/EFI/boot/grubx64.efi
Inspired by https://wiki.archlinux.org/title/System … acman_hook. The hook essentially just copies the updated EFI files to a custom location, which you can't do with bootctl update (see https://github.com/systemd/systemd/issues/27234).
Note: Renaming systemd-bootx64.efi to grubx64.efi is required since this is hardcoded in shim, and passing arguments to a custom location when creating a boot entry via efibootmgr (as mentioned in the systemd issue on GitHub) didn't work for me (on a Lenovo ThinkPad T14 Gen 1).
Assuming you are using Secure Boot, to automatically sign the systemd EFI files I also created the following pacman hook:
/usr/share/libalpm/hooks/80-systemd-sign.hook
[Trigger]
Operation = Install
Operation = Upgrade
Type = Path
Target = usr/lib/systemd/boot/efi/systemd-boot*.efi
[Action]
Description = Signing systemd-boot EFI binary for Secure Boot
When = PostTransaction
Exec = /bin/sh -c 'while read -r i; do sbsign --key /path/to/MOK.key --cert /path/to/MOK.crt "$i"; done;'
Depends = sh
Depends = sbsigntools
NeedsTargets
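The copy-and-rename procedure in the TL;DR above and the two hooks in this post both depend on two files in the ESP being what you expect after every systemd update. The following POSIX shell check is an added example, not code from the thread or from shim/systemd: it verifies that EFI/boot/BOOTx64.efi is still shim (so a stray bootctl install has not overwritten it) and that EFI/boot/grubx64.efi is byte-identical to the signed systemd-boot image the 95-systemd-boot hook copies. The shim source path /usr/share/shim-signed/shimx64.efi is an assumption about where the shim-signed package places it; the other default paths are the ones used in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: verify the ESP layout after an update.
# Paths are arguments so the check can run against any directory; the
# defaults under --check are the thread's, except the shim source path,
# which is an assumption about where the shim-signed package installs it.

# check_one SRC DST: return 0 if DST exists and is byte-identical to SRC,
# otherwise print what drifted and return 1.
check_one() {
    src=$1
    dst=$2
    if [ ! -f "$dst" ]; then
        echo "MISSING  $dst"
        return 1
    fi
    if ! cmp -s "$src" "$dst"; then
        echo "MISMATCH $dst differs from $src"
        return 1
    fi
    return 0
}

# check_esp SHIM_SRC SDBOOT_SIGNED ESP_DIR
# Both files are checked even when the first one fails, so a single run
# reports every drift. Returns 0 only when both match their sources.
check_esp() {
    esp=$3
    rc=0
    # bootctl install would replace this with systemd-boot itself.
    check_one "$1" "$esp/EFI/boot/BOOTx64.efi" || rc=1
    # shim loads this fixed name, so it must hold the signed sd-boot image.
    check_one "$2" "$esp/EFI/boot/grubx64.efi" || rc=1
    return $rc
}

# Run with the thread's paths when invoked as: sh check-esp.sh --check
if [ "${1:-}" = "--check" ]; then
    check_esp /usr/share/shim-signed/shimx64.efi \
              /usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed \
              /efi
fi
```

Run it after each update, or from a hook ordered after 95-systemd-boot.hook. A MISMATCH on BOOTx64.efi is the signature of bootctl install having replaced shim; a MISMATCH or MISSING on grubx64.efi means the copy hook did not fire, so the ESP still holds the previous (or no) systemd-boot image.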
Thanks very much!!!
That's a lot of new stuff for me, I will try it out in my next vacation.
I will also pay attention to updates. systemd-boot-update.service is not activated here - I run it "manually" with my update script.
I have added the hint about the currently hard-coded filename "grubx64.efi" to the Arch wiki.
Thanks for pointing this out.
While re-reading here and the wiki I noticed, shim-signed needs to be installed from AUR :-(
For security reasons I try to minimize and avoid AUR as far as possible - using it for a major system part is a no-go for me...