
#1 2023-03-31 06:27:52

luser
Member
Registered: 2016-08-27
Posts: 114

systemd-bootx64.efi not updating as desired

I recently changed my boot configuration. I was mounting the EFI partition to /boot, and now I'm mounting it at /efi. I'm running with secure boot enabled and using the sbupdate-git package to create a signed Unified Kernel Image, and while the UKI part is working perfectly now, a copy of the systemd-bootx64.efi file is not being signed and placed in the correct folder. Actually, it is being signed in /usr/lib/systemd/boot/efi/, but the signed file is copied to the same folder with ".signed" appended to the file name without anything being copied to /efi/EFI/systemd.

This is my /etc/sbupdate.conf

#KEY_DIR="/etc/efi-keys"
ESP_DIR="/efi"
#OUT_DIR="EFI/Arch"
#SPLASH="/usr/share/systemd/bootctl/splash-arch.bmp"
#BACKUP=1
EXTRA_SIGN=('/efi/EFI/Boot/bootx64.efi' '/efi/EFI/systemd/systemd-bootx64.efi')
CMDLINE_DEFAULT="root=UUID=0f40ba5a-170b-421f-a458-c955c35c142d rw resume=UUID=0fbbc034-a4eb-43c8-b8f7-994e93b6e819 quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_level=3 fbcon=nodefer scsi_mod.use_blk_mq=1 ipv6.disable_ipv6=1"

I am using the recommended hook at /etc/pacman.d/hooks/95-systemd-boot.hook

[Trigger]
Type = Package
Operation = Upgrade
Target = systemd

[Action]
Description = Gracefully upgrading systemd-boot...
When = PostTransaction
Exec = /usr/bin/systemctl restart systemd-boot-update.service

This is the output from running "pacman -S systemd":

resolving dependencies...
looking for conflicting packages...

Packages (1) systemd-253.2-1

Total Installed Size:  28.28 MiB
Net Upgrade Size:       0.01 MiB

:: Proceed with installation? [Y/n] 
(1/1) checking keys in keyring                                      [######################################] 100%
(1/1) checking package integrity                                    [######################################] 100%
(1/1) loading package files                                         [######################################] 100%
(1/1) checking for file conflicts                                   [######################################] 100%
(1/1) checking available disk space                                 [######################################] 100%
:: Processing package changes...
(1/1) upgrading systemd                                             [######################################] 100%
:: Running post-transaction hooks...
( 1/14) Creating system user accounts...
( 2/14) Updating journal message catalog...
( 3/14) Reloading system manager configuration...
( 4/14) Updating udev hardware database...
( 5/14) Applying kernel sysctl settings...
( 6/14) Creating temporary files...
( 7/14) Reloading device manager configuration...
( 8/14) Arming ConditionNeedsUpdate...
( 9/14) Signing UEFI executables...
Signing systemd-bootx64.efi
Signing Unsigned original image
(10/14) Updating linux initcpios...
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'default'
  -> -k /boot/vmlinuz-linux-zen -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-zen.img
==> Starting build: '6.2.8-zen1-1-zen'
  -> Running build hook: [systemd]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-zen.img'
==> Image generation successful
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'fallback'
  -> -k /boot/vmlinuz-linux-zen -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-zen-fallback.img -S autodetect
==> Starting build: '6.2.8-zen1-1-zen'
  -> Running build hook: [systemd]
  -> Running build hook: [modconf]
  -> Running build hook: [block]
==> WARNING: Possibly missing firmware for module: 'qed'
==> WARNING: Possibly missing firmware for module: 'qla2xxx'
==> WARNING: Possibly missing firmware for module: 'qla1280'
==> WARNING: Possibly missing firmware for module: 'bfa'
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-zen-fallback.img'
==> Image generation successful
(11/14) Refreshing PackageKit...
(12/14) Updating UEFI kernel images...
Generating and signing linux-zen-signed.efi
Signing Unsigned original image
Skipping already signed file /efi/EFI/Boot/bootx64.efi
Skipping already signed file /efi/EFI/systemd/systemd-bootx64.efi
(13/14) Gracefully upgrading systemd-boot...
(14/14) Reloading system bus configuration...

Where it says:

Signing systemd-bootx64.efi
Signing Unsigned original image

I think that's when sbupdate signs the file in /usr/lib/systemd/boot/efi/. I wonder whether sbupdate is doing the signing, or could something else be involved?

Where it says:

Skipping already signed file /efi/EFI/systemd/systemd-bootx64.efi

It's because the older file was already manually signed.

I'd really like to not have to manually move and sign systemd-bootx64.efi whenever it's updated. I'm pretty confident that if the file is copied to the correct location after being updated without being signed, then sbupdate will take care of signing it. In fact, after manually overwriting the file in /efi/EFI/systemd with an unsigned copy and running sbupdate, the file was signed.

Perhaps someone could help with a hook that does exactly that when systemd is updated. I'm a little out of my depth here, so any valid insight will be appreciated. It's late and I'm tired now, but perhaps I can take a stab at writing a hook to copy the file over. I'm afraid to run one, but if I post it, hopefully someone can help me get it right before I actually use it.

Last edited by luser (2023-03-31 06:42:52)


luser: an epithet applied by Windows users to linux users


#2 2023-03-31 08:46:27

luser
Member
Registered: 2016-08-27
Posts: 114

Re: systemd-bootx64.efi not updating as desired

OK, I couldn't resist running this, simple as it is:

[Trigger]
Type = Package
Operation = Upgrade
Target = systemd

[Action]
Description = Copy systemd-bootx64.efi to /efi/EFI/systemd...
When = PostTransaction
Exec = /usr/bin/cp /usr/lib/systemd/boot/efi/systemd-bootx64.efi /efi/EFI/systemd

It nearly works, but unfortunately, it copies the file over AFTER sbupdate has run, so the file isn't signed.

LATER. . .
By changing the Exec line to calling /usr/bin/sbsign with the appropriate parameters instead of /usr/bin/cp, the file is signed and copied with one call. This actually works, so the essential problem has been worked around. However, looking at the following output from updating systemd. . .

==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-zen-fallback.img'
==> Image generation successful
(10/13) Refreshing PackageKit...
(11/13) Updating UEFI kernel images...
Generating and signing linux-zen-signed.efi
Signing Unsigned original image
Skipping already signed file /efi/EFI/Boot/bootx64.efi
No signature table present
warning: failed to verify /efi/EFI/systemd/systemd-bootx64.efi
(12/13) Sign systemd-bootx64.efi and copy to /efi/EFI/systemd...
Signing Unsigned original image
(13/13) Reloading system bus configuration...

There's something odd about the way sbupdate is running, because the lines:

No signature table present
warning: failed to verify /efi/EFI/systemd/systemd-bootx64.efi

indicate to me that sbupdate is detecting that the file is not signed and refusing to sign it because of that. That doesn't make sense to me. I thought that not being signed should cause it to sign the file and only skip signing when the file is already signed.
Comments?

Last edited by luser (2023-03-31 21:24:47)

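The "No signature table present" line is sbverify's way of saying the PE image has an empty Certificate Table data directory, which is the structure any "is this already signed?" check has to inspect before deciding to sign or skip. Added example, not code from sbupdate or sbsigntools: a parser that reads that directory entry from a PE32/PE32+ image and turns it into the sign-or-skip decision a hook needs; the sample images are constructed minimal headers, not real EFI binaries.

```python
# Added example (not sbupdate's or sbsigntools' code): inspect a PE/COFF image
# and report whether it carries an Authenticode Certificate Table. The sample
# images built by _sample_pe32plus() are constructed headers only.
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CERT_TABLE_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY in the data directories


def certificate_table(image: bytes):
    """Return (file_offset, size) of the Certificate Table, or None if absent."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]        # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt_off = pe_off + 4 + 20                                # skip COFF file header
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic == PE32_MAGIC:
        dirs_off = opt_off + 96                              # PE32 data directories
    elif magic == PE32PLUS_MAGIC:
        dirs_off = opt_off + 112                             # PE32+ data directories
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dirs = struct.unpack_from("<I", image, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    if num_dirs <= CERT_TABLE_INDEX:
        return None
    addr, size = struct.unpack_from("<II", image, dirs_off + CERT_TABLE_INDEX * 8)
    return (addr, size) if addr and size else None


def sign_action(image: bytes) -> str:
    """Decision a signing hook should take: 'skip' if a signature table is
    present (already signed), 'sign' if the image is unsigned."""
    return "skip" if certificate_table(image) is not None else "sign"


def _sample_pe32plus(cert_offset: int = 0, cert_size: int = 0) -> bytes:
    """Constructed minimal PE32+ image (headers only, no sections)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)  # x86-64, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8, cert_offset, cert_size)
    return bytes(hdr) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("unsigned", _sample_pe32plus()), ("signed", _sample_pe32plus(4096, 2048))):
        print(label, "->", sign_action(img))
```

Running `sign_action(open("/efi/EFI/systemd/systemd-bootx64.efi", "rb").read())` tells you whether the copy on the ESP actually carries a signature table, independently of what sbupdate's own skip logic printed.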