systemd-boot
Related articles
systemd-boot (previously called gummiboot), is a simple UEFI boot manager which executes configured EFI images. The default entry is selected by a configured pattern (glob) or an on-screen menu. It is included with systemd since systemd 220-2.
It is simple to configure, but can only start EFI executables, such as the Linux kernel EFISTUB, UEFI Shell, GRUB, the Windows Boot Manager, and such.
Installation
EFI boot
First, make sure you are booted in UEFI mode, your EFI variables are accessible, your EFI System Partition is properly mounted and your kernel and initramfs are copied onto that ESP as systemd-boot cannot load EFI binaries from other partitions. It is therefore strongly recommended to mount your ESP to /boot
. See #Updating for more information and work-around, in case you want to separate /boot
from the ESP.
Finally, type the following command to copy the systemd-boot binary to your EFI System Partition and add systemd-boot itself as the default EFI application (default boot entry) loaded by the EFI Boot Manager. If you are not booted in UEFI mode and your EFI variables are not accessible, creating the boot entry will fail. You should however still be able to boot systemd-boot as it copies the binary to the default EFI binary location on your ESP ($esp/EFI/boot/systemd-bootx64.efi
on x64 systems) unless a non-systemd-boot EFI application is already present as the same filename.
# bootctl --path=$esp install
Legacy boot
You can also successfully install systemd-boot if booted with a legacy OS. However, this requires that you later on tell your firmware to launch systemd-boot's EFI file on boot:
- you either have a working EFI shell somewhere;
- or your firmware interface provides you with a way of properly setting the EFI file that will be loaded at boot time.
If you can do so, the installation is easier: go into your EFI shell or your firmware configuration interface, and change your machine's default EFI file to /$esp/EFI/boot/systemd-bootx64.efi
(systemd-bootia32.efi
on i686 systems).
Updating
systemd-boot (bootctl(1), systemd-efi-boot-generator(8)) assumes that your EFI System Partition is mounted on /boot
. Unlike the previous separate gummiboot package, which updated automatically on a new package release with a post_install
script, updates of new systemd-boot versions are now handled manually by the user:
# bootctl update
If the ESP is not mounted on /boot
, the --path=
option can pass it. For example:
# bootctl --path=/boot/$esp update
Configuration
Basic configuration
The basic configuration is kept in $esp/loader/loader.conf
, with just two possible configuration options:
-
default
– default entry to select (without the.conf
suffix); can be a wildcard likearch-*
-
timeout
– menu timeout in seconds. If this is not set, the menu will only be shown when you hold the space key while booting.
Example:
$esp/loader/loader.conf
default arch timeout 4
Note that both options can be changed in the boot menu itself, which will store them as EFI variables.
Adding boot entries
bootctl searches for boot menu items in $esp/loader/entries/*.conf
– each file found must contain exactly one boot entry. The possible options are:
-
title
– operating system name. Required.
-
version
– kernel version, shown only when multiple entries with same title exist. Optional.
-
machine-id
– machine identifier from/etc/machine-id
, shown only when multiple entries with same title and version exist. Optional.
-
efi
– EFI program to start, relative to your ESP ($esp
); e.g./vmlinuz-linux
. Either this orlinux
(see below) is required.
-
options
– command line options to pass to the EFI program. Optional, but you will need at leastinitrd=efipath
androot=dev
if booting Linux.
For Linux, you can specify linux path-to-vmlinuz
and initrd path-to-initramfs
; this will be automatically translated to efi path
and options initrd=path
– this syntax is only supported for convenience and has no differences in function.
Standard root installations
Here is an example entry for a root partition without LVM or LUKS:
$esp/loader/entries/arch.conf
title Arch Linux linux /vmlinuz-linux initrd /initramfs-linux.img options root=PARTUUID=14420948-2cea-4de7-b042-40f67c618660 rw
Please note in the example above that PARTUUID/PARTLABEL identifies a GPT partition, and differs from UUID/LABEL, which identifies a filesystem. Using the PARTUUID/PARTLABEL is advantageous because it is invariant (i.e. unchanging) if you reformat the partition with another filesystem, or if the /dev/sd* mapping changed for some reason. It is also useful if you do not have a filesystem on the partition (or use LUKS, which does not support LABELs).
LVM root installations
Here is an example for a root partition using Logical Volume Management:
$esp/loader/entries/arch-lvm.conf
title Arch Linux (LVM) linux /vmlinuz-linux initrd /initramfs-linux.img options root=/dev/mapper/<VolumeGroup-LogicalVolume> rw
Replace <VolumeGroup-LogicalVolume>
with the actual VG and LV names (e.g. root=/dev/mapper/volgroup00-lvolroot
). Alternatively, it is also possible to use a UUID instead:
.... options root=UUID=<UUID identifier> rw
Note that root=UUID=
is used instead of root=PARTUUID=
, which is used for Root partitions without LVM or LUKS.
Encrypted Root Installations
Here is an example configuration file for an encrypted root partition (DM-Crypt / LUKS):
$esp/loader/entries/arch-encrypted.conf
title Arch Linux Encrypted linux /vmlinuz-linux initrd /initramfs-linux.img options cryptdevice=UUID=<UUID>:<mapped-name> root=UUID=<luks-UUID> quiet rw
UUID is used in this example; PARTUUID should be able to replace the UUID, if so desired. Note that <luks-UUID>
denotes the UUID of the actual decrypted root filesystem (the one under /dev/mapper/<mapped-name>
) and not the UUID of the device. See Dm-crypt/System configuration#Boot loader.
You can also add other EFI programs such as \EFI\arch\grub.efi
.
EFI Shells or other EFI apps
In case you installed EFI shells and other EFI application into the ESP, you can use the following snippets:
$esp/loader/entries/uefi-shell-v1-x86_64.conf
title UEFI Shell x86_64 v1 efi /EFI/shellx64_v1.efi
$esp/loader/entries/uefi-shell-v2-x86_64.conf
title UEFI Shell x86_64 v2 efi /EFI/shellx64_v2.efi
Add security
You have to note that the kernel command line parameters can be edited from systemd-boot's boot menu (see #Keys inside the boot menu) by pressing e
. This is a major security flaw since if you redefine the init=
kernel argument with init=/bin/bash
for example, this will boot your machine directly as root without any password, bypassing easily the root password that has been defined! Since systemd-boot does not currently have a password feature and has no ability to prevent kernel parameters changes, you need to make sure to define a password at hardware level (UEFI/BIOS) which prevents the computer to boot if the right password has not been entered.
Since security is made of several levels and physical access already breaks any security systems, maybe encrypting your disk with dm-crypt would come in handy especially if your machine is a laptop. But this is another concern not related to systemd-boot.
Support hibernation
The following keys are used inside the menu:
-
Up/Down
- select entry -
Enter
- boot the selected entry -
d
- select the default entry to boot (stored in a non-volatile EFI variable) -
-/T
- decrease the timeout (stored in a non-volatile EFI variable) -
+/t
- increase the timeout (stored in a non-volatile EFI variable) -
e
- edit the kernel command line -
v
- show the gummiboot and UEFI version -
Q
- quit -
P
- print the current configuration -
h/?
- help
These hotkeys will, when pressed inside the menu or during bootup, directly boot a specific entry:
-
l
- Linux -
w
- Windows -
a
- OS X -
s
- EFI Shell -
1-9
- number of entry
Troubleshooting
Manual entry using efibootmgr
If bootctl install
command failed, you can create a EFI boot entry manually using efibootmgr
utility:
# efibootmgr -c -d /dev/sdX -p Y -l /EFI/systemd/systemd-bootx64.efi -L "Linux Boot Manager"
where /dev/sdXY
is the EFISYS partition.
Menu does not appear after Windows upgrade
For example, if you upgraded from Windows 8 to Windows 8.1, and you no longer see a boot menu after the upgrade (i.e., Windows boots immediately):
- Make sure Secure Boot (UEFI setting) and Fast Startup (Windows power option setting) are both disabled.
- Make sure your UEFI prefers Linux Boot Manager over Windows Boot Manager (UEFI setting like Hard Drive Disk Priority).
To make Windows 8.X and above respect your boot order, you must enter a Windows group policy and have it execute a batch (.bat) file on startup. In Windows:
- Open a command prompt with admin privlages. Type in
bcdedit /enum firmware
- Find the Firmware Application that has "Linux" in the description, e.g. "Linux Boot Manager"
- Copy the Identifier, including the brackets, e.g.
{31d0d5f4-22ad-11e5-b30b-806e6f6e6963}
- Open gpedit and under Local Computer Policy > Computer Configuration > Windows Settings > Scripts(Startup/Shutdown), choose Startup. That should open a window named Startup Properties.
- Under the Scripts tab, choose the Add button
- Give your script a name, e.g.
bootorder.bat
. - Under Script Parameters, type
bcdedit /set {fwbootmgr} DEFAULT {identifier_copied_in_step_3}
(e.g.bcdedit /set {fwbootmgr} DEFAULT {31d0d5f4-22ad-11e5-b30b-806e6f6e6963}
).
If this does not work, create a batch file somewhere on your Windows system with the bcdedit /set {fwbootmgr} DEFAULT {identifier_copied_in_step_3}
line in it and go back to step 6 and Browse for that file.
Alternatively, you can make the default Windows boot loader load systemd-boot instead. In an administrator command prompt in Windows, one can change this entry as follows:
bcdedit /set {bootmgr} path \EFI\systemd\systemd-bootx64.efi