Systemd-boot Bad *.efi boot files (aarch64)

[iDigitalFlame]

systemd version the issue has been seen with

253.4-1

Used distribution

ArchLinux

Linux kernel version used

6.2.10-1-aarch64-ARCH

CPU architectures issue was seen on

aarch64

Component

bootctl, systemd-boot

Expected behaviour you didn't see

System was supposed to boot properly

Unexpected behaviour you saw

System failed to boot correctly and failed back to the UEFI screen.

Steps to reproduce the problem

Update systemd to the latest version and use "bootctl update" to update the EFI files.

For example my EFI directory is in "/boot/EFI"
"/boot/EFI/systemd/systemd-bootaa64.efi" sha256:6ca23dbe6272955df425b05c5a99354d50cc8fcbc4bab724491b1ba541788dd3 fails to boot and be detected by the firmware, while the previous version sha256:4b736db0f718da851df64fd3470dd0bf719bb0c1ab8b46aec5ddff9a22bc91b8 will work without issue.

To prove this, replacing "/boot/EFI/systemd/systemd-bootaa64.efi" and "/boot/EFI/BOOT/BOOTAA64.EFI" with the older efi file versions allows the system to boot normally.

Additional program output to the terminal or log subsystem illustrating the issue

No response

[YHNdnzj]

Might be a duplicate of #26951. Can you please try the latest main?

[iDigitalFlame]

Build with latest main resulted in

sha256:c000d8d79c37a4d1763be4c0473758c304ca2302c05baf408c0c2f4feabfb90e
systemd-bootaa64.efi: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 9 sections

Replaced /boot/EFI/BOOT/BOOTAA64.EFI and /boot/EFI/systemd/systemd-bootaa64.efi with the new file, same issue (not booting).

Replacing the files with the older sha256:4b736db0f718da851df64fd3470dd0bf719bb0c1ab8b46aec5ddff9a22bc91b8 version fixes the issue and allows the system to boot normally.

Upon inspection of the different files (ones that work and don't)
Working: systemd-bootaa64.efi: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 2 sections
Non-working: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 9 sections

I'm not 100% sure if this is due to a crash as I cannot get the console output during the bootup period, but the device eventually falls to the EFI shell.

[medhefgo]

Please try latest main with -Db_sanitize=undefined passed to meson.

Also, please do a bisection to find the faulty commit.

[medhefgo]

Also, you can (re-)start sd-boot from the EFI shell directly. That might help you catch any console output (and echo %lasterror% gives you the return code).

[medhefgo]

Build with latest main resulted in

sha256:c000d8d79c37a4d1763be4c0473758c304ca2302c05baf408c0c2f4feabfb90e
systemd-bootaa64.efi: PE32+ executable (EFI application) Aarch64 (stripped to external PDB), for MS Windows, 9 sections

Replaced /boot/EFI/BOOT/BOOTAA64.EFI and /boot/EFI/systemd/systemd-bootaa64.efi with the new file, same issue (not booting).

I highly doubt you did it correctly. It works properly in my alarm vm I just set up.

This is https://sourceforge.net/p/gnu-efi/bugs/37/, which is fixed by rhboot/gnu-efi@9e6cb21. Nothing for us to do. Especially since we already nuked gnu-efi out of orbit anyways.

[alex-startengine]

@iDigitalFlame did you ever figure this out? I am confused because apparently sd-boot doesnt even use gnu-efi, but i still can't get past the firmware screen with systemd-boot. so are we not supposed to use the systemd-bootaa64.efi file anymore? because that's what my bootctl copies over.

[root@eos ~]# bootctl install
Created "/boot/EFI/systemd".
Created "/boot/EFI/BOOT".
Created "/boot/EFI/Linux".
Copied "/usr/lib/systemd/boot/efi/systemd-bootaa64.efi" to "/boot/EFI/systemd/systemd-bootaa64.efi".
Copied "/usr/lib/systemd/boot/efi/systemd-bootaa64.efi" to "/boot/EFI/BOOT/BOOTAA64.EFI".
Random seed file /boot/loader/random-seed successfully written (32 bytes).
Successfully initialized system token in EFI variable with 32 bytes.
Created EFI boot entry "Linux Boot Manager".

[root@eos efi]# bootctl --version
systemd 253 (253.5-2-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT default-hierarchy=unified

[medhefgo]

That's still the stable systemd version using gnu-efi, which cannot work due to the linked bug. You need to build systemd-git from aur or do it manually and replace systemd-bootaa64.efi with the build result manually.