<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="bootctl" conditional='ENABLE_EFI'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>bootctl</title>
<productname>systemd</productname>
</refentryinfo>
<refmeta>
<refentrytitle>bootctl</refentrytitle>
<manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>bootctl</refname>
<refpurpose>Control EFI firmware boot settings and manage boot loader</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>bootctl</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="req">COMMAND</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>bootctl</command> can check the EFI firmware and boot loader status, list and manage
available boot loaders and boot loader entries, and install, update, or remove the
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> boot
loader on the current system.</para>
</refsect1>
<refsect1>
<title>Generic EFI Firmware/Boot Loader Commands</title>
<para>These commands are available on any EFI system, regardless of the boot loader used.</para>
<variablelist>
<varlistentry>
<term><option>status</option></term>
<listitem><para>Shows brief information about the system firmware, the boot loader that was used to boot the
system, the boot loaders currently available in the ESP, the boot loaders listed in the firmware's list of boot
loaders and the current default boot loader entry. If no command is specified, this is the implied
default.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>reboot-to-firmware</option> <optional><replaceable>BOOL</replaceable></optional></term>

<listitem><para>Query or set the "Reboot-Into-Firmware-Setup" flag of the EFI firmware. Takes a
boolean argument which controls whether to show the firmware setup on next system reboot. If the
argument is omitted, shows the current status of the flag, or whether the flag is supported. This
controls the same flag as <command>systemctl reboot --firmware-setup</command>, but is more
low-level and allows setting the flag independently from actually requesting a
reboot.</para></listitem>
</varlistentry>

<varlistentry>
<term><option>systemd-efi-options</option> <optional><replaceable>STRING</replaceable></optional></term>

<listitem><para>When called without the optional argument, prints the current value of the
<literal>SystemdOptions</literal> EFI variable. When called with an argument, sets the
variable to that value. See
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
for the meaning of that variable.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Boot Loader Specification Commands</title>
<para>These commands are available for all boot loaders that implement the <ulink
url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink> and/or the <ulink
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>, such as
<command>systemd-boot</command>.</para>
<variablelist>
<varlistentry>
<term><option>list</option></term>
<listitem><para>Shows all available boot loader entries implementing the <ulink
url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink>, as well as any
other entries discovered or automatically generated by a boot loader implementing the <ulink
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader
Interface</ulink>.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>set-default</option> <replaceable>ID</replaceable></term>
<term><option>set-oneshot</option> <replaceable>ID</replaceable></term>
<listitem><para>Sets the default boot loader entry. Takes a single boot loader entry ID string or a glob
pattern as argument. The <option>set-oneshot</option> command will set the default entry only for the next boot,
the <option>set-default</option> will set it persistently for all future boots.</para>

<para>Optionally, the boot loader entry ID may be specified as one of: <option>@default</option>,
<option>@oneshot</option> or <option>@current</option>, which correspond to the current default boot loader
entry for all future boots, the current default boot loader entry for the next boot, and the currently booted
boot loader entry. These special IDs are resolved to the current values of the EFI variables
<varname>LoaderEntryDefault</varname>, <varname>LoaderEntryOneShot</varname> and <varname>LoaderEntrySelected</varname>,
see <ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink> for details.
These special IDs are primarily useful as a quick way to persistently make the currently booted boot loader
entry the default choice, or to upgrade the default boot loader entry for the next boot to the default boot
loader entry for all future boots, but may be used for other operations too.</para>
<para>If set to <option>@saved</option> the chosen entry will be saved as an EFI variable
on every boot and automatically selected the next time the boot loader starts.</para>
<para>When an empty string ("") is specified as an ID, then the corresponding EFI variable will be unset.
</para></listitem>
</varlistentry>
<varlistentry>
<term><option>set-timeout</option> <replaceable>TIMEOUT</replaceable></term>
<term><option>set-timeout-oneshot</option> <replaceable>TIMEOUT</replaceable></term>
<listitem><para>Sets the boot loader menu timeout in seconds. The <option>set-timeout-oneshot</option>
command will set the timeout only for the next boot. See
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>
for details about the syntax of time spans.</para>
<para>If this is set to <option>menu-hidden</option> or <option>0</option> no menu is shown and
the default entry will be booted immediately, while setting this to <option>menu-force</option>
disables the timeout while always showing the menu. When an empty string ("") is specified the
bootloader will revert to its default menu timeout.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title><command>systemd-boot</command> Commands</title>
<para>These commands manage the <command>systemd-boot</command> EFI boot loader, and do not work in
conjunction with other boot loaders.</para>
<variablelist>
<varlistentry>
<term><option>install</option></term>
<listitem><para>Installs <command>systemd-boot</command> into the EFI system partition. A copy of
<command>systemd-boot</command> will be stored as the EFI default/fallback loader at
<filename><replaceable>ESP</replaceable>/EFI/BOOT/BOOT*.EFI</filename>. The boot loader is then added
to the top of the firmware's boot loader list.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>update</option></term>
<listitem><para>Updates all installed versions of
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>, if the
available version is newer than the version installed in the EFI system partition. This also includes the EFI
default/fallback loader at <filename><replaceable>ESP</replaceable>/EFI/BOOT/BOOT*.EFI</filename>. The boot
loader is then added to the end of the firmware's boot loader list if missing.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>remove</option></term>
<listitem><para>Removes all installed versions of <command>systemd-boot</command> from the EFI system partition
and the firmware's boot loader list.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>is-installed</option></term>
<listitem><para>Checks whether <command>systemd-boot</command> is installed in the ESP. Note that a
single ESP might host multiple boot loaders; this hence checks whether
<command>systemd-boot</command> is one (of possibly many) installed boot loaders — and neither
whether it is the default nor whether it is registered in any EFI variables.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>random-seed</option></term>
<listitem><para>Generates a random seed and stores it in the EFI System Partition, for use by the
<command>systemd-boot</command> boot loader. Also, generates a random 'system token' and stores it
persistently as an EFI variable, if one has not been set before. If the boot loader finds the random
seed in the ESP and the system token in the EFI variable it will derive a random seed to pass to the
OS and a new seed to store in the ESP from the combination of both. The random seed passed to the OS
is credited to the kernel's entropy pool by the system manager during early boot, and permits
userspace to boot up with an entropy pool fully initialized very early on. Also see
<citerefentry><refentrytitle>systemd-boot-system-token.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>See <ulink url="https://systemd.io/RANDOM_SEEDS">Random Seeds</ulink> for further
information.</para></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Options</title>
<para>The following options are understood:</para>
<variablelist>
<varlistentry>
<term><option>--esp-path=</option></term>
<listitem><para>Path to the EFI System Partition (ESP). If not specified, <filename>/efi/</filename>,
<filename>/boot/</filename>, and <filename>/boot/efi/</filename> are checked in turn. It is
recommended to mount the ESP to <filename>/efi/</filename>, if possible.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--boot-path=</option></term>
<listitem><para>Path to the Extended Boot Loader partition, as defined in the <ulink
url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink>. If not
specified, <filename>/boot/</filename> is checked. It is recommended to mount the Extended Boot
Loader partition to <filename>/boot/</filename>, if possible.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-p</option></term>
<term><option>--print-esp-path</option></term>
<listitem><para>This option modifies the behaviour of <command>status</command>. Only prints the path
to the EFI System Partition (ESP) to standard output and exits.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>-x</option></term>
<term><option>--print-boot-path</option></term>
<listitem><para>This option modifies the behaviour of <command>status</command>. Only prints the path
to the Extended Boot Loader partition if it exists, and the path to the ESP otherwise to standard
output and exits. This option is useful to determine where to place boot loader entries, as they are
preferably placed in the Extended Boot Loader partition if it exists and in the ESP otherwise.</para>
<para>Boot Loader Specification Type #1 entries should generally be placed in the directory
<literal>$(bootctl -x)/loader/entries/</literal>. Existence of that directory may also be used as
indication that boot loader entry support is available on the system. Similarly, Boot Loader
Specification Type #2 entries should be placed in the directory <literal>$(bootctl
-x)/EFI/Linux/</literal>.</para>
<para>Note that this option (similar to the <option>--print-esp-path</option> option mentioned
above), is available independently from the boot loader used, i.e. also without
<command>systemd-boot</command> being installed.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--no-variables</option></term>
<listitem><para>Do not touch the firmware's boot loader list stored in EFI variables.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--graceful</option></term>
<listitem><para>Ignore failure when the EFI System Partition cannot be found, when EFI variables
cannot be written, or a different or newer boot loader is already installed. Currently only applies
to random seed and update operations.</para></listitem>
</varlistentry>
<varlistentry>
<term><option>--make-machine-id-directory=yes|no|auto</option></term>
<listitem><para>Control creation and deletion of the top-level machine ID directory on the file
system containing boot loader entries (i.e. beneath the file system returned by the
<option>--print-boot-path</option> option, see above) during <option>install</option> and
<option>remove</option>, respectively. <literal>auto</literal> is equivalent to
<literal>yes</literal> if <filename>/etc/machine-id</filename> resides on a filesystem other than
tmpfs and <literal>no</literal> otherwise (in the latter case the machine ID is likely transient and
hence should not be used persistently in the ESP). Defaults to <literal>auto</literal>. See
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details about the machine ID concept and file.</para>
<para>Overriding this may be desirable to hide the machine ID from the (unencrypted) ESP, configure a
<citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>
script, or, conversely, commit a transient machine ID.</para>
<para>The top-level machine ID directory is useful to allow smooth multi-boot installations: each
installed OS instance will have a different machine ID and thus a separate directory to place its
boot-time resources in. If this feature is turned off with this option, care needs to be taken that
multiple OS instances do not place conflicting files on the shared ESP and Extended Boot Loader
Partitions, or that multiple OS instances are not possible.</para></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="no-pager"/>
<xi:include href="standard-options.xml" xpointer="help"/>
<xi:include href="standard-options.xml" xpointer="version"/>
</variablelist>
</refsect1>
<refsect1>
<title>Signed .efi files</title>
<para><command>bootctl</command> <option>install</option> and <option>update</option> will look for a
<command>systemd-boot</command> file ending with the <literal>.efi.signed</literal> suffix first, and copy
that instead of the normal <literal>.efi</literal> file. This allows distributions or end-users to provide
signed images for UEFI SecureBoot.</para>

<para>Note that the signed file is selected purely by its name and is copied as-is; this mechanism
performs no signature validation and does not check that the signed image corresponds to the unsigned
<literal>.efi</literal> file it shadows. The tooling that produces the <literal>.efi.signed</literal>
file is therefore responsible for regenerating it whenever the unsigned file is updated, as otherwise a
stale signed boot loader will be installed.</para>
</refsect1>
<refsect1>
<title>Exit status</title>
<para>On success, 0 is returned, a non-zero failure code otherwise.</para>
</refsect1>
<refsect1>
<title>Environment</title>
<para>If <varname>$SYSTEMD_RELAX_ESP_CHECKS=1</varname> is set the validation checks for the ESP are
relaxed, and the path specified with <option>--esp-path=</option> may refer to any kind of file system on
any kind of partition. This is intended for testing and development only: with the checks relaxed,
<command>bootctl</command> may write boot loader files into whatever file system the given path refers
to, so the variable should not be set in normal operation.</para>
<para>Similarly, <varname>$SYSTEMD_RELAX_XBOOTLDR_CHECKS=1</varname> turns off some validation checks for
the Extended Boot Loader partition.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
<ulink url="https://systemd.io/BOOT_LOADER_SPECIFICATION">Boot Loader Specification</ulink>,
<ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>,
<citerefentry><refentrytitle>systemd-boot-system-token.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>