a1d46e3078
This allows loading the X.509 certificate from an OpenSSL provider instead of a file system path. This allows loading certificates directly from hardware tokens instead of having to export them to a file on disk first.
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="bootctl"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
<refentryinfo>
|
|
<title>bootctl</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>bootctl</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>bootctl</refname>
|
|
<refpurpose>Control EFI firmware boot settings and manage boot loader</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>bootctl</command>
|
|
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
|
<arg choice="req">COMMAND</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para><command>bootctl</command> can check the EFI firmware and boot loader status, list and manage
|
|
available boot loaders and boot loader entries, and install, update, or remove the
|
|
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry> boot
|
|
loader on the current system.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Generic EFI Firmware/Boot Loader Commands</title>
|
|
|
|
<para>These commands are available on any EFI system, regardless of the boot loader used.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>status</option></term>
|
|
|
|
<listitem><para>Shows brief information about the system firmware, the boot loader that was used to
|
|
boot the system, the boot loaders currently available in the ESP, the boot loaders listed in the
|
|
firmware's list of boot loaders and the current default boot loader entry. If no command is
|
|
specified, this is the implied default.</para>
|
|
|
|
<para>See the example below for details of the output.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>reboot-to-firmware</option> <optional><replaceable>BOOL</replaceable></optional></term>
|
|
|
|
<listitem><para>Query or set the "Reboot-Into-Firmware-Setup" flag of the EFI firmware. Takes a
|
|
boolean argument which controls whether to show the firmware setup on next system reboot. If the
|
|
argument is omitted, the current status of the flag (or whether the flag is supported at all) is shown. This
|
|
controls the same flag as <command>systemctl reboot --firmware-setup</command>, but is more low-level
|
|
and allows setting the flag independently from actually requesting a reboot.</para>
|
|
|
|
<para>Hint: use <command>systemctl reboot --firmware-setup</command> to reboot into firmware setup
|
|
once. See
|
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Boot Loader Specification Commands</title>
|
|
|
|
<para>These commands are available for all boot loaders that
|
|
implement the <ulink
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot
|
|
Loader Specification</ulink>, such as
|
|
<command>systemd-boot</command>.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>list</option></term>
|
|
|
|
<listitem><para>Shows all available boot loader entries implementing the <ulink
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink>, as well as any
|
|
other entries discovered or automatically generated by a boot loader implementing the <ulink
|
|
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>.
|
|
JSON output may be requested with <option>--json=</option>.</para>
|
|
|
|
<para>See the example below for details of the output.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>unlink</option> <replaceable>ID</replaceable></term>
|
|
|
|
<listitem><para>Removes a boot loader entry including the files it refers to. Takes a single boot
|
|
loader entry ID string or a glob pattern as argument. Referenced files such as kernel or initrd are
|
|
only removed if no other entry refers to them.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>cleanup</option></term>
|
|
|
|
<listitem><para>Removes files from the ESP and XBOOTLDR partitions that belong to the entry token but
|
|
are not referenced in any boot loader entries.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Boot Loader Interface Commands</title>
|
|
|
|
<para>These commands are available for all boot loaders that implement the <ulink
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> and the <ulink
|
|
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>, such as
|
|
<command>systemd-boot</command>.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>set-default</option> <replaceable>ID</replaceable></term>
|
|
<term><option>set-oneshot</option> <replaceable>ID</replaceable></term>
|
|
|
|
<listitem><para>Sets the default boot loader entry. Takes a single boot loader entry ID string or a glob
|
|
pattern as argument. The <option>set-oneshot</option> command will set the default entry only for the next boot,
while the <option>set-default</option> command will set it persistently for all future boots.</para>
|
|
|
|
<para><command>bootctl list</command> can be used to list available boot loader entries and their
|
|
IDs.</para>
|
|
|
|
<para>In addition, the boot loader entry ID may be specified as one of: <option>@default</option>,
|
|
<option>@oneshot</option> or <option>@current</option>, which correspond to the current default boot loader
|
|
entry for all future boots, the current default boot loader entry for the next boot, and the currently booted
|
|
boot loader entry. These special IDs are resolved to the current values of the EFI variables
|
|
<varname>LoaderEntryDefault</varname>, <varname>LoaderEntryOneShot</varname> and <varname>LoaderEntrySelected</varname>,
|
|
see <ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> for details.
|
|
These special IDs are primarily useful as a quick way to persistently make the currently booted boot loader
|
|
entry the default choice, or to upgrade the default boot loader entry for the next boot to the default boot
|
|
loader entry for all future boots, but may be used for other operations too.</para>
|
|
|
|
<para>If set to <option>@saved</option> the chosen entry will be saved as an EFI variable
|
|
on every boot and automatically selected the next time the boot loader starts.</para>
|
|
|
|
<para>When an empty string ("") is specified as the ID, then the corresponding EFI variable will be
|
|
unset.</para>
|
|
|
|
<para>Hint: use <command>systemctl reboot --boot-loader-entry=<replaceable>ID</replaceable></command>
|
|
to reboot into a specific boot entry and
|
|
<command>systemctl reboot --boot-loader-menu=<replaceable>timeout</replaceable></command>
|
|
to reboot into the boot loader menu once. See
|
|
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
for details.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v240"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>set-timeout</option> <replaceable>TIMEOUT</replaceable></term>
|
|
<term><option>set-timeout-oneshot</option> <replaceable>TIMEOUT</replaceable></term>
|
|
|
|
<listitem><para>Sets the boot loader menu timeout in seconds. The <option>set-timeout-oneshot</option>
|
|
command will set the timeout only for the next boot. See
|
|
<citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
|
for details about the syntax of time spans.</para>
|
|
|
|
<para>If this is set to <option>menu-disabled</option> or <option>menu-hidden</option> or
|
|
<option>0</option>, no menu is shown and the default entry will be booted immediately, while
|
|
setting this to <option>menu-force</option> disables the timeout while always showing the menu.
|
|
When an empty string ("") is specified, the boot loader will revert to its default menu timeout.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title><command>systemd-boot</command> Commands</title>
|
|
|
|
<para>These commands manage the <command>systemd-boot</command> EFI boot loader, and do not work in
|
|
conjunction with other boot loaders.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>install</option></term>
|
|
|
|
<listitem><para>Installs <command>systemd-boot</command> into the EFI system partition. A copy of
|
|
<command>systemd-boot</command> will be stored as the EFI default/fallback loader at
|
|
<filename><replaceable>ESP</replaceable>/EFI/BOOT/BOOT*.EFI</filename>. The boot loader is then added
|
|
to the top of the firmware's boot loader list.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>update</option></term>
|
|
|
|
<listitem><para>Updates all installed versions of
|
|
<citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>, if the
|
|
available version is newer than the version installed in the EFI system partition. This also includes the EFI
|
|
default/fallback loader at <filename><replaceable>ESP</replaceable>/EFI/BOOT/BOOT*.EFI</filename>. The boot
|
|
loader is then added to the end of the firmware's boot loader list if missing.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>remove</option></term>
|
|
|
|
<listitem><para>Removes all installed versions of <command>systemd-boot</command> from the EFI system partition
|
|
and the firmware's boot loader list.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v239"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>is-installed</option></term>
|
|
|
|
<listitem><para>Checks whether <command>systemd-boot</command> is installed in the ESP. Note that a
|
|
single ESP might host multiple boot loaders; this hence checks whether
|
|
<command>systemd-boot</command> is one (of possibly many) installed boot loaders — and neither
|
|
whether it is the default nor whether it is registered in any EFI variables.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v243"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>random-seed</option></term>
|
|
|
|
<listitem><para>Generates a random seed and stores it in the EFI System Partition (ESP), for use by
|
|
the <command>systemd-boot</command> boot loader. If a random seed already exists in the ESP it is
|
|
refreshed. Also generates a random 'system token' and stores it persistently as an EFI variable, if
|
|
one has not been set before. If the boot loader finds the random seed in the ESP and the system token
|
|
in the EFI variable it will derive a random seed to pass to the OS and a new seed to store in the ESP
|
|
from the combination of both. The random seed passed to the OS is credited to the kernel's entropy
|
|
pool by the system manager during early boot, and permits userspace to boot up with an entropy pool
|
|
fully initialized very early on. Also see
|
|
<citerefentry><refentrytitle>systemd-boot-random-seed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
|
|
|
<para>See <ulink url="https://systemd.io/RANDOM_SEEDS">Random Seeds</ulink> for further
|
|
information.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v243"/></listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Kernel Image Commands</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>kernel-identify</option> <replaceable>kernel</replaceable></term>
|
|
|
|
<listitem><para>Takes a kernel image as argument. Checks what kind of kernel the image is. Returns
|
|
one of <literal>uki</literal>, <literal>addon</literal>, <literal>pe</literal> or
<literal>unknown</literal>.
|
|
</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>kernel-inspect</option> <replaceable>kernel</replaceable></term>
|
|
|
|
<listitem><para>Takes a kernel image as argument. Prints details about the image.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
<para>The following options are understood:</para>
|
|
|
|
<variablelist>
|
|
<xi:include href="standard-options.xml" xpointer="esp-path"/>
|
|
<xi:include href="standard-options.xml" xpointer="boot-path"/>
|
|
|
|
<varlistentry>
|
|
<term><option>--root=<replaceable>root</replaceable></option></term>
|
|
<listitem><para>Takes a directory path as an argument. All
|
|
paths will be prefixed with the given alternate
|
|
<replaceable>root</replaceable> path, including config search
|
|
paths. </para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--image=<replaceable>image</replaceable></option></term>
|
|
|
|
<listitem><para>Takes a path to a disk image file or block device node. If specified, all operations
|
|
are applied to the file system in the indicated disk image. This option is similar to
|
|
<option>--root=</option>, but operates on file systems stored in disk images or block devices. The
|
|
disk image should either contain just a file system or a set of file systems within a GPT partition
|
|
table, following the <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
|
Specification</ulink>. For further information on supported disk images, see
|
|
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
|
switch of the same name.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
|
</varlistentry>
|
|
|
|
<xi:include href="standard-options.xml" xpointer="image-policy-open" />
|
|
|
|
<varlistentry>
|
|
<term><option>--install-source=</option></term>
|
|
<listitem><para>When installing binaries with <option>--root=</option> or
|
|
<option>--image=</option>, selects where to source them from. Takes one of <literal>auto</literal>
|
|
(the default), <literal>image</literal> or <literal>host</literal>. With <literal>auto</literal>
|
|
binaries will be picked from the specified directory or image, and if not found they will be picked
|
|
from the host. With <literal>image</literal> or <literal>host</literal> no fallback search will be
|
|
performed if the binaries are not found in the selected source.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>-p</option></term>
|
|
<term><option>--print-esp-path</option></term>
|
|
<listitem><para>This option modifies the behaviour of <command>status</command>. Only prints the path
|
|
to the EFI System Partition (ESP) to standard output and exits.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v236"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>-x</option></term>
|
|
<term><option>--print-boot-path</option></term>
|
|
<listitem><para>This option modifies the behaviour of <command>status</command>. Only prints the path
|
|
to the Extended Boot Loader partition if it exists, and the path to the ESP otherwise, to standard
output and exits. This option is useful to determine where to place boot loader entries, as they are
|
|
preferably placed in the Extended Boot Loader partition if it exists and in the ESP otherwise.</para>
|
|
|
|
<para>Boot Loader Specification Type #1 entries should generally be placed in the directory
|
|
<literal>$(bootctl -x)/loader/entries/</literal>. Existence of that directory may also be used as
|
|
indication that boot loader entry support is available on the system. Similarly, Boot Loader
|
|
Specification Type #2 entries should be placed in the directory <literal>$(bootctl
|
|
-x)/EFI/Linux/</literal>.</para>
|
|
|
|
<para>Note that this option (similarly to the <option>--print-esp-path</option> option mentioned
|
|
above) is available independently of the boot loader used, i.e. also without
|
|
<command>systemd-boot</command> being installed.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v242"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--print-loader-path</option></term>
|
|
<listitem><para>This option modifies the behaviour of <command>status</command>: it shows the
|
|
absolute path to the boot loader EFI binary used for the current boot if this information is
|
|
available. Note that no attempt is made to verify whether the binary still exists.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--print-stub-path</option></term>
|
|
<listitem><para>This option modifies the behaviour of <command>status</command>: it shows the
|
|
absolute path to the UKI/stub EFI binary used for the current boot if this information is
|
|
available. Note that no attempt is made to verify whether the binary still exists.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>-R</option></term>
|
|
<term><option>--print-root-device</option></term>
|
|
|
|
<listitem><para>Print the path to the block device node backing the root file system of the local
|
|
OS. This prints a path such as <filename>/dev/nvme0n1p5</filename>. If the root file system is backed
|
|
by dm-crypt/LUKS or dm-verity the underlying block device is returned. If the root file system is
|
|
backed by multiple block devices (as supported by btrfs), the operation will fail. If the switch is
specified twice (i.e. <option>-RR</option>) and the discovered block device is a partition device, the
"whole" block device it belongs to is determined and printed
|
|
(e.g. <filename>/dev/nvme0n1</filename>). If the root file system is <literal>tmpfs</literal> (or a
|
|
similar in-memory file system), the block device backing <filename>/usr/</filename> is returned if
|
|
applicable. If the root file system is a network file system (e.g. NFS, CIFS), the operation will
|
|
fail.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v254"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--no-variables</option></term>
|
|
<listitem><para>Do not touch the firmware's boot loader list stored in EFI variables.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v220"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--random-seed=yes|no</option></term>
|
|
<listitem><para>By default the <command>install</command> command initializes a random seed file in
|
|
the ESP. When creating an image it may be desirable to disable that in order to avoid having the
|
|
same seed in all instances.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--graceful</option></term>
|
|
<listitem><para>Ignore failure when the EFI System Partition cannot be found, when EFI variables
|
|
cannot be written, or when a different or newer boot loader is already installed. Currently only applies
|
|
to <command>is-installed</command>, <command>update</command>, and <command>random-seed</command>
|
|
verbs.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v244"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>-q</option></term>
|
|
<term><option>--quiet</option></term>
|
|
|
|
<listitem><para>Suppress printing of the results of various commands and also the hints about ESP
|
|
being unavailable.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--make-entry-directory=yes|no</option></term>
|
|
<listitem><para>Controls creation and deletion of the <ulink
|
|
url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink> Type #1 entry
|
|
directory on the file system containing resources such as kernel and initrd images during
|
|
<option>install</option> and <option>remove</option>, respectively. The directory is named after the
|
|
entry token, as specified with <option>--entry-token=</option> parameter described below, and is
|
|
placed immediately below the <varname>$BOOT</varname> root directory (i.e. beneath the file system
|
|
returned by the <option>--print-boot-path</option> option, see above). Defaults to
|
|
<literal>no</literal>.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--entry-token=</option></term>
|
|
|
|
<listitem><para>Controls how to name and identify boot loader entries for this OS
|
|
installation. Accepted during <option>install</option>, and takes one of <literal>auto</literal>,
|
|
<literal>machine-id</literal>, <literal>os-id</literal>, <literal>os-image-id</literal> or an
|
|
arbitrary string prefixed by <literal>literal:</literal> as argument.</para>
|
|
|
|
<para>If set to <option>machine-id</option> the entries are named after the machine ID of the running
|
|
system (e.g. <literal>b0e793a9baf14b5fa13ecbe84ff637ac</literal>). See
|
|
<citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
|
|
details about the machine ID concept and file.</para>
|
|
|
|
<para>If set to <option>os-id</option> the entries are named after the OS ID of the running system,
|
|
i.e. the <varname>ID=</varname> field of
|
|
<citerefentry><refentrytitle>os-release</refentrytitle><manvolnum>5</manvolnum></citerefentry> (e.g.
|
|
<literal>fedora</literal>). Similarly, if set to <option>os-image-id</option> the entries are named
|
|
after the OS image ID of the running system, i.e. the <varname>IMAGE_ID=</varname> field of
|
|
<filename>os-release</filename> (e.g. <literal>vendorx-cashier-system</literal>).</para>
|
|
|
|
<para>If set to <option>auto</option> (the default), the <filename>/etc/kernel/entry-token</filename>
|
|
file will be read if it exists, and the stored value used. Otherwise if the local machine ID is
|
|
initialized it is used. Otherwise <varname>IMAGE_ID=</varname> from <filename>os-release</filename>
|
|
will be used, if set. Otherwise, <varname>ID=</varname> from <filename>os-release</filename> will be
|
|
used, if set.</para>
|
|
|
|
<para>Unless set to <literal>machine-id</literal>, or when
|
|
<option>--make-entry-directory=yes</option> is used, the selected token string is written to a file
|
|
<filename>/etc/kernel/entry-token</filename>, to ensure it will be used for future entries. This file
|
|
is also read by
|
|
<citerefentry><refentrytitle>kernel-install</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
in order to identify under which name to generate boot loader entries for newly installed kernels, or
|
|
to determine the entry names for removing old ones.</para>
|
|
|
|
<para>Using the machine ID for naming the entries is generally preferable, however there are cases
|
|
where using the other identifiers is a good option. Specifically: if the identification data that the
|
|
machine ID entails shall not be stored on the (unencrypted) <varname>$BOOT</varname> partition, or if
|
|
the ID shall be generated on first boot and is not known when the entries are prepared. Note that
|
|
using the machine ID has the benefit that multiple parallel installations of the same OS can coexist
|
|
on the same medium, and they can update their boot loader entries independently. When using another
|
|
identifier (such as the OS ID or the OS image ID), parallel installations of the same OS would try to
|
|
use the same entry name. To support parallel installations, the installer must use a different entry
|
|
token when adding a second installation.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v251"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--all-architectures</option></term>
|
|
<listitem><para>Install binaries for all supported EFI architectures (this implies <option>--no-variables</option>).</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--efi-boot-option-description=</option></term>
|
|
<listitem><para>Description of the entry added to the firmware's boot option list. Defaults to <literal>Linux
|
|
Boot Manager</literal>.</para>
|
|
|
|
<para>Using the default entry name <literal>Linux Boot Manager</literal> is generally preferable as only
|
|
one boot loader installed to a single ESP partition should be used to boot any number of OS installations
found on the various disks installed in the system. Specifically, distributions should not use this flag
to install a branded entry in the boot option list. However, in situations with multiple disks, each with
their own ESP partition, it can be beneficial to make it easier to identify the boot loader being used in
|
|
the firmware's boot option menu.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--dry-run</option></term>
|
|
<listitem><para>Dry run for <option>unlink</option> and <option>cleanup</option>.</para>
|
|
|
|
<para>In dry run mode, the unlink and cleanup operations only print the files that would get deleted
|
|
without actually deleting them.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v253"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--secure-boot-auto-enroll=yes|no</option></term>
|
|
<term><option>--private-key=<replaceable>PATH/URI</replaceable></option></term>
|
|
<term><option>--private-key-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
|
<term><option>--certificate=<replaceable>PATH</replaceable></option></term>
|
|
<term><option>--certificate-source=<replaceable>TYPE</replaceable>[:<replaceable>NAME</replaceable>]</option></term>
|
|
|
|
<listitem><para>Configure the ESP for secure boot auto-enrollment when invoking the
|
|
<command>install</command> command. Takes a boolean argument. Disabled by default. Enabling this
|
|
option will make <command>bootctl</command> populate the ESP with signed <literal>PK</literal>,
|
|
<literal>KEK</literal> and <literal>db</literal> signature databases, each containing the given
|
|
certificate in <literal>DER</literal> format as their only entry. These secure boot signature
|
|
databases will be picked up and enrolled by <command>systemd-boot</command> if secure boot is in
|
|
setup mode and secure boot auto-enrollment is enabled.</para>
|
|
|
|
<para>When specifying this option, a certificate and private key have to be provided as well using
|
|
the <option>--certificate=</option> and <option>--private-key=</option> options. The
|
|
<option>--certificate=</option> option takes a path to a PEM-encoded X.509 certificate, or a URI
that is passed to the OpenSSL provider configured with <option>--certificate-source=</option>, which
takes one of <literal>file</literal> or <literal>provider</literal>, with the latter being followed
by a specific provider identifier, separated with a colon, e.g. <literal>provider:pkcs11</literal>.
Loading the certificate through a provider allows it to be read directly from a hardware token,
without first exporting it to a file on disk.
|
|
The <option>--private-key=</option> option can take a path or a URI that will be passed to the
|
|
OpenSSL engine or provider, as specified by <option>--private-key-source=</option> as a
|
|
<literal>type:name</literal> tuple, such as <literal>engine:pkcs11</literal>. The specified OpenSSL
|
|
signing engine or provider will be used to sign the EFI signature lists.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v257"/></listitem>
|
|
</varlistentry>
|
|
|
|
<xi:include href="standard-options.xml" xpointer="no-pager"/>
|
|
<xi:include href="standard-options.xml" xpointer="json" />
|
|
<xi:include href="standard-options.xml" xpointer="help"/>
|
|
<xi:include href="standard-options.xml" xpointer="version"/>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Signed .efi files</title>
|
|
<para><command>bootctl</command> <option>install</option> and <option>update</option> will look for a
|
|
<command>systemd-boot</command> file ending with the <literal>.efi.signed</literal> suffix first, and copy
|
|
that instead of the normal <literal>.efi</literal> file. This allows distributions or end-users to provide
|
|
signed images for UEFI SecureBoot.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Exit status</title>
|
|
<para>On success, 0 is returned, a non-zero failure code otherwise. <command>bootctl
|
|
--print-root-device</command> returns exit status 80 in case the root file system is not backed by a single
|
|
block device, and other non-zero exit statuses on other errors.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Environment</title>
|
|
<para>If <varname>$SYSTEMD_RELAX_ESP_CHECKS=1</varname> is set the validation checks for the ESP are
|
|
relaxed, and the path specified with <option>--esp-path=</option> may refer to any kind of file system on
|
|
any kind of partition.</para>
|
|
|
|
<para>Similarly, <varname>$SYSTEMD_RELAX_XBOOTLDR_CHECKS=1</varname> turns off some validation checks for
|
|
the Extended Boot Loader partition.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Examples</title>
|
|
|
|
<example>
|
|
<title>Output from <command>status</command> and <command>list</command></title>
|
|
|
|
<programlisting>$ <command>bootctl status</command>
|
|
System:
|
|
Firmware: UEFI 2.40 (<replaceable>firmware-version</replaceable>) ← firmware vendor and version
|
|
Secure Boot: disabled (setup) ← Secure Boot status
|
|
TPM2 Support: yes
|
|
Boot into FW: supported ← does the firmware support booting into itself
|
|
|
|
Current Boot Loader: ← details about sd-boot or another boot loader
|
|
Product: systemd-boot <replaceable>version</replaceable> implementing the <ulink
|
|
url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink>
|
|
Features: ✓ Boot counting
|
|
✓ Menu timeout control
|
|
✓ One-shot menu timeout control
|
|
✓ Default entry control
|
|
✓ One-shot entry control
|
|
✓ Support for XBOOTLDR partition
|
|
✓ Support for passing random seed to OS
|
|
✓ Load drop-in drivers
|
|
✓ Boot loader sets ESP information
|
|
✓ Menu can be disabled
|
|
ESP: /dev/disk/by-partuuid/01234567-89ab-cdef-dead-beef00000000
|
|
File: └─/EFI/systemd/systemd-bootx64.efi
|
|
|
|
Random Seed: ← random seed used for entropy in early boot
|
|
Passed to OS: yes
|
|
System Token: set
|
|
Exists: yes
|
|
|
|
Available Boot Loaders on ESP:
|
|
ESP: /boot/efi (/dev/disk/by-partuuid/01234567-89ab-cdef-dead-beef00000000)
|
|
File: └─/EFI/systemd/systemd-bootx64.efi (systemd-boot 251)
|
|
File: └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 251)
|
|
|
|
Boot Loaders Listed in EFI Variables:
|
|
Title: Linux Boot Manager
|
|
ID: 0x0001
|
|
Status: active, boot-order
|
|
Partition: /dev/disk/by-partuuid/…
|
|
File: └─/EFI/systemd/systemd-bootx64.efi
|
|
|
|
Title: Fedora
|
|
ID: 0x0000
|
|
Status: active, boot-order
|
|
Partition: /dev/disk/by-partuuid/…
|
|
File: └─/EFI/fedora/shimx64.efi
|
|
|
|
Title: Linux-Firmware-Updater
|
|
ID: 0x0002
|
|
Status: active, boot-order
|
|
Partition: /dev/disk/by-partuuid/…
|
|
File: └─/EFI/fedora/fwupdx64.efi
|
|
|
|
Boot Loader Entries:
|
|
$BOOT: /boot/efi (/dev/disk/by-partuuid/01234567-89ab-cdef-dead-beef00000000)
|
|
|
|
Default Boot Loader Entry:
|
|
type: Boot Loader Specification Type #1 (.conf)
|
|
title: Fedora Linux 36 (Workstation Edition)
|
|
id: …
|
|
source: /boot/efi/loader/entries/<replaceable>entry-token</replaceable>-<replaceable>kernel-version</replaceable>.conf
|
|
version: <replaceable>kernel-version</replaceable>
|
|
machine-id: …
|
|
linux: /<replaceable>entry-token</replaceable>/<replaceable>kernel-version</replaceable>/linux
|
|
initrd: /<replaceable>entry-token</replaceable>/<replaceable>kernel-version</replaceable>/initrd
|
|
options: root=…
|
|
</programlisting>
|
|
|
|
<programlisting>$ <command>bootctl list</command>
|
|
Boot Loader Entries:
|
|
type: Boot Loader Specification Type #1 (.conf)
|
|
title: Fedora Linux 36 (Workstation Edition) (default) (selected)
|
|
id: …
|
|
source: /boot/efi/loader/entries/<replaceable>entry-token</replaceable>-<replaceable>kernel-version</replaceable>.conf
|
|
version: <replaceable>kernel-version</replaceable>
|
|
machine-id: …
|
|
linux: /<replaceable>entry-token</replaceable>/<replaceable>kernel-version</replaceable>/linux
|
|
initrd: /<replaceable>entry-token</replaceable>/<replaceable>kernel-version</replaceable>/initrd
|
|
options: root=…
|
|
|
|
type: Boot Loader Specification Type #2 (.efi)
|
|
title: Fedora Linux 35 (Workstation Edition)
|
|
id: …
|
|
source: /boot/efi/EFI/Linux/fedora-<replaceable>kernel-version</replaceable>.efi
|
|
version: <replaceable>kernel-version</replaceable>
|
|
machine-id: …
|
|
linux: /EFI/Linux/fedora-<replaceable>kernel-version</replaceable>.efi
|
|
options: root=…
|
|
|
|
type: Automatic
|
|
title: Reboot Into Firmware Interface
|
|
id: auto-reboot-to-firmware-setup
|
|
source: /sys/firmware/efi/efivars/LoaderEntries-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f
|
|
</programlisting>
|
|
|
|
<para>In the listing, <literal>(default)</literal> specifies the entry that will be
|
|
used by default, and <literal>(selected)</literal> specifies the entry that was
|
|
selected the last time (i.e. is currently running).</para>
|
|
</example>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para><simplelist type="inline">
|
|
<member><citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
|
|
<member><ulink url="https://uapi-group.org/specifications/specs/boot_loader_specification">Boot Loader Specification</ulink></member>
|
|
<member><ulink url="https://systemd.io/BOOT_LOADER_INTERFACE">Boot Loader Interface</ulink></member>
|
|
<member><citerefentry><refentrytitle>systemd-boot-random-seed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
|
|
</simplelist></para>
|
|
</refsect1>
|
|
</refentry>
|