Automatic EFI entries for direct UKI boot

Hi guys!

I’ve migrated from grub to direct UKI boot and everything works fine (though it was a long, forced trip here after an update, I like it even more without a boot loader). One thing that I haven’t figured out yet is how to automatically update EFI entries on kernel update/delete/install. I created a kernel postinstall hook to update entries with efibootmgr and it’s working OK for my needs. But after some investigation, it turns out the needed logic is already there in /usr/lib/kernel/install.d/99-uki-uefi-setup.install, provided by the uki-direct package! Looking closely, I didn’t find anything that would prevent this hook from invoking kernel-bootcfg and modifying my EFI entries. Looking forward to some clues, thanks!

My script in /etc/kernel/install.d/91-uki-efibootmgr.install:

#!/bin/bash
# /etc/kernel/install.d/91-uki-efibootmgr.install
# Automatically manages UEFI boot entries for UKI images

set -euo pipefail

COMMAND="$1"
KERNEL_VERSION="$2"


ESP_MOUNT=$(findmnt -n -o TARGET /boot/efi 2>/dev/null \
         || findmnt -n -o TARGET /efi 2>/dev/null \
         || { echo "uki-efibootmgr: ERROR: Cannot find ESP mount point" >&2; exit 1; })

ESP_DEV=$(findmnt -n -o SOURCE "$ESP_MOUNT")
DISK=$(lsblk -no PKNAME "$ESP_DEV")
PART_NUM=$(cat /sys/class/block/"$(basename "$ESP_DEV")"/partition)


ENTRY_TOKEN=$(cat /etc/kernel/entry-token 2>/dev/null \
           || cat /etc/machine-id)


UKI_ABS="${ESP_MOUNT}/EFI/Linux/${ENTRY_TOKEN}-${KERNEL_VERSION}.efi"
UKI_EFI="\\EFI\\Linux\\${ENTRY_TOKEN}-${KERNEL_VERSION}.efi"  # backslashes for UEFI
LABEL="Linux ${KERNEL_VERSION}"


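remove_existing_entries() {
    # Match the label exactly (up to end of line or the tab before the device path);
    # a plain substring match would also delete entries such as "<version>+debug".
    local num
    for num in $(efibootmgr \
            | grep -P "^Boot[0-9A-Fa-f]{4}[* ] \Q${LABEL}\E(\t|\$)" \
            | grep -oP '^Boot\K[0-9A-Fa-f]{4}'); do
        echo "uki-efibootmgr: Removing old UEFI entry Boot${num} ($LABEL)"
        efibootmgr --delete-bootnum --bootnum "$num" --quiet
    done
}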

case "$COMMAND" in

  add)
    if [[ ! -f "$UKI_ABS" ]]; then
        echo "uki-efibootmgr: UKI not found at $UKI_ABS — skipping" >&2
        exit 0
    fi

    remove_existing_entries

    efibootmgr \
        --create \
        --disk    "/dev/${DISK}" \
        --part    "$PART_NUM" \
        --label   "$LABEL" \
        --loader  "$UKI_EFI" \
        --quiet

    echo "uki-efibootmgr: Added UEFI entry '$LABEL' → $UKI_EFI"
    ;;

  remove)
    if ! efibootmgr | grep -F --quiet "$LABEL"; then
        echo "uki-efibootmgr: No UEFI entry found for '$LABEL' — skipping"
        exit 0
    fi

    remove_existing_entries
    echo "uki-efibootmgr: Removed UEFI entry '$LABEL'"
    ;;

  *)
    exit 0
    ;;
esac

/etc/kernel/install.conf:

layout=uki
initrd_generator=dracut
uki_generator=dracut

/etc/dracut.conf.d/cmdline.conf:

kernel_cmdline="root=UUID=... ro resume=UUID=... acpi.ec_no_wakeup=1"

kernel-install inspect --verbose:

layout=uki set via config
INITRD_GENERATOR (dracut) set via config.
UKI_GENERATOR (dracut) set via config.
Loaded config.
MACHINE_ID=... set via /etc/machine-id.
Found container virtualization none.
Directory "/boot" is not the root of the file system.
Couldn't find an XBOOTLDR partition.
Failed to check file system type of "/efi": No such file or directory
File system "/boot" is not a FAT EFI System Partition (ESP) file system.
Using EFI System Partition at /boot/efi as $BOOT_ROOT.
Using entry token: ...
kernel version (6.19.10-200.fc43.x86_64) set via command line.
kernel image file (/usr/lib/modules/6.19.10-200.fc43.x86_64/vmlinuz) set via command line.
Using ENTRY_DIR=/boot/efi/.../6.19.10-200.fc43.x86_64
Successfully forked off '(pager)' as PID 80526.
Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
Failed to execute 'pager', will try 'less' next: No such file or directory
Pager executable is "less", options "FRSXMK", quit_on_interrupt: yes
        Machine ID: ...
 Kernel Image Type: pe
            Layout: uki
         Boot Root: /boot/efi
  Entry Token Type: machine-id
       Entry Token: ...
   Entry Directory: /boot/efi/.../6.19.10-200.fc43.x86_64
    Kernel Version: 6.19.10-200.fc43.x86_64
            Kernel: /usr/lib/modules/6.19.10-200.fc43.x86_64/vmlinuz
           Initrds: (unset)
  Initrd Generator: dracut
     UKI Generator: dracut
           Plugins: /usr/lib/kernel/install.d/40-dkms.install
                    /usr/lib/kernel/install.d/50-depmod.install
                    /usr/lib/kernel/install.d/50-dracut.install
                    /usr/lib/kernel/install.d/51-dracut-rescue.install
                    /usr/lib/kernel/install.d/60-kdump.install
                    /usr/lib/kernel/install.d/90-loaderentry.install
                    /usr/lib/kernel/install.d/90-uki-copy.install
                    /etc/kernel/install.d/91-uki-efibootmgr.install
                    /usr/lib/kernel/install.d/92-crashkernel.install
                    /usr/lib/kernel/install.d/92-tuned.install
                    /usr/lib/kernel/install.d/99-uki-uefi-setup.install
Plugin Environment: LC_COLLATE=C.UTF-8
                    KERNEL_INSTALL_VERBOSE=1
                    KERNEL_INSTALL_IMAGE_TYPE=pe
                    KERNEL_INSTALL_MACHINE_ID=...
                    KERNEL_INSTALL_ENTRY_TOKEN=...
                    KERNEL_INSTALL_BOOT_ROOT=/boot/efi
                    KERNEL_INSTALL_LAYOUT=uki
                    KERNEL_INSTALL_INITRD_GENERATOR=dracut
                    KERNEL_INSTALL_UKI_GENERATOR=dracut
                    KERNEL_INSTALL_STAGING_AREA=/tmp/kernel-install.staging.XXXXXX

Ok, after more testing I found something:

  1. /usr/lib/kernel/install.d/99-uki-uefi-setup.install is actually triggered, but it will not add an entry if there’s a duplicate. And I have leftovers from grub-efi generating some entries, I think?
  2. I removed all entries with efibootmgr, removed my script and reran kernel-install. I have two kernels and /usr/lib/kernel/install.d/99-uki-uefi-setup.install added two new EFI entries as expected. But if I reboot to the EFI UI to select a boot option, I see only one kernel. I can boot normally, but where is the second option?

Another funny thing is that uefi-boot-menu allows me to switch between the two entries and boot with the correct one.

So the new question is: why can I see two boot options in my EFI firmware UI with my script using efibootmgr, but not with 99-uki-uefi-setup.install and kernel-bootcfg? Maybe it’s bugged firmware?
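
For checking what is actually in the boot menu when leftover or duplicate entries are suspected, as in the posts above, here is an added example (not part of the original posts and not code from uki-direct) that reads `efibootmgr` output and reports labels used by more than one entry and entries whose loader file is absent from the ESP. The assumed line format, the `TOKEN` file name and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes each entry line printed by efibootmgr looks like:
#   BootNNNN* <label><TAB><device path ending in the loader path>

# Constructed sample: one UKI entry and two entries sharing a leftover label.
sample_efibootmgr_output() {
    printf 'BootCurrent: 0001\nBootOrder: 0001,0002,0003\n'
    printf 'Boot0001* Linux 6.19.10-200.fc43.x86_64\tHD(1,GPT,c0ffee)/File(\\EFI\\Linux\\TOKEN-6.19.10-200.fc43.x86_64.efi)\n'
    printf 'Boot0002* Fedora\tHD(1,GPT,c0ffee)/File(\\EFI\\fedora\\shimx64.efi)\n'
    printf 'Boot0003* Fedora\tHD(1,GPT,c0ffee)/\\EFI\\fedora\\shimx64.efi\n'
}

# stdin: efibootmgr output; stdout: "num<TAB>label<TAB>loader" for every entry
parse_entries() {
    awk -F'\t' '
        /^Boot[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][* ] / {
            num = substr($1, 5, 4); label = substr($1, 11); loader = ""
            i = index($2, "\\")            # loader starts at the first backslash
            if (i > 0) { loader = substr($2, i); sub(/\).*$/, "", loader) }
            print num "\t" label "\t" loader
        }'
}

# $1: ESP mount point; stdin: efibootmgr output
# Prints "DUPLICATE BootNNNN <label>" and "MISSING BootNNNN <loader>" lines.
audit_boot_entries() {
    esp=$1
    tab=$(printf '\t')
    entries=$(parse_entries)
    dups=$(printf '%s\n' "$entries" | cut -f2 | sort | uniq -d)
    printf '%s\n' "$entries" | while IFS=$tab read -r num label loader; do
        [ -n "$num" ] || continue
        if printf '%s\n' "$dups" | grep -Fxq -- "$label"; then
            printf '%s\n' "DUPLICATE Boot$num $label"
        fi
        [ -n "$loader" ] || continue
        # UEFI paths use backslashes; a vfat ESP resolves them case-insensitively,
        # other file systems do not.
        rel=$(printf '%s' "$loader" | tr '\\' '/')
        [ -f "$esp$rel" ] || printf '%s\n' "MISSING Boot$num $loader"
    done
}

# Demo on the constructed sample. On a real system:
#   efibootmgr | audit_boot_entries /boot/efi
sample_efibootmgr_output | audit_boot_entries "${1:-/boot/efi}"
```

A `MISSING` line for an entry other than the running kernel's is a candidate for cleanup; compare against `BootOrder` before deleting anything.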