This is similar to a “normal” Fedora installation and pretty straight forward.
Before you try this make sure you have a backup of any data before you
start. Playing with the boot loader can bring you very easily in the situation
that your PC refuses to start. Of course you also should have a rescue USB
stick ready so you can do fixes when it really comes to this.
I just want to keep a note here in case anyone comes up with the same
question: how can I get rid of grub?
To be one the safe side first thing I did was to replace all symbolic
links in /boot with copy of the corresponding files.
Then make a tarball of the content of /boot and safe this somewhere
(e.g. in /root).
Next step is to format the partitions which where /boot and /boot/efi
with vfat (mkfs.vfat). The original efi partition which has been /boot/efi
will no longer be used.
You should not forget to check in /dev/disk/by-uuid for your new uuid
of /boot. You can copy your /boot/efi entry in /etc/fstab and change
/boot/efi to /boot and put your new UUID for /boot there. Comment out
your original /boot/efi entry and also you original /boot entry.
So you will have a new boot entry with vfat and the new UUID and no
/boot/efi entry any longer.
Now you should use parted or fdisk to unset the boot flag on the original
efi partiion and set in on the boot partition. You can also change the names
if you like. As already said the original efi partition will no longer be used.
Back in you /boot partition untar your saved boot tar file so you have
all your files back in /boot.
It is very important that you now move your efi directory. In the original
layout in was placed in /boot/efi/EFI because /boot/efi was a mount point.
mv efi efi.x
mv efi.x/EFI .
rm -rf efi.x
All EFI stuff is now in /boot/EFI.
Now we have a vfat formatted boot partition without any extra efi partition.
This also means that the kernel and the initial ramdisk are on a vfat
partition which is readable by your UEFI.
For a test you can boot your PC now and grub will come up. After the
described steps I got an error message and the hint I should press a key.
Press any key and the installation will start up will continue.
Next step is to install systemd-boot. This is done simply by
All relevant EFI stuff is now in /boot/EFI/systemd.
If you boot your PC at this point you will have to disable Secure boot
because systemd-boot cannot handle signed binaries as it is able with grub.
This is due to the fact that the kernel is started by the UEFI directly.
In order to fix that we need to apply the secure boot system of the
Linux Foundation which was presented in Februrary 2013 by James Bottomley.
Download PreLoader.efi and HashTool.efi and put them into
mv systemd-bootx64.efi loader.efi
cp PreLoader.efi systemd-bootx64.efi
As you can see from this PreLoader.efi will act as systemd-bootx64.efi.
Then loader.efi (the original systemd-bootx64.efi) is loaded.
PreLoader.efi is signed by Microsoft and will start with Secure Boot.
Now you can start your PC. You will see a “blue screen” telling you
that you need to do hash enrollment. First you have to sign loader.efi.
After this you have to sign your kernel (/boot/ostree/fedora-…/vmlinuz-…).
For each new kernel you will get you have to repeat this and do the
enrollment with HashTool.
BTW: if you for some reason want to remove your MokList you can enter
and EFI shell and do
dmpstore -d MokList
This solution still does not deal with signed binaries like grub but
since you manually have to add a hash into the MokList with the HashTool
you prevent your systems to startup binaries you have not agreed to.
Nobody who has not physical access to your system can use your HashTool.
Of course it is a matter of taste but I prefer to see the boot menu
and also have a timeout so you can activate the correspondent lines
Booting now will even work with activated Secure Boot.
This seems to me much simpler than all these complicated grub configurations
with several stages.