Locally built UKI not cleaned up upon kernel removal

xdbob · May 2, 2026, 9:46am

To accommodate my custom secure boot keyring, I generate/install UKIs with the following /etc/kernel/install.conf

layout=uki
uki_generator=ukify
initrd_generator=dracut

For some time now, the UKIs are not cleaned up anymore and I need to clean them up manually (mostly when I get an update error because ESP is full).

$ rpm -qa | grep kernel-core
kernel-core-6.19.8-200.fc43.x86_64
kernel-core-6.19.14-200.fc43.x86_64
$ ll /boot/efi/EFI/Linux
total 223M
-rwx------. 1 root root 45M Feb 22 15:37 993c50bdbcda40e99cb20463ec6ff289-6.18.12-200.fc43.x86_64.efi*
-rwx------. 1 root root 45M Mar  1 23:00 993c50bdbcda40e99cb20463ec6ff289-6.18.13-200.fc43.x86_64.efi*
-rwx------. 1 root root 45M Feb  3 17:55 993c50bdbcda40e99cb20463ec6ff289-6.18.7-200.fc43.x86_64.efi*
-rwx------. 1 root root 45M May  1 14:04 993c50bdbcda40e99cb20463ec6ff289-6.19.14-200.fc43.x86_64.efi*
-rwx------. 1 root root 45M Mar 23 08:45 993c50bdbcda40e99cb20463ec6ff289-6.19.8-200.fc43.x86_64.efi*

I have dug a bit through the kernel spec files and It forces the --entry-type type1 argument to the kernel-install remove in it’s pre-uninstall hook for non-uki packages.

What would be the best way to make my use-case work ? Does this merit a proper bugzilla issue ?

vekruse · May 2, 2026, 10:43am

Your analysis is spot on, and if you want it to be fixed, a bugzilla report may be needed, or perhaps directly to the system project at https://github.com/systemd/systemd.git.

Or perhaps it should be reported to the kernel bugzilla as it is unclear why the install script added the entry-type argument.

vekruse · May 2, 2026, 5:17pm

You can make a local fix like this

copy /usr/lib/kernel/install.d/90-uki-copy.install to /etc/kernel/install.d/90-uki-copy.install
edit /etc/kernel/install.d/90-uki-copy.install and delete the lines that is reading

        if [ "$KERNEL_INSTALL_BOOT_ENTRY_TYPE" = "type1" ]; then
            [ "$KERNEL_INSTALL_VERBOSE" -gt 0 ] && \
                echo "BOOT_ENTRY_TYPE=type1, not removing UKI related."
            exit 0
        fi

Remember that is a local modification, and it may at some point in time be adjusted for changes in the original file.

Topic		Replies	Views
Kernel-uki-virt failing to clean after itself Ask Fedora	0	263	February 8, 2024
Old kernels not removed from `/boot/efi` Ask Fedora f39 , server	15	7940	May 4, 2024
Automatic EFI entries for direct UKI boot Ask Fedora efibootmgr , boot , f43	1	93	April 4, 2026
Dnf error removing old kernel pkg: rm: cannot remove /efi/.../6.8.10-200.fc39.x86_64/ is a directory (no grub) Ask Fedora efibootmgr , uefi , dnf , kernel , f39 , f40 , systemd-boot	16	896	June 27, 2024
Sudo dnf update gives %posttrans scriptlet error: kernel-modules-0:6.17.10-100.fc41.x86_64 Ask Fedora boot , dnf , kernel , f41	25	433	December 20, 2025

Locally built UKI not cleaned up upon kernel removal

Related topics