Kernel images fail to boot with Failed to execute / UEFI Load Error

I have been using Secure Boot with Unified Kernel Image and systemd-boot for a couple of years using the instructions from
https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
https://wiki.archlinux.org/title/Unified_kernel_image

This worked fine until a month ago or so with Garuda updates that no longer build a functional kernel. I receive the errors mentioned in the title when trying to run linux-zen-signed.efi, even with Secure Boot disabled. It fails early on, so the kernel doesn’t start at all, we don’t get to initrd or any of that, and the machine simply boots the next available OS or returns to firmware setup instead after showing the error.

This happened on two separate computers when rebooted after garuda-update, at different times this September, and with one having Intel and the other AMD hardware. I’ve tried looking up the error messages online to no avail, nobody else on the Internet seems to have this problem.

A kernel image that doesn’t load: https://zi.fi/linux-zen-signed.efi

The problem is beyond my skills (with objdump or other tooling), but if anyone wants to have a look at why this kernel doesn’t load up and which part of the build might be causing issues here, I would highly appreciate it.

And while this problem is looming, I won’t be doing any garuda-update on my laptop that still boots up fine with the same Secure Boot setup. I can also get a kernel image from it for comparison if that is of any use.

Welcome to the forum
Can you provide your

garuda-inxi

as per the forum template


Cool, but if you read the post you’ll notice my two desktop machines don’t boot at all, so I cannot run that. Both have ASUS gaming motherboards, one is a Ryzen5 and the other a modern Intel build.

Hey vas, I haven’t used secure boot before so just giving some general advice based on what’s been happening on forum for a while.

  1. Make sure that your device’s SATA controller is set to AHCI mode in your UEFI. Quite a few issues cropped up on the forum lately where people couldn’t boot anymore and this was the issue, so kindly just ensure you have this ruled out.

  2. Try to chroot from a live USB and try to use a different kernel such as the mainline or LTS kernel to rule out the possibility of this being a zen kernel bug. Quite a few people have been having issues with the zen kernel lately.
    2.1 You can chroot from the live USB using the command garuda-chroot -a, which will automatically detect your disk to chroot into, or if this fails (happens in Ventoy)
    2.2 you can go the manual route following this guide: How to chroot Garuda Linux. Please note this guide goes on to reinstall grub, which you don’t need to do; you can just use the pacman commands to download a new kernel (plus whatever other steps are required to ensure that secure boot works with the said kernel).

PS: you can provide the garuda-inxi from the live ISO as well; it will help us know if there are any other issues identifiable.


I have rebuilt the unified efi file by using objcopy to extract sections linux, initrd and cmdline of the broken one and then rebuilding with systemd-ukify.

objcopy linux-zen-signed.efi -O binary -j .linux linux
objcopy linux-zen-signed.efi -O binary -j .initrd initrd
objcopy linux-zen-signed.efi -O binary -j .cmdline cmdline
/usr/lib/systemd/ukify build --linux=linux --initrd=initrd --cmdline=@cmdline

The produced linux.unsigned.efi boots fine. Still need to figure out what is wrong with pacman hooks that make the build. Also I didn’t sbsign the manually constructed image yet.

System:
  Kernel: 6.5.5-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 13.2.1
    clocksource: tsc available: hpet,acpi_pm
    parameters: root=UUID=06404964-fe2c-4696-a0f2-9f9c3f23c6ed rw
    rootflags=subvol=@ resume=/dev/nvme0n1p3 audit=0 rd.udev.log_priority=3
    vt.global_cursor_default=0 systemd.unified_cgroup_hierarchy=1
    libata.allow_tpm=1 loglevel=3
  Console: pty pts/1 Distro: Garuda Linux base: Arch Linux
Machine:
  Type: Desktop System: ASUS product: N/A v: N/A serial: N/A
  Mobo: ASUSTeK model: ROG STRIX B560-I GAMING WIFI v: Rev 1.xx
    serial: <filter> UEFI: American Megatrends v: 1007 date: 07/13/2021
Battery:
  ID-1: hidpp_battery_1 charge: 54% condition: N/A volts: 3.8 min: N/A
    model: Logitech G903 LIGHTSPEED Wireless Gaming Mouse w/ HERO type: N/A
    serial: <filter> status: N/A
  Device-1: hidpp_battery_0 model: Logitech MX Keys Wireless Keyboard
    serial: <filter> charge: 55% (should be ignored) rechargeable: yes
    status: discharging
CPU:
  Info: model: 11th Gen Intel Core i5-11600K socket: LGA1200 bits: 64
    type: MT MCP arch: Rocket Lake gen: core 11 level: v4 note: check
    built: 2021+ process: Intel 14nm family: 6 model-id: 0xA7 (167)
    stepping: 1 microcode: 0x59
  Topology: cpus: 1x cores: 6 tpc: 2 threads: 12 smt: enabled cache:
    L1: 480 KiB desc: d-6x48 KiB; i-6x32 KiB L2: 3 MiB desc: 6x512 KiB
    L3: 12 MiB desc: 1x12 MiB
  Speed (MHz): avg: 3069 high: 4900 min/max: 800/4900 base/boost: 3861/4900
    scaling: driver: intel_pstate governor: performance volts: 1.1 V
    ext-clock: 100 MHz cores: 1: 4212 2: 4545 3: 4900 4: 800 5: 800 6: 4839
    7: 800 8: 4722 9: 4900 10: 800 11: 4713 12: 800 bogomips: 93888
  Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities: <filter>
Graphics:
  Device-1: Intel RocketLake-S GT1 [UHD Graphics 750] vendor: ASUSTeK
    driver: i915 v: kernel arch: Gen-12.1 process: Intel 10nm built: 2020-21
    ports: active: HDMI-A-2 empty: DP-1,HDMI-A-1 bus-ID: 00:02.0
    chip-ID: 8086:4c8a class-ID: 0300
  Display: server: Xwayland v: 23.2.1 driver: X: loaded: modesetting
    alternate: fbdev,intel,vesa dri: iris gpu: i915 tty: 80x24
  Monitor-1: HDMI-A-2 model: LG (GoldStar) TV SSCR2 serial: <filter>
    built: 2021 res: 3840x2160 dpi: 61 gamma: 1.2
    size: 1600x900mm (62.99x35.43") diag: 1836mm (72.3") ratio: 16:9 modes:
    max: 3840x2160 min: 720x400
Use of uninitialized value $val2 in string eq at /usr/bin/inxi line 7454.
Use of uninitialized value $val2 in split at /usr/bin/inxi line 7459.
Use of uninitialized value $val2 in concatenation (.) or string at /usr/bin/inxi line 7462.
Use of uninitialized value $val2 in concatenation (.) or string at /usr/bin/inxi line 7465.
Use of uninitialized value $val2 in concatenation (.) or string at /usr/bin/inxi line 7466.
  API: EGL Message:
Audio:
  Device-1: Intel Tiger Lake-H HD Audio vendor: ASUSTeK driver: snd_hda_intel
    v: kernel alternate: snd_sof_pci_intel_tgl bus-ID: 00:1f.3
    chip-ID: 8086:43c8 class-ID: 0403
  API: ALSA v: k6.5.5-zen1-1-zen status: kernel-api
    tools: alsactl,alsamixer,amixer
  Server-1: PipeWire v: 0.3.80 status: off with: 1: pipewire-pulse
    status: off 2: wireplumber status: off 3: pipewire-alsa type: plugin
    4: pw-jack type: plugin tools: pactl,pw-cat,pw-cli,wpctl
Network:
  Device-1: Intel Tiger Lake PCH CNVi WiFi driver: iwlwifi v: kernel
    bus-ID: 00:14.3 chip-ID: 8086:43f0 class-ID: 0280
  Device-2: Intel 82599 10 Gigabit Network vendor: Beijing Sinead
    driver: ixgbe v: kernel pcie: gen: 2 speed: 5 GT/s lanes: 8 port: 6000
    bus-ID: 01:00.0 chip-ID: 8086:1557 class-ID: 0200
  IF: lan state: up speed: 10000 Mbps duplex: full mac: <filter>
  Device-3: Realtek RTL8125 2.5GbE vendor: ASUSTeK driver: r8169 v: kernel
    pcie: gen: 2 speed: 5 GT/s lanes: 1 port: 4000 bus-ID: 05:00.0
    chip-ID: 10ec:8125 class-ID: 0200
  IF: rj45 state: down mac: <filter>
  IF-ID-1: docker0 state: up speed: 10000 Mbps duplex: unknown mac: <filter>
  IF-ID-2: veth0f31499 state: up speed: 10000 Mbps duplex: full
    mac: <filter>
  IF-ID-3: wan state: up speed: 10000 Mbps duplex: full mac: <filter>
  IF-ID-4: wg0 state: unknown speed: N/A duplex: N/A mac: N/A
Bluetooth:
  Device-1: Intel AX201 Bluetooth driver: btusb v: 0.8 type: USB rev: 2.0
    speed: 12 Mb/s lanes: 1 mode: 1.1 bus-ID: 1-14:7 chip-ID: 8087:0026
    class-ID: e001
  Report: btmgmt ID: hci0 rfk-id: 0 state: up address: <filter> bt-v: 5.2
    lmp-v: 11 status: discoverable: no pairing: no class-ID: 108
RAID:
  Supported mdraid levels: raid1 raid6 raid5 raid4
  Device-1: md0 maj-min: 9:0 type: mdraid level: mirror status: active
    state: clean size: 63 GiB
  Info: report: 2/2 UU blocks: 66060224 chunk-size: N/A
  Components: Online:
  0: nvme0n1p3 maj-min: 259:3 size: 64 GiB state: active sync
  1: nvme1n1p2 maj-min: 259:7 size: 63 GiB state: active sync
  Device-2: md127 maj-min: 9:127 type: mdraid level: raid-5 status: active
    state: clean size: 38.2 TiB
  Info: report: 4/4 UUUU blocks: 41016744960 chunk-size: 1024k
    super-blocks: 1.2 algorithm: 2
  Components: Online:
  0: sda1 maj-min: 8:1 size: 12.73 TiB state: active sync
  1: sdb1 maj-min: 8:17 size: 12.73 TiB state: active sync
  2: sdc1 maj-min: 8:33 size: 12.73 TiB state: active sync
  4: sdd1 maj-min: 8:49 size: 12.73 TiB state: active sync
Drives:
  Local Storage: total: 55.54 TiB used: 40.69 TiB (73.3%)
  ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Seagate model: FireCuda 530
    ZP4000GM30013 size: 3.64 TiB block-size: physical: 512 B logical: 512 B
    speed: 63.2 Gb/s lanes: 4 tech: SSD serial: <filter> fw-rev: SU6SM001
    temp: 53.9 C scheme: GPT
  SMART: yes health: PASSED on: 1y 229d 3h cycles: 23
    read-units: 196,729,421 [100 TB] written-units: 275,797,242 [141 TB]
  ID-2: /dev/nvme1n1 maj-min: 259:5 vendor: Samsung model: SSD 980 PRO 1TB
    size: 931.51 GiB block-size: physical: 512 B logical: 512 B speed: 63.2 Gb/s
    lanes: 4 tech: SSD serial: <filter> fw-rev: 3B2QGXA7 temp: 46.9 C
    scheme: GPT
  SMART: yes health: PASSED on: 1y 89d 23h cycles: 139
    read-units: 927,272,320 [474 TB] written-units: 395,879,508 [202 TB]
  ID-3: /dev/sda maj-min: 8:0 vendor: Western Digital
    model: WD140EFGX-68B0GN0 family: Red size: 12.73 TiB block-size:
    physical: 4096 B logical: 4096 B sata: 3.2 speed: 6.0 Gb/s tech: HDD
    rpm: 7200 serial: <filter> fw-rev: 0A85 temp: 50 C scheme: GPT
  SMART: yes state: enabled health: PASSED on: 2y 16d 13h cycles: 138
  ID-4: /dev/sdb maj-min: 8:16 vendor: Western Digital
    model: WD140EFGX-68B0GN0 family: Red size: 12.73 TiB block-size:
    physical: 4096 B logical: 4096 B sata: 3.2 speed: 6.0 Gb/s tech: HDD
    rpm: 7200 serial: <filter> fw-rev: 0A85 temp: 49 C scheme: GPT
  SMART: yes state: enabled health: PASSED on: 2y 16d 13h cycles: 138
  ID-5: /dev/sdc maj-min: 8:32 vendor: Western Digital
    model: WD140EFGX-68B0GN0 family: Red size: 12.73 TiB block-size:
    physical: 4096 B logical: 4096 B sata: 3.2 speed: 6.0 Gb/s tech: HDD
    rpm: 7200 serial: <filter> fw-rev: 0A85 temp: 49 C scheme: GPT
  SMART: yes state: enabled health: PASSED on: 2y 16d 13h cycles: 138
  ID-6: /dev/sdd maj-min: 8:48 vendor: Western Digital
    model: WD140EFGX-68B0GN0 family: Red size: 12.73 TiB block-size:
    physical: 4096 B logical: 4096 B sata: 3.2 speed: 6.0 Gb/s tech: HDD
    rpm: 7200 serial: <filter> fw-rev: 0A85 temp: 44 C scheme: GPT
  SMART: yes state: enabled health: PASSED on: 1y 53d 6h cycles: 15
  ID-7: /dev/sde maj-min: 8:64 vendor: SanDisk model: Ultra size: 57.3 GiB
    block-size: physical: 512 B logical: 512 B type: USB rev: 3.2 spd: 5 Gb/s
    lanes: 1 mode: 3.2 gen-1x1 tech: N/A serial: <filter> fw-rev: 1.00
    scheme: MBR
  SMART Message: Unknown USB bridge. Flash drive/Unsupported enclosure?
Partition:
  ID-1: / raw-size: 63 GiB size: 63 GiB (100.00%) used: 55.3 GiB (87.8%)
    fs: btrfs block-size: 4096 B dev: /dev/md0 maj-min: 9:0
  ID-2: /boot/efi raw-size: 127 MiB size: 126.7 MiB (99.79%)
    used: 116.5 MiB (91.9%) fs: vfat block-size: 512 B dev: /dev/nvme1n1p1
    maj-min: 259:6
  ID-3: /home raw-size: 63 GiB size: 63 GiB (100.00%) used: 55.3 GiB (87.8%)
    fs: btrfs block-size: 4096 B dev: /dev/md0 maj-min: 9:0
  ID-4: /var/log raw-size: 63 GiB size: 63 GiB (100.00%)
    used: 55.3 GiB (87.8%) fs: btrfs block-size: 4096 B dev: /dev/md0
    maj-min: 9:0
  ID-5: /var/tmp raw-size: 63 GiB size: 63 GiB (100.00%)
    used: 55.3 GiB (87.8%) fs: btrfs block-size: 4096 B dev: /dev/md0
    maj-min: 9:0
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default) zswap: no
  ID-1: swap-1 type: zram size: 30.16 GiB used: 0 KiB (0.0%) priority: 100
    comp: zstd avail: lzo,lzo-rle,lz4,lz4hc,842 max-streams: 12 dev: /dev/zram0
Sensors:
  System Temperatures: cpu: 56.0 C mobo: 43.0 C
  Fan Speeds (rpm): fan-1: 2070 fan-2: 1153 fan-3: 0 fan-4: 0 fan-5: 0
    fan-6: 0
Info:
  Processes: 378 Uptime: 6m wakeups: 10 Memory: total: 32 GiB
  available: 30.16 GiB used: 6.32 GiB (21.0%) igpu: 1024 MiB Init: systemd
  v: 254 default: multi-user tool: systemctl Compilers: gcc: 13.2.1
  clang: 16.0.6 Packages: pm: pacman pkgs: 1205 libs: 253
  tools: pamac,paru,trizen,yay Shell: fish (sudo) v: 3.6.1
  running-in: pty pts/1 (SSH) inxi: 3.3.30
Garuda (2.6.16-1):
  System install date:     2021-09-16
  Last full system update: 2023-10-04 ↻
  Is partially upgraded:   No
  Relevant software:       NetworkManager dracut(custom) mkinitcpio
  Windows dual boot:       No/Undetected
  Failed units:            beeper.service mdmonitor.service shadow.service systemd-networkd-wait-online.service [email protected]

Also objdumps of before and after, in case someone can tell the difference

 ╭─root@sna in /boot/efi/EFI/Linux took 1ms
 ╰─λ objdump -x linux.unsigned.efi 

linux.unsigned.efi:     file format pei-x86-64
linux.unsigned.efi
architecture: i386:x86-64, flags 0x00000103:
HAS_RELOC, EXEC_P, D_PAGED
start address 0x000000014df9cbc0

Characteristics 0x22e
	executable
	line numbers stripped
	symbols stripped
	large address aware
	debugging information removed

Time/Date		Wed Sep 27 14:11:01 2023
Magic			020b	(PE32+)
MajorLinkerVersion	0
MinorLinkerVersion	0
SizeOfCode		000000000000bcee
SizeOfInitializedData	00000000039e70a0
SizeOfUninitializedData	0000000000000000
AddressOfEntryPoint	000000000000cbc0
BaseOfCode		0000000000001000
ImageBase		000000014df90000
SectionAlignment	00001000
FileAlignment		00000200
MajorOSystemVersion	0
MinorOSystemVersion	0
MajorImageVersion	254
MinorImageVersion	0
MajorSubsystemVersion	1
MinorSubsystemVersion	1
Win32Version		00000000
SizeOfImage		039fc000
SizeOfHeaders		00000400
CheckSum		00000000
Subsystem		0000000a	(EFI application)
DllCharacteristics	00000160
					HIGH_ENTROPY_VA
					DYNAMIC_BASE
					NX_COMPAT
SizeOfStackReserve	0000000000100000
SizeOfStackCommit	0000000000001000
SizeOfHeapReserve	0000000000100000
SizeOfHeapCommit	0000000000001000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000013000 00000078 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved


PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00010000 Chunk size 120 (0x78) Number of fixups 56
	reloc    0 offset    0 [10000] ABSOLUTE
	reloc    1 offset   20 [10020] DIR64
	reloc    2 offset   28 [10028] DIR64
	reloc    3 offset   30 [10030] DIR64
	reloc    4 offset   38 [10038] DIR64
	reloc    5 offset   40 [10040] DIR64
	reloc    6 offset   48 [10048] DIR64
	reloc    7 offset   50 [10050] DIR64
	reloc    8 offset   58 [10058] DIR64
	reloc    9 offset   60 [10060] DIR64
	reloc   10 offset   68 [10068] DIR64
	reloc   11 offset   70 [10070] DIR64
	reloc   12 offset   78 [10078] DIR64
	reloc   13 offset   80 [10080] DIR64
	reloc   14 offset   88 [10088] DIR64
	reloc   15 offset   90 [10090] DIR64
	reloc   16 offset   98 [10098] DIR64
	reloc   17 offset   a0 [100a0] DIR64
	reloc   18 offset   a8 [100a8] DIR64
	reloc   19 offset   b0 [100b0] DIR64
	reloc   20 offset   b8 [100b8] DIR64
	reloc   21 offset   c0 [100c0] DIR64
	reloc   22 offset   c8 [100c8] DIR64
	reloc   23 offset   d0 [100d0] DIR64
	reloc   24 offset   d8 [100d8] DIR64
	reloc   25 offset   e0 [100e0] DIR64
	reloc   26 offset   e8 [100e8] DIR64
	reloc   27 offset   f0 [100f0] DIR64
	reloc   28 offset   f8 [100f8] DIR64
	reloc   29 offset  100 [10100] DIR64
	reloc   30 offset  108 [10108] DIR64
	reloc   31 offset  110 [10110] DIR64
	reloc   32 offset  118 [10118] DIR64
	reloc   33 offset  120 [10120] DIR64
	reloc   34 offset  128 [10128] DIR64
	reloc   35 offset  130 [10130] DIR64
	reloc   36 offset  138 [10138] DIR64
	reloc   37 offset  140 [10140] DIR64
	reloc   38 offset  148 [10148] DIR64
	reloc   39 offset  150 [10150] DIR64
	reloc   40 offset  158 [10158] DIR64
	reloc   41 offset  160 [10160] DIR64
	reloc   42 offset  168 [10168] DIR64
	reloc   43 offset  170 [10170] DIR64
	reloc   44 offset  178 [10178] DIR64
	reloc   45 offset  180 [10180] DIR64
	reloc   46 offset  188 [10188] DIR64
	reloc   47 offset  190 [10190] DIR64
	reloc   48 offset  198 [10198] DIR64
	reloc   49 offset  1a0 [101a0] DIR64
	reloc   50 offset  1a8 [101a8] DIR64
	reloc   51 offset  1b0 [101b0] DIR64
	reloc   52 offset  1b8 [101b8] DIR64
	reloc   53 offset  1c0 [101c0] DIR64
	reloc   54 offset  1c8 [101c8] DIR64
	reloc   55 offset  1e0 [101e0] DIR64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0000bcee  000000014df91000  000000014df91000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .rodata       000022dc  000000014df9d000  000000014df9d000  0000c200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00000268  000000014dfa0000  000000014dfa0000  0000e600  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .sdmagic      00000030  000000014dfa1000  000000014dfa1000  0000ea00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .sbat         000000ea  000000014dfa2000  000000014dfa2000  0000ec00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .reloc        00000078  000000014dfa3000  000000014dfa3000  0000ee00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .osrel        00000187  000000014dfa4000  000000014dfa4000  0000f000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .cmdline      000000d5  000000014dfa5000  000000014dfa5000  0000f200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .uname        00000010  000000014dfa6000  000000014dfa6000  0000f400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .initrd       02ccbf3e  000000014dfa7000  000000014dfa7000  0000f600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
 10 .linux        00d18820  0000000150c73000  0000000150c73000  02cdb600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
SYMBOL TABLE:
no symbols



 ╭─root@sna in /boot/efi/EFI/Linux took 20ms
 ╰─λ objdump -x linux-zen-signed.orig 

linux-zen-signed.orig:     file format pei-x86-64
linux-zen-signed.orig
architecture: i386:x86-64, flags 0x00000103:
HAS_RELOC, EXEC_P, D_PAGED
start address 0x000000014df9cbc0

Characteristics 0x22e
	executable
	line numbers stripped
	symbols stripped
	large address aware
	debugging information removed

Time/Date		Mon Oct  2 00:47:20 2023
Magic			020b	(PE32+)
MajorLinkerVersion	2
MinorLinkerVersion	41
SizeOfCode		000000000000be00
SizeOfInitializedData	00000000039e7c00
SizeOfUninitializedData	0000000000000000
AddressOfEntryPoint	000000000000cbc0
BaseOfCode		0000000000001000
ImageBase		000000014df90000
SectionAlignment	00001000
FileAlignment		00000200
MajorOSystemVersion	0
MinorOSystemVersion	0
MajorImageVersion	254
MinorImageVersion	0
MajorSubsystemVersion	1
MinorSubsystemVersion	1
Win32Version		00000000
SizeOfImage		00014000
SizeOfHeaders		00000400
CheckSum		03a013de
Subsystem		0000000a	(EFI application)
DllCharacteristics	00000160
					HIGH_ENTROPY_VA
					DYNAMIC_BASE
					NX_COMPAT
SizeOfStackReserve	0000000000100000
SizeOfStackCommit	0000000000001000
SizeOfHeapReserve	0000000000100000
SizeOfHeapCommit	0000000000001000
LoaderFlags		00000000
NumberOfRvaAndSizes	00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000000000 00000000 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 00000000039f3e00 00000618 Security Directory
Entry 5 0000000000013000 00000078 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved


PE File Base Relocations (interpreted .reloc section contents)

Virtual Address: 00010000 Chunk size 120 (0x78) Number of fixups 56
	reloc    0 offset    0 [10000] ABSOLUTE
	reloc    1 offset   20 [10020] DIR64
	reloc    2 offset   28 [10028] DIR64
	reloc    3 offset   30 [10030] DIR64
	reloc    4 offset   38 [10038] DIR64
	reloc    5 offset   40 [10040] DIR64
	reloc    6 offset   48 [10048] DIR64
	reloc    7 offset   50 [10050] DIR64
	reloc    8 offset   58 [10058] DIR64
	reloc    9 offset   60 [10060] DIR64
	reloc   10 offset   68 [10068] DIR64
	reloc   11 offset   70 [10070] DIR64
	reloc   12 offset   78 [10078] DIR64
	reloc   13 offset   80 [10080] DIR64
	reloc   14 offset   88 [10088] DIR64
	reloc   15 offset   90 [10090] DIR64
	reloc   16 offset   98 [10098] DIR64
	reloc   17 offset   a0 [100a0] DIR64
	reloc   18 offset   a8 [100a8] DIR64
	reloc   19 offset   b0 [100b0] DIR64
	reloc   20 offset   b8 [100b8] DIR64
	reloc   21 offset   c0 [100c0] DIR64
	reloc   22 offset   c8 [100c8] DIR64
	reloc   23 offset   d0 [100d0] DIR64
	reloc   24 offset   d8 [100d8] DIR64
	reloc   25 offset   e0 [100e0] DIR64
	reloc   26 offset   e8 [100e8] DIR64
	reloc   27 offset   f0 [100f0] DIR64
	reloc   28 offset   f8 [100f8] DIR64
	reloc   29 offset  100 [10100] DIR64
	reloc   30 offset  108 [10108] DIR64
	reloc   31 offset  110 [10110] DIR64
	reloc   32 offset  118 [10118] DIR64
	reloc   33 offset  120 [10120] DIR64
	reloc   34 offset  128 [10128] DIR64
	reloc   35 offset  130 [10130] DIR64
	reloc   36 offset  138 [10138] DIR64
	reloc   37 offset  140 [10140] DIR64
	reloc   38 offset  148 [10148] DIR64
	reloc   39 offset  150 [10150] DIR64
	reloc   40 offset  158 [10158] DIR64
	reloc   41 offset  160 [10160] DIR64
	reloc   42 offset  168 [10168] DIR64
	reloc   43 offset  170 [10170] DIR64
	reloc   44 offset  178 [10178] DIR64
	reloc   45 offset  180 [10180] DIR64
	reloc   46 offset  188 [10188] DIR64
	reloc   47 offset  190 [10190] DIR64
	reloc   48 offset  198 [10198] DIR64
	reloc   49 offset  1a0 [101a0] DIR64
	reloc   50 offset  1a8 [101a8] DIR64
	reloc   51 offset  1b0 [101b0] DIR64
	reloc   52 offset  1b8 [101b8] DIR64
	reloc   53 offset  1c0 [101c0] DIR64
	reloc   54 offset  1c8 [101c8] DIR64
	reloc   55 offset  1e0 [101e0] DIR64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .osrel        00000163  0000000200020000  0000000200020000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  1 .cmdline      000000d5  0000000200030000  0000000200030000  00000600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .linux        00d18820  0000000202000000  0000000202000000  00000800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  3 .initrd       02ccbf3e  0000000203000000  0000000203000000  00d19200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 .text         0000bcee  000000014df91000  000000014df91000  039e5200  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  5 .rodata       000022dc  000000014df9d000  000000014df9d000  039f1000  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .data         00000268  000000014dfa0000  000000014dfa0000  039f3400  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  7 .sdmagic      00000030  000000014dfa1000  000000014dfa1000  039f3800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .sbat         000000ea  000000014dfa2000  000000014dfa2000  039f3a00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .reloc        00000078  000000014dfa3000  000000014dfa3000  039f3c00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
SYMBOL TABLE:
no symbols

My systems didn’t have systemd-ukify installed, and installing it didn’t remove anything else. Something else builds the (broken) UEFI unified kernel image, from Pacman hooks, whenever the kernel is upgraded. Can anyone help me figure out which package and/or scripts are responsible for that?

What are you using to generate the initramfs? It looks like you have both dracut and mkinitcpio being detected here:

Please reinstall your kernel and paste the input/output into the thread so we can take a look.


It would seem that mkinitcpio is being used for that. Unified kernel assembly appears to be a separate step after initrd and kernel images are already created separately (prior to part 5/5 below where unified image is made), so it should no longer concern mkinitcpio I think.

pacman -S linux-zen
resolving dependencies...
looking for conflicting packages...

Packages (1) linux-zen-6.5.7.zen1-1

Total Installed Size:  132.00 MiB

:: Proceed with installation? [Y/n]
(1/1) checking keys in keyring                                           [----------------------------------------] 100%
(1/1) checking package integrity                                         [----------------------------------------] 100%
(1/1) loading package files                                              [----------------------------------------] 100%
(1/1) checking for file conflicts                                        [----------------------------------------] 100%
(1/1) checking available disk space                                      [----------------------------------------] 100%
:: Running pre-transaction hooks...
(1/1) Saving Linux kernel modules...
:: Processing package changes...
(1/1) installing linux-zen                                               [----------------------------------------] 100%
Optional dependencies for linux-zen
    wireless-regdb: to set the correct wireless channels of your country [installed]
    linux-firmware: firmware images needed for some devices [installed]
:: Running post-transaction hooks...
(1/5) Restoring Linux kernel modules...
++ uname -r
+ KVER=6.5.5-zen1-1-zen
+ test -e /usr/lib/modules/backup/6.5.5-zen1-1-zen
+ rsync -AHXal --ignore-existing /usr/lib/modules/backup/6.5.5-zen1-1-zen /usr/lib/modules/
+ rm -rf /usr/lib/modules/backup
(2/5) Arming ConditionNeedsUpdate...
(3/5) Updating module dependencies...
(4/5) Updating linux initcpios...
==> Building image from preset: /etc/mkinitcpio.d/linux-zen.preset: 'default'
==> Using configuration file: '/etc/mkinitcpio.conf'
  -> -k /boot/vmlinuz-linux-zen -c /etc/mkinitcpio.conf -g /boot/initramfs-linux-zen.img
==> Starting build: '6.5.7-zen1-1-zen'
  -> Running build hook: [base]
  -> Running build hook: [systemd]
  -> Running build hook: [keyboard]
  -> Running build hook: [autodetect]
  -> Running build hook: [modconf]
  -> Running build hook: [sd-vconsole]
  -> Running build hook: [systemd-tool]
    replacing initramfs unit file: /usr/lib/systemd/system/initrd-debug-progs.service
    replacing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
    replacing initramfs unit file: /etc/systemd/system/initrd-network.service
    replacing initramfs unit file: /usr/lib/systemd/system/systemd-networkd.service
    replacing initramfs unit file: /usr/lib/systemd/system/initrd-shell.service
  -> Running build hook: [block]
  -> Running build hook: [mdadm_udev]
  -> Running build hook: [lvm2]
  -> Running build hook: [fsck]
  -> Running build hook: [filesystems]
==> Generating module dependencies
==> Creating zstd-compressed initcpio image: '/boot/initramfs-linux-zen.img'
==> Image generation successful
(5/5) Updating UEFI kernel images...
Generating and signing linux-zen-signed.efi
objcopy: /boot/efi/EFI/Linux/linux-zen-signed.efi:.osrel: section below image base
objcopy: /boot/efi/EFI/Linux/linux-zen-signed.efi:.cmdline: section below image base
objcopy: /boot/efi/EFI/Linux/linux-zen-signed.efi:.linux: section below image base
objcopy: /boot/efi/EFI/Linux/linux-zen-signed.efi:.initrd: section below image base
Signing Unsigned original image
warning: data remaining[87576 vs 98992]: gaps between PE/COFF sections?
Skipping already signed file /boot/efi/EFI/boot/bootx64.efi
warning: data remaining[87576 vs 98992]: gaps between PE/COFF sections?
Skipping already signed file /boot/efi/EFI/systemd/systemd-bootx64.efi

The gap warnings I have seen before, but not “section below image base”. Perhaps that is the problem? By the log it seems that objcopy is being used directly, but this still doesn’t say by which script, nor which EFI stub (ukify uses systemd-stub).

Thanks for your guidance.
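Added example, not part of any post in this thread and not code from sbupdate, objcopy or systemd: a small PE32+ header check that compares each section's placement against SizeOfImage, which is where the two objdump listings above differ. The header bytes are constructed from the values in those listings (objdump's Size column is assumed to be each section's VirtualSize), and the function names are illustrative.

```python
import struct

IMAGE_BASE = 0x14DF90000  # ImageBase shown in both objdump listings

# (name, VMA, size) as printed by objdump -x in the thread.
STUB = [(".text", 0x14DF91000, 0xBCEE), (".rodata", 0x14DF9D000, 0x22DC),
        (".data", 0x14DFA0000, 0x268), (".sdmagic", 0x14DFA1000, 0x30),
        (".sbat", 0x14DFA2000, 0xEA), (".reloc", 0x14DFA3000, 0x78)]
GOOD = STUB + [(".osrel", 0x14DFA4000, 0x187), (".cmdline", 0x14DFA5000, 0xD5),
               (".uname", 0x14DFA6000, 0x10), (".initrd", 0x14DFA7000, 0x2CCBF3E),
               (".linux", 0x150C73000, 0xD18820)]
BROKEN = [(".osrel", 0x200020000, 0x163), (".cmdline", 0x200030000, 0xD5),
          (".linux", 0x202000000, 0xD18820),
          (".initrd", 0x203000000, 0x2CCBF3E)] + STUB


def build_header(image_base, size_of_image, sections):
    """Constructed input: PE32+ headers and section table only, no payload."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature
    opt = bytearray(240)                           # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)          # Magic
    struct.pack_into("<QII", opt, 24, image_base, 0x1000, 0x200)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0,
                       len(opt), 0x22E)
    table = b"".join(
        # VirtualAddress is a 32-bit RVA: VMA minus ImageBase, modulo 2**32.
        struct.pack("<8sII", name.encode(), size,
                    (vma - image_base) & 0xFFFFFFFF) + bytes(24)
        for name, vma, size in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return ImageBase, SizeOfImage and (name, rva, vsize) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    (nsect,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("not a PE32+ image")
    (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    (size_of_image,) = struct.unpack_from("<I", data, opt + 56)
    sections = []
    for i in range(nsect):
        name, vsize, rva = struct.unpack_from("<8sII", data,
                                              opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize))
    return {"image_base": image_base, "size_of_image": size_of_image,
            "sections": sections}


def check_layout(pe):
    """List sections that do not fit the image the headers describe."""
    findings, prev_end = [], 0
    for name, rva, vsize in pe["sections"]:
        end = rva + vsize
        if end > pe["size_of_image"]:
            findings.append((name, "beyond SizeOfImage"))
        if rva < prev_end:
            findings.append((name, "out of RVA order"))
        prev_end = end
    return findings


# SizeOfImage values are the ones printed in the two listings.
GOOD_IMAGE = build_header(IMAGE_BASE, 0x039FC000, GOOD)
BROKEN_IMAGE = build_header(IMAGE_BASE, 0x00014000, BROKEN)

if __name__ == "__main__":
    for label, blob in (("linux.unsigned.efi", GOOD_IMAGE),
                        ("linux-zen-signed.orig", BROKEN_IMAGE)):
        pe = parse_pe(blob)
        print(f"{label}: SizeOfImage={pe['size_of_image']:#x}")
        for name, rva, vsize in pe["sections"]:
            print(f"  {name:<9} rva={rva:#010x} size={vsize:#x}")
        for name, problem in check_layout(pe) or [("(none)", "layout consistent")]:
            print(f"  -> {name}: {problem}")
```

On these inputs the rebuilt image yields no findings, while the original image reports .osrel, .cmdline, .linux and .initrd at RVAs from 0xB2090000 upward against a SizeOfImage of 0x14000. To inspect a real file, pass its bytes to parse_pe().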

Grepping all of /usr for the message shown yielded results… The image update is done via this hook that calls sbupdate to do the work.

.rw-r--r-- 573 root 26 Sep  2021  /usr/share/libalpm/hooks/95-sbupdate.hook
.rwxr-xr-x 6.4k root 26 Sep  2021  /usr/bin/sbupdate

I suspect this is installed via yay from AUR because I also found ~/.cache/yay/sbupdate-git/. The GitHub repository of sbupdate is archived, with final commits - in August 2023 - making it use systemd-ukify…

Looks like I need to remove these outdated files and instead set up a hook to use ukify directly.

Since you are using mkinitcpio, did you set up the /etc/mkinitcpio.d/linux.preset file? Unified kernel image - ArchWiki

What Pacman hooks are in use? If you are using kernel-install to automatically install kernels in the UKI format you need to mask the direct kernel installation Pacman hooks. Unified kernel image - ArchWiki

mkinitcpio ships with a kernel-install plugin that generates the appropriate image (a UKI image for layout=uki). Other programs, such as sbctl, also ship with a kernel-install plugin.

To set up kernel-install to produce UKIs:

  • Set the kernel-install layout to ‘uki’. e.g.:
# echo "layout=uki" >> /etc/kernel/install.conf
  • Mask the direct kernel installation Pacman hooks:
# ln -s /dev/null /etc/pacman.d/hooks/60-mkinitcpio-remove.hook 
# ln -s /dev/null /etc/pacman.d/hooks/90-mkinitcpio-install.hook
  • Create a Pacman hook for kernel-install. You can use pacman-hook-kernel-install (AUR).
  • Remove and reinstall the kernel packages that you use.

I’m not sure if that is the only way to do this, but if you are using mkinitcpio and systemd-boot I guess I would probably make sure that is set up correctly.


Problem solved. Got rid of sbupdate, sbkeys, mkinitcpio and some other outdated cruft. Ukify is also not needed because Dracut has this as built-in functionality. What I am using is:

  • systemd-boot (bootctl install)
  • dracut to build UEFI unified signed kernel directly
  • sbctl for Secure Boot key management (create-keys, enroll-keys)
  • pacman -S garuda-bootctl-dracut to install the above and have hooks for kernel upgrade etc.

Check with sbctl verify after installation that everything is signed. I needed to sbctl sign systemd-boot manually but kernels get auto-signed on pacman updates.

Thanks for the help in triaging this! I also found this post helpful: Reddit - Dive into anything
