systemd-boot: add 'graceful' configuration option

On some systems bootctl cannot write the `LoaderSystemToken` EFI variable during installation, which results in a failure to install the boot loader. Upstream provides a flag (--graceful) to ignore such write failures - this change exposes it as a configuration option. As the exact semantics of this option appear to be somewhat volatile it should be used only if systemd-boot otherwise fails to install.
2021-09-26 17:54:36 +02:00 · 2021-09-26 17:54:36 +02:00 · 7bd84b6685
commit 7bd84b6685
parent 5e37cc3186
2 changed files with 26 additions and 5 deletions
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot-builder.py
@ -208,10 +208,15 @@ def main() -> None:
        if os.path.exists("@efiSysMountPoint@/loader/loader.conf"):
            os.unlink("@efiSysMountPoint@/loader/loader.conf")

-        if "@canTouchEfiVariables@" == "1":
-            subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "install"])
-        else:
-            subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@", "--no-variables", "install"])
+        flags = []
+
+        if "@canTouchEfiVariables@" != "1":
+            flags.append("--no-variables")
+
+        if "@graceful@" == "1":
+            flags.append("--graceful")
+
+        subprocess.check_call(["@systemd@/bin/bootctl", "--path=@efiSysMountPoint@"] + flags + ["install"])
    else:
        # Update bootloader to latest if needed
        systemd_version = subprocess.check_output(["@systemd@/bin/bootctl", "--version"], universal_newlines=True).split()[1]
--- a/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
+++ b/nixos/modules/system/boot/loader/systemd-boot/systemd-boot.nix
@ -24,7 +24,7 @@ let

    configurationLimit = if cfg.configurationLimit == null then 0 else cfg.configurationLimit;

-    inherit (cfg) consoleMode;
+    inherit (cfg) consoleMode graceful;

    inherit (efi) efiSysMountPoint canTouchEfiVariables;

@ -126,6 +126,22 @@ in {
        '';
      };
    };
+
+    graceful = mkOption {
+      default = false;
+
+      type = types.bool;
+
+      description = ''
+        Invoke <literal>bootctl install</literal> with the <literal>--graceful</literal> option,
+        which ignores errors when EFI variables cannot be written or when the EFI System Partition
+        cannot be found. Currently only applies to random seed operations.
+
+        Only enable this option if <literal>systemd-boot</literal> otherwise fails to install, as the
+        scope or implication of the <literal>--graceful</literal> option may change in the future.
+      '';
+    };
+
  };

  config = mkIf cfg.enable {