I concur. Refind is pretty much universal for me: it detects Linux kernels automatically, windows, boots from USB or detect USB (I always have an emergency copy that will boot my systems if I screw up), it also runs on Intel macs...

Also... It is very customizable with good a 100% graphic UI.

systemd-boot is also pretty hands-off. My distro's (OpenSUSE Tumbleweed) kernel packages build regular initrd images in package postinstall, but since the postinst script uses dracut I just had to drop a dracut config (`uefi=yes`) in /etc to make it build UKIs in /efi instead. systemd-boot automatically picks up those UKIs.

I just have to remember to delete the UKIs manually when I uninstall the corresponding old kernel package, otherwise the EFI partition would fill up eventually. If my distro ever switches to UKIs by default then the postuninstall script would handle that automatically.

I also switched to REFind because I wanted to boot my various Linux installations from encrypted ZFS pools, but after realizing how much more convenient it was (because it can just boot from whatever bootable OS installation it finds by scanning the disk), now I always use it instead of grub, regardless.

I noted recently that it also sees systemd-boot installations and will boot from those, if desired (in my case it was a fresh installation of Pop OS, which uses systemd-boot by default).

For me, it's unambiguously better (meaning easier, with no extra periodic steps required to maintain my ability to boot whatever bootable thing I want), but I am curious about what scenarios would make one want to use systemd-boot (or grub) instead.

I put a bunch of live environment/rescue images (trinity, UBCD, hirens, systemrescue etc) on a usb flash with ventoy, and ventoy couldn’t boot any of them except for systemrescue (seemed like it had an issue with EFI with the other ones)..

As an alternative to ventoy, can I use refind on a usb flash drive with iso images?

Another rEFInd user chiming in, the best bootloader ever. Using it on all my Gentoo and Arch installs. The Fedora installs are still on Grub2 though.

For examples of how amazing rEFInd can look - see https://github.com/hashhar/rEFInd-theme/ and https://github.com/EvanPurkhiser/rEFInd-minimal

I also used to use rEFInd while I was running macOS/windows dualboot for a short time. I am going back to it from grub now since booting from my zfs root partition with grub has become a hassle.

IIRC, systemd-boot relies on EFISTUB. It's just a boot manager, not a boot loader. One EFI application calling another.

For trivial setups (one kernel that keeps getting updated in-place), a boot manager is not required. For more sophisticated setups (version in kernel file name or Nix style system versions or whatever), a boot manager is very convenient.

EFISTUB can also be done on Debian [1]. I used this for a while, but it felt too fragile and inconvenient:

- the same disk is now impossible/harder to boot in another system/mainboard.

- no more choice between different kernels in case the newest one broke something

- to change the cmdline with kenel parameters you now need to run efibootmgr

Still, the quick boot can be worth it :-)

[1] https://wiki.debian.org/EFIStub

I also am a huge fan of EFISTUB. EFISTUB is basically the only way of making secure boot work in a sane way for Linux - include the initramfs in the kernel and sign the whole thing with your secure boot keys. You don’t even need to compile the kernel, you can use dracut to package everything up yourself.

Because having boot menu for stuff like older kernels, recovery mode, and access to kernel command line is pretty useful.

As a distro I wouldnt want to rely on uefi implementations that range from ok to garbage tier (no cmdline arguments, hidden boot selection menu etc)

I want to enter a sane booting environment as soon as possible (gummiboot, refind, grub). Also why not? Its basically free and In my experience doesnt really complicate secure boot.

> Ever since then I have not understood why most distros don't switch to this setup.

The persistence of GRUB for x86-64 systems is both fascinating and irritating; the original driver for users paying the price of the complexity of GRUB was the idea that it would bring consistency across architectures and be an overall reduction in complexity for distro maintainers. Instead the bootloaders for non-x86 architectures are generally not-GRUB (zipl, various ARM options which are sometimes SoC specific, and so on), while x86 users are stuck with the byzantine complexity of GRUB.

I have my taylor-made kernel compiled with all and only the drivers I need, without an initram and with EFISTUB, directly called by the UEFI as its first boot option. That's how I manage to boot in 5 seconds.

Then I have some distro-supplied kernels, with initram, modules, non-standard parameters AND grub, just for those times when I need something exotic. I have to stop the normal boot with Esc and select the second boot option from the UEFI menu, that points to grub. It's clumsy and slow but I just need it once in a blue moon.

Only thing that comes to mind is if you swap disks between machines and want the same boot menu on all of them.

>Does anyone know why anyone would choose systemd-boot over something like efistub?

Lots of people dual boot without manually going through their UEFI. It's important enough that I can see why many distros wouldn't make it default.

systemd-boot presents a boot menu at startup. It can support different boot targets defined in files under the EFI directory, and it automatically detects Windows UEFI targets.

How often do you actually reboot your machine? My office compile box is showing 17 days uptime, and that's quite low (I think I did an update).

Optimizing a few seconds off of something you seldom do isn't that useful. (Not that I haven't been guilty of that, again and again and again and...)

> Ever since then I have not understood why most distros don't switch to this setup

I still use GRUB because IIRC my Gigabyte motherboard kept forgetting entries and/or associated settings.

I think you do understand if you think about it.

You have so many different hardware vendors, but one common boot loader. Who can you rely on working every time for every vendor?

Also I use grub to select old deploys in Fedora Silverblue.

I'd love to use systemd-boot though.

One issue I have with it is that I can't snapshot it like the rest of my system, but I don't really know if any other bootloader solves this issue

It has a number of keyboard shortcuts, and uses UEFI variables to store some of this config.

It took me a long time to figure out what I did to change defaults by accident and how it stayed changed.

Jumped the gun and typed my LUKS unlock password a moment too soon.

It's a genuinely complex problem. Booting x86-64 with arbitrary hardware attached while maintaining compatibility with boot modes from 30+ years ago is quite a feat.

https://en.wikipedia.org/wiki/Das_U-Boot + https://en.wikipedia.org/wiki/Devicetree is an alternative, but it's a massive pain because you lose PnP.

I think UEFI actually helps; I do not miss having to manually overwrite the first sector of my hard drive in order to make the bootloader work.

(But yes, booting remains a pain)

That's just how it is. Booting arbitrary hardware is an inherently complex problem.

Regarding modern PCs: Even I think UEFI is in large parts over-engineered crap it made at least booting simpler and much more sane.

Here is a question for you, what value is secure boot providing you that you cannot get from an encrypted root filesystem with a TPM and systemd-cryptsetup.

That is too say, the signed grub binary can be used to load literally anything. It can even chain load into another non-signed modified grub.

On the other hand, the crypt setup route ensures that you bios, grub, TPM, and many other measurements are correct.

Look at table one here: https://www.freedesktop.org/software/systemd/man/systemd-cry...

One of those measurements is secure boot, but I cannot for the life me figure out what value it is adding.

Secure Boot without enrolling your own keys and deleting the shipped ones is not more than snake oil.

In such a case you can just disable it as it doesn't provide anything than additional hassle.

FWIW on AWS, all nitro instance types can boot as UEFI if the AMI has itself set to use UEFI and all arm64 instances only support UEFI. So if you stick to modern instance types, you can happily use UEFI in AWS.

GCP looks like it does UEFI too. And Azure Gen2 instances use UEFI too.

What difference does it make what boot loader cloud providers use?

ISTR there is work on making GRUB do that.

Seems like it. https://wiki.archlinux.org/title/LILO

I've found the answer: https://aur.archlinux.org/packages/powerofforreboot.efi This works well on my system, YMMV.

I think encrypting your boot partition and kernel is not very useful. The "better" (IMO), would be to sign the kernel and use secureboot, but otherwise leave it unencrypted. This way the kernel and whatnot can't be tampered with and you don't have to deal with an encrypted boot partition.

I don't think there would be anything in your kernel or bootloader that needs to be confidential!

In a systemd-boot setup there is no "boot partition", encrypted or otherwise. There is an EFI partition that contains the systemd-boot EFI binary and the UKI binary, and it is a regular unencrypted FAT32 partition.

The UKI will contain kernel + initramfs to be able to mount your encrypted root partition as `/`, using regular cryptsetup, not the special low-perf code used by grub.

And to be clear, this is how UEFI boot would work even if you didn't have systemd-boot and had your firmware directly boot the UKI.

I'm waiting for that.

Would be the ultimate base OS.

But it's not so easy. I actually looked into all the dependencies of a Linux system and it turns out to be an extremely entangled monolith at the core. Everything depends on everything. So you actually can't have "just a kernel and systemd as 'user-land'".

Does this mean you're installing Linux into write-limited flash? If so that could eventually brick your system.