Nixos no longer boots since kernel 6.17

[max06]

I'm running nixos-unstable with Lanzaboote/systemd-boot. After updating the kernel to 6.17 or newer, boot fails after selecting the new generation, with no further output. The latest known working version is kernel 6.16.11, just built some minutes ago.

Disabling secureboot only causes one more log line to be printed by the stub, telling me that secure boot is disabled.

After that:

• no more output
• system appears frozen, with usb no longer working (keyboard disconnected)
• There's no journal for the attempted boot

Booting an older generation works.
Using nixos-rebuild build-vm also seems to work - I think it might also simply not use systemd-boot.

Attaching output possibly relevant:

    fileSystems = {
      "/" = {
        device = "/dev/disk/by-uuid/a0a11869-5de8-4a71-95cc-46cdc207c1d7";
        fsType = "btrfs";
      };

      "/boot" = {
        device = "/dev/disk/by-uuid/13AE-1DAE";
        fsType = "vfat";
        options = ["fmask=0022" "dmask=0022"];
      };
    };

    swapDevices = [
      {
        device = "/var/lib/swapfile";
        size = 16 * 1024;
        options = ["discard"];
      }
    ];

    boot = {
      initrd = {
        availableKernelModules = ["sd_mod" "sr_mod"];
        kernelModules = ["lz4"];
        luks.devices."crypted".device = "/dev/disk/by-uuid/c7d11b07-5448-42d3-a861-4d53ae58b563";
        systemd.enable = true;
      };

      kernelParams = [
        "zswap.enabled=1" # enables zswap
        "zswap.compressor=lz4" # compression algorithm
        "zswap.max_pool_percent=20" # maximum percentage of RAM that zswap is allowed to use
        "zswap.shrinker_enabled=1" # whether to shrink the pool proactively on high memory pressure
      ];

      kernel.sysctl = {
        "vm.swappiness" = 10;
      };

      # kernelPackages = pkgs.linuxPackages_6_16;
      kernelPackages = pkgs.linuxPackages_latest;

      extraModulePackages = [];
      supportedFilesystems = ["ntfs"];

      loader = {
        systemd-boot.enable = true;
        systemd-boot.configurationLimit = 16;
        efi.canTouchEfiVariables = true;
      };

      binfmt.emulatedSystems = ["aarch64-linux"];
      binfmt.preferStaticEmulators = true; # Make it work with Docker
    };

flo@monster ~> bootctl status --no-pager 
System:
      Firmware: UEFI 2.70 (American Megatrends 5.17)
 Firmware Arch: x64
   Secure Boot: enabled (user)
  TPM2 Support: yes
  Measured UKI: yes
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 257.9
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Multi-Profile UKIs are supported
               ✓ Boot loader set partition information
    Partition: /dev/disk/by-partuuid/2252f6d0-65e3-4517-8cb5-e3d4efccc573
       Loader: └─/EFI/BOOT/BOOTX64.EFI
Current Entry: nixos-generation-173-nzqbvj6kvidkbbdlfikr5nvzizzfbc6hvqkii5ijqufxhvt5rfgq.efi

Current Stub:
      Product: lanzastub 0.4.2
     Features: ✓ Stub sets loader partition information
               ✗ Picks up credentials from boot partition
               ✗ Picks up system extension images from boot partition
               ✗ Picks up configuration extension images from boot partition
               ✗ Measures kernel+command line+sysexts
               ✗ Support for passing random seed to OS
               ✗ Pick up .cmdline from addons
               ✗ Pick up .cmdline from SMBIOS Type 11
               ✗ Pick up .dtb from addons
               ✗ Stub understands profile selector
               ✗ Stub sets stub partition information
               ✗ Stub loader set partition information

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/2252f6d0-65e3-4517-8cb5-e3d4efccc573)
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 257.9)
               └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 257.9)

Boot Loaders Listed in EFI Variables:
        Title: UEFI OS
           ID: 0x0011
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/2252f6d0-65e3-4517-8cb5-e3d4efccc573
         File: └─/EFI/BOOT/BOOTX64.EFI

        Title: Windows Boot Manager
           ID: 0x0001
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/a016f24b-2503-45ea-8a44-4dd0665f0fc0
         File: └─/EFI/MICROSOFT/BOOT/BOOTMGFW.EFI

Boot Loader Entries:
        $BOOT: /boot (/dev/disk/by-partuuid/2252f6d0-65e3-4517-8cb5-e3d4efccc573)
        token: nixos

Default Boot Loader Entry:
         type: Boot Loader Specification Type #2 (.efi)
        title: NixOS Xantusia 25.11.20251007.c9b6fb7 (Linux 6.16.11) (Generation 173, 2025-10-08)
           id: nixos-generation-173-nzqbvj6kvidkbbdlfikr5nvzizzfbc6hvqkii5ijqufxhvt5rfgq.efi
       source: /boot//EFI/Linux/nixos-generation-173-nzqbvj6kvidkbbdlfikr5nvzizzfbc6hvqkii5ijqufxhvt5rfgq.efi (on the EFI System Partition)
     sort-key: lanza
      version: Generation 173, 2025-10-08
        linux: /boot//EFI/Linux/nixos-generation-173-nzqbvj6kvidkbbdlfikr5nvzizzfbc6hvqkii5ijqufxhvt5rfgq.efi
      options: init=/nix/store/7b77fdsy51qps5iv114la36a4knkbrpx-nixos-system-monster-25.11.20251007.c9b6fb7/init amd_pstate=active zswap.enabled=1 zswap.compressor=lz4 zswap.max_pool_percent=20 zswap.shrinker_enabled=1 psi=1 root=fstab loglevel=4 lsm=landlock,yama,bpf nvidia-drm.modeset=1 nvidia-drm.fbdev=1

flo@monster ~> nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.16.11, NixOS, 25.11 (Xantusia), 25.11.20251007.c9b6fb7`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.31.2`
 - channels(root): `"nixos-24.05"`
 - nixpkgs: `/nix/store/npsan903n6s1f30nrip3fvqkmx8fxwgg-source`

I can provide a full system config - once I'm done cleaning it up.
Happy to assist with whatever you need.

If that's not a nixos issue, I'd be happy to forward this to the lkml.

[matthiasdotsh]

I have the same problem using;

• A Surface Pro 9 with a surface-kernel based on 6.17
• zfs (pkgs.zfs_unsable) with zfs native encryption
• impermanence
• systemd-boot
• no secureboot

[max06]

So, the only common factors so far are kernel 6.17 and systemd-boot.

I'm using an unencrypted efi-partition (/boot) and a luks-encrypted btrfs-partiton (/, /nix/store). No impermanence or zfs.

You also don't get any stage 1 output after selecting the generation? Just an empty screen?

[matthiasdotsh]

You also don't get any stage 1 output after selecting the generation? Just an empty screen?

Exactly, and after a few seconds, the computer simply restarts.

[max06]

That restart is not happening for me. I need to physically push the reset-button, since everything else is dead.

Can you tell me which systemd-version you're running? I'm currently checking different bug-trackers for similar reports.

[matthiasdotsh]

Can you tell me which systemd-version you're running? I'm currently checking different bug-trackers for similar reports.

$ systemctl --version
systemd 257 (257.9)
+PAM +AUDIT -SELINUX +APPARMOR +IMA +IPE +SMACK +SECCOMP +GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF -XKBCOMMON +UTMP -SYSVINIT +LIBARCHIVE

[matthiasdotsh]

Btw: I think we are both using nixos-unstable…

[max06]

Ah, yes, we do!

Alright, next question: Do you have your tpm enabled? Does it magically start to work with the tpm disabled?

[matthiasdotsh]

Alright, next question: Do you have your tpm enabled?

tpm was disabled all the time.

[max06]

Well, that eliminates one potential bug. Which means, it's either a change (or bug) in the kernel rendering it incompatible with systemd-boot, or a result of the way nixos is building the package. I only pinned the kernel down to 6.16 in my nixos configuration, sticking with latest systemd. The old kernel boots, the new one doesn't.

Hard to imagine that we'd be the only users of a current kernel with systemd-boot, so either nobody else noticed it so far or it's a limited issue. And by limited I mean it's limited to nixos users (with systemd-boot) or limited to a specific hardware/system. In this case, we're running on completely different hardware...

It would be great to have at least one report where our combination is running fine with no issues. Otherwise I'm running out of ideas. And I have no real clue how to debug systemd-boot itself. That's way out of my comfort zone...

(I might be able to build a virtual reproduction of my system, maybe tomorrow. With uefi, systemd-boot and a serial console.)

Almost forgot: You mentioned you're not running secureboot. Can you share the output of bootctl status --no-pager? To limit debugging to common components...

[matthiasdotsh]

$ sudo bootctl status --no-pager  
System:
      Firmware: UEFI 2.70 (EDK II 1538.01)
 Firmware Arch: x64
   Secure Boot: disabled (setup)
  TPM2 Support: yes
  Measured UKI: no
  Boot into FW: supported

Current Boot Loader:
      Product: systemd-boot 257.9
     Features: ✓ Boot counting
               ✓ Menu timeout control
               ✓ One-shot menu timeout control
               ✓ Default entry control
               ✓ One-shot entry control
               ✓ Support for XBOOTLDR partition
               ✓ Support for passing random seed to OS
               ✓ Load drop-in drivers
               ✓ Support Type #1 sort-key field
               ✓ Support @saved pseudo-entry
               ✓ Support Type #1 devicetree field
               ✓ Enroll SecureBoot keys
               ✓ Retain SHIM protocols
               ✓ Menu can be disabled
               ✓ Multi-Profile UKIs are supported
               ✓ Boot loader set partition information
    Partition: /dev/disk/by-partuuid/738e3dec-c0c4-42e4-961b-0cdc6027e5a0
       Loader: └─/EFI/systemd/systemd-bootx64.efi
Current Entry: nixos-generation-275.conf

Random Seed:
 System Token: set
       Exists: yes

Available Boot Loaders on ESP:
          ESP: /boot (/dev/disk/by-partuuid/738e3dec-c0c4-42e4-961b-0cdc6027e5a0)
         File: ├─/EFI/systemd/systemd-bootx64.efi (systemd-boot 257.9)
               └─/EFI/BOOT/BOOTX64.EFI (systemd-boot 257.9)

Boot Loaders Listed in EFI Variables:
        Title: Linux Boot Manager
           ID: 0x000C
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/738e3dec-c0c4-42e4-961b-0cdc6027e5a0
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x000B
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/ff707f79-9780-4e7b-b12b-015cd1148c72
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x000A
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/c80ef5d9-4951-49cc-92c4-0f1cffadeebd
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x0009
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/052057bc-7a40-412a-b09f-f57301070e0d
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x0008
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/9cd21372-4c2f-4f4a-b5cc-32969e50cc6a
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x0007
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/206a9a47-5283-489a-8ad4-1faa2c0b6fcd
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x0006
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/9d844e98-442b-4792-86e0-4fddae868a93
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Linux Boot Manager
           ID: 0x0004
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/60aacaf5-0e1d-4828-8b7c-7240b4ddb276
         File: └─/EFI/systemd/systemd-bootx64.efi

        Title: Windows Boot Manager
           ID: 0x0005
       Status: active, boot-order
    Partition: /dev/disk/by-partuuid/95f4b19f-a970-4133-83b2-ccd1147414b7
         File: └─/EFI/Microsoft/Boot/bootmgfw.efi

Boot Loader Entries:
        $BOOT: /boot (/dev/disk/by-partuuid/738e3dec-c0c4-42e4-961b-0cdc6027e5a0)
        token: nixos

Default Boot Loader Entry:
         type: Boot Loader Specification Type #1 (.conf)
        title: NixOS (Generation 278 NixOS Xantusia 25.11.20251009.0b4defa (Linux 6.17.1), built on 2025-10-11)
           id: nixos-generation-278.conf
       source: /boot//loader/entries/nixos-generation-278.conf (on the EFI System Partition)
     sort-key: nixos
      version: Generation 278 NixOS Xantusia 25.11.20251009.0b4defa (Linux 6.17.1), built on 2025-10-11
   machine-id: ec429f9f92ea4e579ac63dcb1e20f33e
        linux: /boot//EFI/nixos/q6ywsgnc9mv1vggfy93i6b4jrl7lfyjm-linux-6.17.1-bzImage.efi
       initrd: /boot//EFI/nixos/4kswkwacc2z595v902ghs61xpmmvhxnv-initrd-linux-6.17.1-initrd.efi
      options: init=/nix/store/mpi236k4i3640ykxihlsyqf6cf2whqr2-nixos-system-surface-pro9-25.11.20251009.0b4defa/init i915.enable_psr=0 psi=1 nohibernate loglevel=4 lsm=landlock,yama,bpf

Edit: I'm a little confused about the tpm stuff in the output. I never played around with tpm. I don"t have anything related to tpm in my config and think. Is tpm enabled per default? How can I deactivate it for testing?

[matthiasdotsh]

It would be great to have at least one report where our combination is running fine with no issues. Otherwise I'm running out of ideas. And I have no real clue how to debug systemd-boot itself. That's way out of my comfort zone...

@8bitbuddhist You managed to boot the 6.17 kernel on a Surface Pro 9 (same device as mine) and also used systemd-boot, right?