Skip to content

Systemd-Boot

Athena OS replaces GRUB with systemd-boot as the default boot manager to enhance security, simplicity, and tight integration with modern Linux technologies like Secure Boot, TPM, and Unified Kernel Images (UKI).

Unlike GRUB, which is a large, insecure and scriptable bootloader supporting legacy BIOS environments and complex configurations, systemd-boot is a minimalistic EFI boot manager that works exclusively on modern UEFI systems. It directly loads EFI executables (like signed UKIs) from the EFI System Partition.

| Feature | GRUB | systemd-boot | | -------- | ---- | ------------- | | Complexity | High (shell, modules, scripting) | Minimal and deterministic | | UEFI Support | Partial / optional | Native | | Secure Boot | Requires shim or manual signing | Direct signing, fully UEFI-compliant | | TPM / Measured Boot | Limited support | Native integration with PCR11, PCR12, PCR13 via systemd-stub | | UKI (Unified Kernel Image) | Not supported | First-class support | | Speed | Slower (multiple stages) | Very fast (single EFI load) | | Configuration | grub.cfg scripts | Simple text files in /boot/loader/entries/ |

systemd-boot has a minimal codebase, no scripting engine, and no legacy BIOS compatibility layer.
This drastically reduces the risk of code injection, buffer overflows, or malicious configuration tampering.

Each boot entry in systemd-boot points directly to a signed EFI image (usually a UKI).
These files can be authenticated by Secure Boot and measured into the TPM at boot.

systemd-boot works seamlessly with Secure Boot, Measured Boot, and TPM-bound encryption.
Because it uses systemd-stub, every kernel image is:

  • Verified by Secure Boot.
  • Measured into PCR11 (and related registers).
  • Capable of proving integrity before decryption keys are released.

4. Native Support for Unified Kernel Images

Section titled “4. Native Support for Unified Kernel Images”

Unlike GRUB, which loads a kernel and initramfs separately, systemd-boot loads a single UKI (Unified Kernel Image), a self-contained, signed EFI file that includes:

  • The kernel
  • The initramfs
  • The kernel command line

This integration eliminates configuration drift and makes verification simple and reproducible.