Systemd 255 is here with improved UKI support
This is release 0b11111111 (0xFF) – what could possibly go wrong?
The 255th version of systemd is here, banishing support for split and unmerged
/usr directories but enriching its UKI boot support.
Although Systemd 255 mainly consolidates and builds on changes that were announced earlier, it does have some new features.
A visible one may prove to be the new BSOD service, which is genuinely more welcome than it sounds. Yes, it does stand for Blue Screen Of Death just like in Windows, but the idea is that
LOG_EMERG level messages – meaning an inoperable system – will be displayed on the machine's console full-screen. This severity of error usually means that the computer failed to boot, and the new tool can even try to display a QR code, facilitating the first line of recourse of any competent BOFH: looking the error message up on Google.
Version 255 is FF in hexadecimal and 11111111 in binary: a byte with all eight bits set. Next spring will see version 256, meaning 0b100000000 or 0x100, and we suspect that a few distros may have problems with that version number – but they are probably small issues. A bigger one is that this release requires distributions to have completed the
/usr merge process. This requirement was announced well in advance, and we discussed what it means back when systemd 254 came out. Merging the
/usr hierarchies was a Fedora initiative, and was completed back in 2012 in Fedora 17, aka "Beefy Miracle." It has also been the default in new installations of Ubuntu since 19.04, and in openSUSE Tumbleweed since 2021.
Debian started the
/usr merge process in 2016, but as LWN reported in 2018 it hit some problems, and even by last June these were not completely resolved. However, back in October, the Debian developers lifted the moratorium on moving files from locations under the root directory to ones under
/usr; the project status page has more details. The process may be complete by Debian 13, expected in 2025. The current Debian "Bookworm" uses systemd 252, and we expect that it will until its end of life, so systemd 255 won't affect Debian stable releases.
Version 255 will be the last one that supports v1 of the kernel's cgroups feature. Some other features are now deprecated or turned off, such as support for SysV service scripts, the
SystemdOptions EFI variable, and user-specified system suspend, hibernate and hybrid-sleep states in the
systemd-sleep.conf file. Using the kernel command-line parameters to disable TCP/IP now turns off more IPv6 functionality. Only the
initrd can now switch the root filesystem, and to do that on running systems, sysadmins should use the soft-reboot function introduced in systemd 254.
Over two dozen of the changes related to Agent P's new Unified Kernel Image boot files, which we examined in depth last year. Support for this started appearing in systemd 252 and more supporting tools came with systemd 253. There is still more to come – for instance, release 255 introduces a new
systemd-pcrlock tool for handling TPM2 PCR "measurements". PCR stands for Platform Configuration Registers; the first eight (0-7) are stipulated by the Trusted Computing Group specification. PCRs 8 and upwards are defined by the OS, as explained in this Fedora Magazine article.
- Rocky Linux and Oracle Unbreakable Linux also hit 9.3
- GhostBSD makes FreeBSD a little less frightening for the Linux loyal
- Red Hat retires mailing list, leaving Linux loyalists to read between the lines
- Microsoft slips out Windows Server 2022 with extended support for 10 years
We explained how this stuff works in the earlier three articles, linked above. The executive summary is that this new tooling improves support for booting Linux with Intel and Microsoft's Secure Boot feature, including automatically unlocking fully encrypted disks using keys held in the TPM2 chip's memory. The goal is not needing a human to manually enter a passphrase before the computer boots up. That's fine if you encrypt your laptop's hard disk, but it's very much not fine for a server in a remote datacenter somewhere, or for an encrypted VM. Secure Boot used to be a Windows-only feature, but TPM2 support is required for Windows 11, and for Windows Server 2022 if you use Bitlocker encryption.
Most Linux users will probably first meet systemd 255 in Ubuntu 24.04 and Fedora 40, both due early next year. ®