'LoaderSystemToken' error during install on HP T740 ThinClient

spont · December 26, 2025, 7:36am

Hello all

Apologies for the photos

I’ve got an HP T740 with:

AMD Ryzen Embedded V1756B (8) @ 3.25GHz
256GB NVME (plus a 256gb M2 SATA but that’s currently removed for installation)
32GB RAM

I’ve been trying to install the latest (as of 2025/12/25) version of IncusOS using a USB, but it ultimately fails with the following error:

The image isn’t showing for me so here it is:

error: failed to run: bootclt install: exit status 1 (copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/EFI/systemd/systemd-bootx64.efi"
Copied "/usr/lib/systemd/boot/efi/systemd-bootx64.efi.signed" to "/boot/EFI/BOOT/BOOTX64.EFI"
Mount point '/boot' which backs the random seed file is world accessible which is a security hole!
Random seed file '/boot/loader/random-seed' is world accessible, which is a security hole!
Random seed file /boot/loader/random-seed successfully refreshed (32 bytes)
Failed to write 'LoaderSystemToken' EFI variable: Invalid argument)

I’ve had a successful install of this same image on a few ThinkCentre M920Qsthat have very similar hardware without any hiccups, I’m wondering if it’s hardware related.

I created the .img file with IncusOS image downloader for:

USB
Installation
Incus
Wipe Drive
Auto-reboot
No drive specified
Apply default configuration is checked
Certificate was generated with IncusOS image downloader

I transfered to USB with sudo dd if=Downloads/IncusOS_202512250102.img of=/dev/sdc status=progress

I have more photos of screen output post-failure and I’m willing to (try) to fetch logs to diagnose, but I’m pretty new to IncusOS and the observability of what’s happening before the failure isn’t much.

—

I just saw this incredibly similar post: Would love to get a stack of HP T730 thin clients running IncusOS

I would like to point out that I did in-fact successfully update the BIOS/firmware to the latest version from HP’s website before attempting the Incus install (released August of 2025 iirc).

stgraber · December 26, 2025, 12:32pm

@gibmat do you know what LoaderSystemToken is about?

gibmat · December 26, 2025, 1:25pm

There might be two distinct issues here: the warning about a world-readable random seed and the EFI variable error.

Since bootctl runs at the end of the install, normally we don’t look at journal output before the system reboots and it is lost. I will check if I see the same warning in a test VM, and if so we can adjust the mount arguments to /boot/ to silence it.

From some quick googling, the LoaderSystemToken error seems to point to a buggy UEFI implementation. There are a handful of bugs filed for systemd that mention it. bootctl does have a --graceful flag, which might be worth trying as a work-around for buggy systems.

gibmat · December 26, 2025, 3:20pm

Yeah, in this context that’s a red herring: Specify umask=0077 when mounting /boot/ to silence bootctl warning by gibmat · Pull Request #734 · lxc/incus-os · GitHub .

The actual error that’s stopping your install is the last line about failing to write the LoaderSystemToken EFI variable.

spont · December 26, 2025, 3:26pm

Thanks for looking! Is that bootctl flag something I’m able to add during the image creation or after the fact?

If that’s documented I’ll gladly read it, I just wasn’t able to find it taking a look around the .img this morning

gibmat · December 26, 2025, 6:01pm

No, we would need to update the code in the IncusOS image itself as the invocation of bootctl is part of the install logic.

spont · December 27, 2025, 7:14pm

Apologies for posting on a resolved topic, but should I make an Issue in GitHub for this or have y’all taken care of the work intake already? I’d dearly like to see this device supported!

stgraber · December 28, 2025, 4:56am

@gibmat are you planning on sending out a PR for that?

gibmat · December 29, 2025, 2:27pm