From Fedora Project Wiki


Unified Kernel Support Phase 2

Summary

Improve support for unified kernels in Fedora.

Owner

Current status

Detailed Description

See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.

Phase 2 goals

  • Add support for booting UKIs directly.
    • Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
    • The UEFI boot configuration will get an entry for each kernel installed.
    • Newly installed kernels are configured to be booted once (via BootNext).
    • Successful boot of the system will make the kernel update permanent (update BootOrder).
  • Enable UKIs for aarch64.
    • Should be just flipping the switch, dependencies such as kernel zboot support are merged.
  • Add a UEFI-only cloud image variant which uses UKIs.

Related bugs + merge requests

Feedback

Benefit to Fedora

  • Better secure boot support: the UKI initrd is covered by the signature.
  • Better support for tpm measurements and confidential computing.
    • measurements are more useful if we know what hashes to expect for the initrd.
    • measurements are more useful without grub.efi in the boot path (which measures each grub.cfg line processed).
  • More robust boot process
    • generating the initrd on the installed system is fragile

Scope

  • Proposal owners:
    • updates for virt-firmware and uki-direct packages.
    • enable UKIs on aarch64 (MR 2818).
    • prepare kickstart (Fedora kickstarts) changes for generating UKI enabled images.
  • Other developers:
    • installer/anaconda: implement discoverable partition support.
    • bootloader/shim: fix bugs.
    • Fedora Cloud SIG: Add UKI enabled images as an option to Download Fedora Cloud
    • See also: Related Bugs section.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

None, it's opt-in. Also the uefi cloud image is an additional image and will not replace the current bios/uefi hybrid image.

How To Test

Switch an existing install to use UKIs.

Needs up-to-date Fedora 39 or Rawhide install in a virtual machine. Bare metal hardware with standard storage (ahci / nvme) should work too.

Needs an big enough ESP to store UKI images there (minimum 200M, recommended 500M).

1. dnf install virt-firmware uki-direct

  • The uki-direct package contains the kernel-install plugin and systemd unit needed to automatically manage kernel updates.
  • You should have version 23.10 or newer.

2. sh /usr/share/doc/python3-virt-firmware/experimental/fixup-partitions-for-uki.sh

3. dnf install kernel-uki-virt

4. kernel-bootcfg --show

  • optional step, shows UEFI boot configuration, the new UKI should be added as BootNext
$ kernel-bootcfg --show
# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
#   N    -  0008  -  6.5.7-300.fc39.x86_64            <= entry for the the new kernel
# C   O  -  0007  -  6.5.6-300.fc39.x86_64            <= currently running kernel
#     O  -  0006  -  Fedora                           <= grub2 entry
#     O  -  0001  -  UEFI QEMU QEMU HARDDISK 
[ ... ]

5. reboot

6. kernel-bootcfg --show

  • optional again, after successful boot the new kernel should be first in BootOrder.
$ kernel-bootcfg --show
# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
# C   O  -  0008  -  6.5.7-300.fc39.x86_64
#     O  -  0007  -  6.5.6-300.fc39.x86_64
#     O  -  0006  -  Fedora
#     O  -  0001  -  UEFI QEMU QEMU HARDDISK 
[ ... ]

Test UKI cloud images (new: kiwi)

  • Clone the fedora-kiwi-descriptions repo, follow instructions to build cloud images locally. The name of the profile is "Cloud-Base-UEFI-UKI".
  • Once the Changes/KiwiBuiltCloudImages proposal is fully implemented and enabled in fedora build infrastructure you should find images on the usual download locations.

Test UKI cloud images (old: kickstart)

Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki

Images for download: https://www.kraxel.org/fedora-uki/

  • fedora-uki-cloud: uki-based cloud image, use cloud-init to configure this.
  • fedora-uki-direct: minimal uki-based image, root password is 'root'.
  • fedora-classic: minimal non-uki image, root password is 'root'.

Known problems:

  • images can fail to boot on the first attempt
    • should that happen reset the guest once, the second and all following boots will work fine.
    • root cause is a shim bug (github 554).
    • known workaround: add a vTPM to the guest configuration.

Booting another kernel

From the booted system:

  • uefi-boot-menu --reboot

From the firmware:

If your UEFI firmware offers an boot menu you should be able to use that to select the kernel to boot. Unfortunately this is not standardized so there is no standard procedure to do so.

  • Virtual machines (OVMF): Enter the firmware setup by pressing ESC when you see the tianocore splash screen. Select "Boot Manager" in the toplevel menu.
  • Thinkpad laptops: Interupt normal boot (just 'Enter' on recent hardware, or using the special key on older models), then press F12 ("choose a temporary startup device").


User Experience

Dependencies

Contingency Plan

  • Contingency mechanism:
    • drop kickstart file for the uefi-only cloud image.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No

Documentation

N/A (not a System Wide Change)

Release Notes

Retrieved from "https://fedoraproject.org/w/index.php?title=Changes/Unified_Kernel_Support_Phase_2&oldid=702106"