From Fedora Project Wiki
No edit summary
(adding release notes tracker)
 
(69 intermediate revisions by 3 users not shown)
Line 3: Line 3:
= Unified Kernel Support Phase 2 =
= Unified Kernel Support Phase 2 =


{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
Line 17: Line 16:
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: kraxel@redhat.com
* Email: kraxel@redhat.com
* Name: [[User:vittyvk| Vitaly Kuznetsov]]
* Email: vkuznets@redhat.com
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
-->
-->


== Current status ==
== Current status ==
[[Category:ChangePageIncomplete]]
[[Category:ChangeAcceptedF40]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
Line 33: Line 34:
<!-- [[Category:SystemWideChange]] -->
<!-- [[Category:SystemWideChange]] -->


* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f39/ Fedora Linux 39]
* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f40/ Fedora Linux 40]
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 41: Line 42:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/NHM3SBBSLWAHNBXZVUK6UOBPGB4VW6FF/ Announced]
* Tracker bug: <will be assigned by the Wrangler>
* [https://discussion.fedoraproject.org/t/f40-change-proposal-unified-kernel-support-phase-2-system-wide/98298 Discourse Thread]
* Release notes tracker: <will be assigned by the Wrangler>
* FESCo issue: [https://pagure.io/fesco/issue/3123 #3123]
* Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2258073 #2258073]
* Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/1100 #1100]


== Detailed Description ==
== Detailed Description ==
Line 49: Line 52:
See [[ Changes/Unified_Kernel_Support_Phase_1 ]] for overview and Phase 1 goals.
See [[ Changes/Unified_Kernel_Support_Phase_1 ]] for overview and Phase 1 goals.


Phase 2 goals:
==== Phase 2 goals ====
* TODO
 
* Add support for booting UKIs directly.
** Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
** The UEFI boot configuration will get an entry for each kernel installed.
** Newly installed kernels are configured to be booted once (via BootNext).
** Successful boot of the system will make the kernel update permanent (update BootOrder).
* Enable UKIs for aarch64.
** Should be just flipping the switch, dependencies such as kernel zboot support are merged.
* Add a UEFI-only cloud image variant which uses UKIs.
** Also suitable for being used in confidential VMs.
** Cover both x86_64 and aarch64.
** Related: [https://fedoraproject.org/wiki/Changes/KiwiBuiltCloudImages Changes/KiwiBuiltCloudImages]
 
==== Related bugs + merge requests ====
 
* shim: remove dependency on grub2-efi-x64 ([https://bugzilla.redhat.com/show_bug.cgi?id=2240989 buzilla 2240989])
* shim: handling of multiple lines in BOOT.CSV is inconsistent ([https://issues.redhat.com/browse/RHEL-10704 jira RHEL-10704], [https://github.com/rhboot/shim/issues/554 github 554])
* anaconda: add support for [https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ discoverable partitions] ([https://bugzilla.redhat.com/show_bug.cgi?id=2160074 bugzilla 2160074], [https://bugzilla.redhat.com/show_bug.cgi?id=2178043 bugzilla 2178043])
* dracut: do not create yet another initramfs for UKIs ([https://github.com/dracutdevs/dracut/pull/2521 github PR 2521])
* kernel: enable UKIs on aarch64 ([https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2818 MR 2818])
* fedora-kiwi-descriptions: add Cloud-Base-UEFI-UKI profile ([https://pagure.io/fedora-kiwi-descriptions/pull-request/9 PR #9])


== Feedback ==
== Feedback ==
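Review bot: the link label on the first shim item under "Related bugs + merge requests" is spelled "buzilla 2240989", while every other item in the list uses "bugzilla"; correct the label so the list is consistent and searchable.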
Line 83: Line 106:
     https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack)
     https://fedoraproject.org/wiki/Changes/perl5.26 (major upgrade to a popular software stack, visible to users of that stack)
-->
-->
* Better secure boot support: the UKI initrd is covered by the signature.
* Better support for tpm measurements and confidential computing.
** measurements are more useful if we know what hashes to expect for the initrd.
** measurements are more useful without grub.efi in the boot path (which measures each grub.cfg line processed).
* More robust boot process
** generating the initrd on the installed system is fragile


== Scope ==
== Scope ==
* Proposal owners:
* Proposal owners:
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
** updates for virt-firmware and uki-direct packages.
** enable UKIs on aarch64 ([https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2818 MR 2818]).
** prepare kickstart ([https://pagure.io/fedora-kickstarts.git Fedora kickstarts]) changes for generating UKI enabled images.


* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
** installer/anaconda: implement discoverable partition support.
** bootloader/shim: fix bugs.
** Fedora Cloud SIG: Add UKI enabled images as an option to [https://fedoraproject.org/cloud/download Download Fedora Cloud]
** See also: [https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_2#Related_bugs Related Bugs] section.


* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issues #Releng issue number] <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
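Review bot: the "See also" item under "Other developers" links to the fragment #Related_bugs, which does not match the heading this revision adds, "Related bugs + merge requests", so the link will most likely land at the top of the page instead of the list. Point the link at the full heading text, or shorten the heading to match the fragment.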
Line 108: Line 144:


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
None, it's opt-in.  Also the uefi cloud image is an additional image and will not replace the current bios/uefi hybrid image.


== How To Test ==
== How To Test ==
Line 124: Line 160:
3. What are the expected results of those actions?
3. What are the expected results of those actions?
-->
-->
==== Switch an existing install to use UKIs. ====
Needs up-to-date Fedora 39 or Rawhide install in a virtual machine.
Bare metal hardware with standard storage (ahci / nvme) should work too.
Needs an big enough ESP to store UKI images there (minimum 200M, recommended 500M).
1. dnf install virt-firmware uki-direct
* The uki-direct package contains the kernel-install plugin and systemd unit needed to automatically manage kernel updates.
* You should have version 23.10 or newer.
2. sh /usr/share/doc/python3-virt-firmware/experimental/fixup-partitions-for-uki.sh
* Workaround for [https://bugzilla.redhat.com/show_bug.cgi?id=2160074 bug 2160074] (anaconda not setting up [https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ discoverable partitions]).
* UKIs need this to find the root filesystem without root=... on the kernel command line.
3. dnf install kernel-uki-virt
4. kernel-bootcfg --show
* optional step, shows UEFI boot configuration, the new UKI should be added as BootNext
$ kernel-bootcfg --show
# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
#  N    -  0008  -  6.5.7-300.fc39.x86_64            <= entry for the the new kernel
# C  O  -  0007  -  6.5.6-300.fc39.x86_64            <= currently running kernel
#    O  -  0006  -  Fedora                          <= grub2 entry
#    O  -  0001  -  UEFI QEMU QEMU HARDDISK
[ ... ]
5. reboot
6. kernel-bootcfg --show
* optional again, after successful boot the new kernel should be first in BootOrder.
$ kernel-bootcfg --show
# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
# C  O  -  0008  -  6.5.7-300.fc39.x86_64
#    O  -  0007  -  6.5.6-300.fc39.x86_64
#    O  -  0006  -  Fedora
#    O  -  0001  -  UEFI QEMU QEMU HARDDISK
[ ... ]
==== Test UKI cloud images (new: kiwi) ====
* Clone the [https://pagure.io/fedora-kiwi-descriptions fedora-kiwi-descriptions] repo, follow instructions to build cloud images locally.  The name of the profile is "Cloud-Base-UEFI-UKI".
* Once the [https://fedoraproject.org/wiki/Changes/KiwiBuiltCloudImages Changes/KiwiBuiltCloudImages] proposal is fully implemented and enabled in fedora build infrastructure you should find images on the usual download locations.
** [https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/ rawhide]
==== Test UKI cloud images (old: kickstart) ====
Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki
Images for download: https://www.kraxel.org/fedora-uki/
* fedora-uki-cloud: uki-based cloud image, use cloud-init to configure this.
* fedora-uki-direct: minimal uki-based image, root password is 'root'.
* fedora-classic: minimal non-uki image, root password is 'root'.
Known problems:
* images can fail to boot on the first attempt
** should that happen reset the guest once, the second and all following boots will work fine.
** root cause is a shim bug ([https://github.com/rhboot/shim/issues/554 github 554]).
** known workaround: add a vTPM to the guest configuration.
==== Booting another kernel ====
From the booted system:
* uefi-boot-menu --reboot
From the firmware:
If your UEFI firmware offers an boot menu you should be able to use that to select the kernel to boot.  Unfortunately this is not standardized so there is no standard procedure to do so.
* Virtual machines (OVMF): Enter the firmware setup by pressing ESC when you see the tianocore splash screen.  Select "Boot Manager" in the toplevel menu.
* Thinkpad laptops: Interupt normal boot (just 'Enter' on recent hardware, or using the special key on older models), then press F12 ("choose a temporary startup device").


<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


== User Experience ==
== User Experience ==
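Review bot: the image list under "Test UKI cloud images (old: kickstart)" gives fedora-uki-direct and fedora-classic a root password of 'root' without saying that these are test-only images; add a line stating they are meant for throwaway local VMs and should not be reachable from a network as shipped. In step 1, "You should have version 23.10 or newer" follows a command that installs two packages, so name the package the version applies to.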
Line 149: Line 259:


<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency mechanism: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
** drop kickstart file for the uefi-only cloud image.
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Blocks release? No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 


== Documentation ==
== Documentation ==

Latest revision as of 20:50, 28 February 2024


Unified Kernel Support Phase 2

Summary

Improve support for unified kernels in Fedora.

Owner

Current status

Detailed Description

See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.

Phase 2 goals

  • Add support for booting UKIs directly.
    • Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
    • The UEFI boot configuration will get an entry for each kernel installed.
    • Newly installed kernels are configured to be booted once (via BootNext).
    • Successful boot of the system will make the kernel update permanent (update BootOrder).
  • Enable UKIs for aarch64.
    • Should be just flipping the switch, dependencies such as kernel zboot support are merged.
  • Add a UEFI-only cloud image variant which uses UKIs.

Related bugs + merge requests

Feedback

Benefit to Fedora

  • Better secure boot support: the UKI initrd is covered by the signature.
  • Better support for tpm measurements and confidential computing.
    • measurements are more useful if we know what hashes to expect for the initrd.
    • measurements are more useful without grub.efi in the boot path (which measures each grub.cfg line processed).
  • More robust boot process
    • generating the initrd on the installed system is fragile

Scope

  • Proposal owners:
    • updates for virt-firmware and uki-direct packages.
    • enable UKIs on aarch64 (MR 2818).
    • prepare kickstart (Fedora kickstarts) changes for generating UKI enabled images.
  • Other developers:
    • installer/anaconda: implement discoverable partition support.
    • bootloader/shim: fix bugs.
    • Fedora Cloud SIG: Add UKI enabled images as an option to Download Fedora Cloud
    • See also: Related Bugs section.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

None, it's opt-in. Also the uefi cloud image is an additional image and will not replace the current bios/uefi hybrid image.

How To Test

Switch an existing install to use UKIs.

Needs up-to-date Fedora 39 or Rawhide install in a virtual machine. Bare metal hardware with standard storage (ahci / nvme) should work too.

Needs a big enough ESP to store UKI images there (minimum 200M, recommended 500M).

1. dnf install virt-firmware uki-direct

  • The uki-direct package contains the kernel-install plugin and systemd unit needed to automatically manage kernel updates.
  • You should have version 23.10 or newer.

2. sh /usr/share/doc/python3-virt-firmware/experimental/fixup-partitions-for-uki.sh

3. dnf install kernel-uki-virt

4. kernel-bootcfg --show

  • optional step, shows UEFI boot configuration, the new UKI should be added as BootNext
$ kernel-bootcfg --show
# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
#   N    -  0008  -  6.5.7-300.fc39.x86_64            <= entry for the new kernel
# C   O  -  0007  -  6.5.6-300.fc39.x86_64            <= currently running kernel
#     O  -  0006  -  Fedora                           <= grub2 entry
#     O  -  0001  -  UEFI QEMU QEMU HARDDISK 
[ ... ]

5. reboot

6. kernel-bootcfg --show

  • optional again, after successful boot the new kernel should be first in BootOrder.
$ kernel-bootcfg --show
# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
# C   O  -  0008  -  6.5.7-300.fc39.x86_64
#     O  -  0007  -  6.5.6-300.fc39.x86_64
#     O  -  0006  -  Fedora
#     O  -  0001  -  UEFI QEMU QEMU HARDDISK 
[ ... ]
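
The BootNext to BootOrder hand-over that steps 4 to 6 check by eye, as an added example that is not part of the Fedora change page or the virt-firmware tools: a shell script that classifies a kernel's boot entry from `kernel-bootcfg --show` text. It assumes the column layout of the sample output above and that entries are listed in BootOrder order; the function names, state names and the failed-trial sample are constructed for illustration.

```shell
#!/bin/bash
# Added example: classify a kernel's UEFI boot entry from `kernel-bootcfg --show`
# text. Layout assumed from the sample output: "# FLAGS - NNNN - description".

# Print "FLAGS<TAB>ENTRY<TAB>DESCRIPTION" for every boot entry, in listed order.
parse_bootcfg() {
    awk '
    /^#[ CNO]*-[ ]+[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][ ]+-[ ]+/ {
        n = split($0, p, /[ ]+-[ ]+/)
        flags = p[1]; gsub(/[# ]/, "", flags)
        if (flags == "") flags = "-"          # entry carries no C/N/O flag
        desc = p[3]
        for (i = 4; i <= n; i++) desc = desc " - " p[i]
        sub(/[ \t]+$/, "", desc)
        printf "%s\t%s\t%s\n", flags, p[2], desc
    }'
}

# uki_boot_state KVER  (reads the --show output on stdin) prints one of:
#   pending    entry is BootNext: armed for a single trial boot
#   committed  entry is the running kernel and the first BootOrder entry listed
#   inactive   entry exists but is neither armed nor the running default
#   missing    no boot entry with that description
uki_boot_state() {
    parse_bootcfg | awk -F '\t' -v kver="$1" '
    $1 ~ /O/ && first == "" { first = $3 }
    $3 == kver              { found = 1; flags = $1 }
    END {
        if (!found)                               print "missing"
        else if (flags ~ /N/)                     print "pending"
        else if (flags ~ /C/ && first == kver)    print "committed"
        else                                      print "inactive"
    }'
}

# Constructed samples. BEFORE and AFTER follow the listings in the steps (without
# the "<=" annotations); FAILED is a made-up case where the trial boot did not stick.
SAMPLE_BEFORE='# C - BootCurrent, N - BootNext, O - BootOrder
# --------------------------------------------
#  N    -  0008  -  6.5.7-300.fc39.x86_64
# C  O  -  0007  -  6.5.6-300.fc39.x86_64
#    O  -  0006  -  Fedora
#    O  -  0001  -  UEFI QEMU QEMU HARDDISK'
SAMPLE_AFTER='# C  O  -  0008  -  6.5.7-300.fc39.x86_64
#    O  -  0007  -  6.5.6-300.fc39.x86_64
#    O  -  0006  -  Fedora'
SAMPLE_FAILED='#       -  0008  -  6.5.7-300.fc39.x86_64
# C  O  -  0007  -  6.5.6-300.fc39.x86_64
#    O  -  0006  -  Fedora'

for s in "$SAMPLE_BEFORE" "$SAMPLE_AFTER" "$SAMPLE_FAILED"; do
    printf '%s\n' "$s" | uki_boot_state 6.5.7-300.fc39.x86_64
done
```

On a live system the input would come from `kernel-bootcfg --show | uki_boot_state "$(uname -r)"`. An `inactive` result after the reboot in step 5 means the one-shot BootNext was used up without the new kernel becoming the default.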

Test UKI cloud images (new: kiwi)

  • Clone the fedora-kiwi-descriptions repo, follow instructions to build cloud images locally. The name of the profile is "Cloud-Base-UEFI-UKI".
  • Once the Changes/KiwiBuiltCloudImages proposal is fully implemented and enabled in fedora build infrastructure you should find images on the usual download locations.

Test UKI cloud images (old: kickstart)

Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki

Images for download: https://www.kraxel.org/fedora-uki/

  • fedora-uki-cloud: uki-based cloud image, use cloud-init to configure this.
  • fedora-uki-direct: minimal uki-based image, root password is 'root'.
  • fedora-classic: minimal non-uki image, root password is 'root'.

Known problems:

  • images can fail to boot on the first attempt
    • should that happen reset the guest once, the second and all following boots will work fine.
    • root cause is a shim bug (github 554).
    • known workaround: add a vTPM to the guest configuration.

Booting another kernel

From the booted system:

  • uefi-boot-menu --reboot

From the firmware:

If your UEFI firmware offers a boot menu you should be able to use that to select the kernel to boot. Unfortunately this is not standardized, so there is no standard procedure to do so.

  • Virtual machines (OVMF): Enter the firmware setup by pressing ESC when you see the tianocore splash screen. Select "Boot Manager" in the top-level menu.
  • Thinkpad laptops: Interrupt normal boot (just 'Enter' on recent hardware, or using the special key on older models), then press F12 ("choose a temporary startup device").


User Experience

Dependencies

Contingency Plan

  • Contingency mechanism:
    • drop kickstart file for the uefi-only cloud image.
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? No

Documentation

N/A (not a System Wide Change)

Release Notes