(announcing the change) |
(adding release notes tracker) |
||
(9 intermediate revisions by 2 users not shown) | |||
Line 3: | Line 3: | ||
= Unified Kernel Support Phase 2 = | = Unified Kernel Support Phase 2 = | ||
== Summary == | == Summary == | ||
Line 25: | Line 24: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangeAcceptedF40]] | ||
<!-- When your change proposal page is completed and ready for review and announcement --> | <!-- When your change proposal page is completed and ready for review and announcement --> | ||
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | <!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler --> | ||
Line 45: | Line 44: | ||
* [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/NHM3SBBSLWAHNBXZVUK6UOBPGB4VW6FF/ Announced] | * [https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org/thread/NHM3SBBSLWAHNBXZVUK6UOBPGB4VW6FF/ Announced] | ||
* [https://discussion.fedoraproject.org/t/f40-change-proposal-unified-kernel-support-phase-2-system-wide/98298 Discourse Thread] | * [https://discussion.fedoraproject.org/t/f40-change-proposal-unified-kernel-support-phase-2-system-wide/98298 Discourse Thread] | ||
* FESCo issue: | * FESCo issue: [https://pagure.io/fesco/issue/3123 #3123] | ||
* Tracker bug: | * Tracker bug: [https://bugzilla.redhat.com/show_bug.cgi?id=2258073 #2258073] | ||
* Release notes tracker: | * Release notes tracker: [https://pagure.io/fedora-docs/release-notes/issue/1100 #1100] | ||
== Detailed Description == | == Detailed Description == | ||
Line 65: | Line 64: | ||
** Also suitable for being used in confidential VMs. | ** Also suitable for being used in confidential VMs. | ||
** Cover both x86_64 and aarch64. | ** Cover both x86_64 and aarch64. | ||
** Related: [https://fedoraproject.org/wiki/Changes/KiwiBuiltCloudImages Changes/KiwiBuiltCloudImages] | |||
==== Related bugs ==== | ==== Related bugs + merge requests ==== | ||
* shim: remove dependency on grub2-efi-x64 ([https://bugzilla.redhat.com/show_bug.cgi?id=2240989 buzilla 2240989]) | * shim: remove dependency on grub2-efi-x64 ([https://bugzilla.redhat.com/show_bug.cgi?id=2240989 buzilla 2240989]) | ||
Line 73: | Line 73: | ||
* dracut: do not create yet another initramfs for UKIs ([https://github.com/dracutdevs/dracut/pull/2521 github PR 2521]) | * dracut: do not create yet another initramfs for UKIs ([https://github.com/dracutdevs/dracut/pull/2521 github PR 2521]) | ||
* kernel: enable UKIs on aarch64 ([https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2818 MR 2818]) | * kernel: enable UKIs on aarch64 ([https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2818 MR 2818]) | ||
* fedora-kiwi-descriptions: add Cloud-Base-UEFI-UKI profile ([https://pagure.io/fedora-kiwi-descriptions/pull-request/9 PR #9]) | |||
== Feedback == | == Feedback == | ||
Line 203: | Line 204: | ||
[ ... ] | [ ... ] | ||
==== Test UKI cloud images ==== | ==== Test UKI cloud images (new: kiwi) ==== | ||
* Clone the [https://pagure.io/fedora-kiwi-descriptions fedora-kiwi-descriptions] repo, follow instructions to build cloud images locally. The name of the profile is "Cloud-Base-UEFI-UKI". | |||
* Once the [https://fedoraproject.org/wiki/Changes/KiwiBuiltCloudImages Changes/KiwiBuiltCloudImages] proposal is fully implemented and enabled in fedora build infrastructure you should find images on the usual download locations. | |||
** [https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Cloud/ rawhide] | |||
==== Test UKI cloud images (old: kickstart) ==== | |||
Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki | Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki | ||
Latest revision as of 20:50, 28 February 2024
Unified Kernel Support Phase 2
Summary
Improve support for unified kernels in Fedora.
Owner
- Name: Gerd Hoffmann
- Email: kraxel@redhat.com
- Name: Vitaly Kuznetsov
- Email: vkuznets@redhat.com
Current status
- Targeted release: Fedora Linux 40
- Last updated: 2024-02-28
- Announced
- Discourse Thread
- FESCo issue: #3123
- Tracker bug: #2258073
- Release notes tracker: #1100
Detailed Description
See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.
Phase 2 goals
- Add support for booting UKIs directly.
- Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
- The UEFI boot configuration will get an entry for each kernel installed.
- Newly installed kernels are configured to be booted once (via BootNext).
- Successful boot of the system will make the kernel update permanent (update BootOrder).
- Enable UKIs for aarch64.
- Should be just flipping the switch, dependencies such as kernel zboot support are merged.
- Add a UEFI-only cloud image variant which uses UKIs.
- Also suitable for being used in confidential VMs.
- Cover both x86_64 and aarch64.
- Related: Changes/KiwiBuiltCloudImages
Related bugs + merge requests
- shim: remove dependency on grub2-efi-x64 (buzilla 2240989)
- shim: handling of multiple lines in BOOT.CSV is inconsistent (jira RHEL-10704, github 554)
- anaconda: add support for discoverable partitions (bugzilla 2160074, bugzilla 2178043)
- dracut: do not create yet another initramfs for UKIs (github PR 2521)
- kernel: enable UKIs on aarch64 (MR 2818)
- fedora-kiwi-descriptions: add Cloud-Base-UEFI-UKI profile (PR #9)
Feedback
Benefit to Fedora
- Better secure boot support: the UKI initrd is covered by the signature.
- Better support for tpm measurements and confidential computing.
- measurements are more useful if we know what hashes to expect for the initrd.
- measurements are more useful without grub.efi in the boot path (which measures each grub.cfg line processed).
- More robust boot process
- generating the initrd on the installed system is fragile
Scope
- Proposal owners:
- updates for virt-firmware and uki-direct packages.
- enable UKIs on aarch64 (MR 2818).
- prepare kickstart (Fedora kickstarts) changes for generating UKI enabled images.
- Other developers:
- installer/anaconda: implement discoverable partition support.
- bootloader/shim: fix bugs.
- Fedora Cloud SIG: Add UKI enabled images as an option to Download Fedora Cloud
- See also: Related Bugs section.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
None, it's opt-in. Also the uefi cloud image is an additional image and will not replace the current bios/uefi hybrid image.
How To Test
Switch an existing install to use UKIs.
Needs up-to-date Fedora 39 or Rawhide install in a virtual machine. Bare metal hardware with standard storage (ahci / nvme) should work too.
Needs an big enough ESP to store UKI images there (minimum 200M, recommended 500M).
1. dnf install virt-firmware uki-direct
- The uki-direct package contains the kernel-install plugin and systemd unit needed to automatically manage kernel updates.
- You should have version 23.10 or newer.
2. sh /usr/share/doc/python3-virt-firmware/experimental/fixup-partitions-for-uki.sh
- Workaround for bug 2160074 (anaconda not setting up discoverable partitions).
- UKIs need this to find the root filesystem without root=... on the kernel command line.
3. dnf install kernel-uki-virt
4. kernel-bootcfg --show
- optional step, shows UEFI boot configuration, the new UKI should be added as BootNext
$ kernel-bootcfg --show # C - BootCurrent, N - BootNext, O - BootOrder # -------------------------------------------- # N - 0008 - 6.5.7-300.fc39.x86_64 <= entry for the the new kernel # C O - 0007 - 6.5.6-300.fc39.x86_64 <= currently running kernel # O - 0006 - Fedora <= grub2 entry # O - 0001 - UEFI QEMU QEMU HARDDISK [ ... ]
5. reboot
6. kernel-bootcfg --show
- optional again, after successful boot the new kernel should be first in BootOrder.
$ kernel-bootcfg --show # C - BootCurrent, N - BootNext, O - BootOrder # -------------------------------------------- # C O - 0008 - 6.5.7-300.fc39.x86_64 # O - 0007 - 6.5.6-300.fc39.x86_64 # O - 0006 - Fedora # O - 0001 - UEFI QEMU QEMU HARDDISK [ ... ]
Test UKI cloud images (new: kiwi)
- Clone the fedora-kiwi-descriptions repo, follow instructions to build cloud images locally. The name of the profile is "Cloud-Base-UEFI-UKI".
- Once the Changes/KiwiBuiltCloudImages proposal is fully implemented and enabled in fedora build infrastructure you should find images on the usual download locations.
Test UKI cloud images (old: kickstart)
Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki
Images for download: https://www.kraxel.org/fedora-uki/
- fedora-uki-cloud: uki-based cloud image, use cloud-init to configure this.
- fedora-uki-direct: minimal uki-based image, root password is 'root'.
- fedora-classic: minimal non-uki image, root password is 'root'.
Known problems:
- images can fail to boot on the first attempt
- should that happen reset the guest once, the second and all following boots will work fine.
- root cause is a shim bug (github 554).
- known workaround: add a vTPM to the guest configuration.
Booting another kernel
From the booted system:
- uefi-boot-menu --reboot
From the firmware:
If your UEFI firmware offers an boot menu you should be able to use that to select the kernel to boot. Unfortunately this is not standardized so there is no standard procedure to do so.
- Virtual machines (OVMF): Enter the firmware setup by pressing ESC when you see the tianocore splash screen. Select "Boot Manager" in the toplevel menu.
- Thinkpad laptops: Interupt normal boot (just 'Enter' on recent hardware, or using the special key on older models), then press F12 ("choose a temporary startup device").
User Experience
Dependencies
Contingency Plan
- Contingency mechanism:
- drop kickstart file for the uefi-only cloud image.
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
N/A (not a System Wide Change)