From Fedora Project Wiki
Line 49 (old revision):

See [[ Changes/Unified_Kernel_Support_Phase_1 ]] for overview and Phase 1 goals.

Phase 2/3 goals (longer-term stuff which is not realistic to complete for Phase 1 / F38).

* Add proper systemd-boot support to installers.
** Temporary workaround possible: run 'bootctl install' in %post script.
* Better measurement and remote attestation support.
** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to allow pre-calculate TPM PCR values.
** avoid using grub2 (measures every config file line executed which is next to impossible to pre-calculate).
*** option one: sd-boot
*** option two: let shim.efi load uki directly (needs EFI variable updates on kernel updates).
* Move away from depending on the kernel command line for configuration.
* Move away from storing secrets in the initrd.
* Handle dracut optional modules in a different way.

systemd has some building blocks which can be used to handle system configuration, although none of them are used by fedora today. [https://www.freedesktop.org/software/systemd/man/systemd-creds.html systemd credentials] can be used for secrets (also for configuration).  The [https://www.freedesktop.org/software/systemd/man/systemd-stub.html unified kernel stub] can load credentials from the ESP.  The unified kernel stub can also load [https://www.freedesktop.org/software/systemd/man/systemd-sysext.html extensions] from the ESP, which can possibly be used to replace optional dracut modules.

== Feedback ==

Line 49 (new revision):

See [[ Changes/Unified_Kernel_Support_Phase_1 ]] for overview and Phase 1 goals.

Phase 2 goals:

* Add support for booting UKIs directly.
** Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
** The UEFI boot configuration will get an entry for each kernel installed.
** Newly installed kernels are configured to be booted once (via BootNext).
** Successful boot of the system will make the kernel update permanent (update BootOrder).
* Enable UKIs for aarch64.
** Should be just flipping the switch, dependencies such as kernel zboot support are merged.
* Add a UEFI-only cloud image variant which uses UKIs.
** Also suitable for being used in confidential VMs.
** Cover both x86_64 and aarch64.

== Feedback ==
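Review bot: the new revision keeps the shim.efi -> UKI boot path (the old revision's "option two") but drops the reason it was listed, namely pre-calculable TPM PCR values and avoiding grub2's per-config-line measurements; one sentence of that rationale under "Add support for booting UKIs directly" would make clear why the BootNext/BootOrder machinery is worth having. The removed paragraph on systemd credentials, the stub loading credentials from the ESP, and sysext images was also the only text describing how "Move away from storing secrets in the initrd" and "Handle dracut optional modules in a different way" would be done; if those goals are deferred to a later phase rather than dropped, say so in the new text.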

Revision as of 13:54, 12 October 2023


Unified Kernel Support Phase 2

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Improve support for unified kernels in Fedora.

Owner


Current status

  • Targeted release: Fedora Linux 40
  • Last updated: 2023-10-12
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.

Phase 2 goals:

  • Add support for booting UKIs directly.
    • Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
    • The UEFI boot configuration will get an entry for each kernel installed.
    • Newly installed kernels are configured to be booted once (via BootNext).
    • Successful boot of the system will make the kernel update permanent (update BootOrder).
  • Enable UKIs for aarch64.
    • Should be just a matter of flipping the switch; dependencies such as kernel zboot support are merged.
  • Add a UEFI-only cloud image variant which uses UKIs.
    • Also suitable for being used in confidential VMs.
    • Cover both x86_64 and aarch64.
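The "boot once via BootNext, make permanent via BootOrder" flow above is what keeps a kernel update from bricking the default boot path: a kernel that fails to come up is never promoted, and the firmware falls back to the previous BootOrder on the next reboot. The following added example (not code from Fedora, systemd or this proposal) models the UEFI boot manager's variables as plain Python data so that flow can be exercised offline. BootNext being deleted by the firmware once it has been used follows the UEFI specification's definition of that variable; the entry numbers, UKI file names and the `boots_ok` health map are constructed sample data, and the reboot after a failed boot (in practice a watchdog or a manual reset) is assumed rather than modelled.

```python
"""Model of the one-shot kernel update flow: install -> BootNext -> boot ->
promote to BootOrder on success. Added example, not Fedora or systemd code."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class BootManager:
    """Stand-in for the UEFI boot manager's persistent variables."""
    entries: dict[int, str] = field(default_factory=dict)   # Boot####: UKI path (constructed)
    boot_order: list[int] = field(default_factory=list)     # BootOrder: persistent preference
    boot_next: int | None = None                            # BootNext: one-shot override

    def add_entry(self, description: str) -> int:
        """Create a new Boot#### entry (one per installed kernel) and return its number."""
        num = max(self.entries, default=-1) + 1
        self.entries[num] = description
        return num

    def select(self) -> int:
        """Firmware boot selection. BootNext is honoured exactly once and then
        deleted, so a kernel that fails to boot never gets a second try via BootNext."""
        chosen = self.boot_next
        self.boot_next = None                      # firmware clears BootNext before loading
        if chosen is not None and chosen in self.entries:
            return chosen
        for num in self.boot_order:                # fall back to the persistent order
            if num in self.entries:
                return num
        raise RuntimeError("no bootable entry")

    def make_default(self, num: int) -> None:
        """Move an entry to the front of BootOrder (the 'make the update permanent' step)."""
        self.boot_order = [num] + [n for n in self.boot_order if n != num]


def install_kernel(bm: BootManager, uki: str) -> int:
    """Package install step: register the new UKI and arm it for exactly one boot."""
    num = bm.add_entry(uki)
    bm.boot_next = num
    return num


def boot_cycle(bm: BootManager, boots_ok: dict[str, bool]) -> str:
    """One reboot: the firmware picks an entry; only if the OS reaches userspace
    is that kernel promoted. boots_ok maps a UKI name to whether it boots
    (constructed health data). Returns the UKI the firmware attempted."""
    num = bm.select()
    uki = bm.entries[num]
    if boots_ok[uki]:
        bm.make_default(num)
    return uki


def simulate(new_kernel_boots: bool) -> tuple[str, str, list[str]]:
    """Install a new kernel next to a known-good one and reboot twice.
    Returns (first attempted UKI, second attempted UKI, BootOrder as UKI names)."""
    bm = BootManager()
    old_uki, new_uki = "fedora-6.5.old.efi", "fedora-6.6.new.efi"   # constructed names
    bm.make_default(bm.add_entry(old_uki))
    install_kernel(bm, new_uki)
    health = {old_uki: True, new_uki: new_kernel_boots}
    first = boot_cycle(bm, health)
    second = boot_cycle(bm, health)
    return first, second, [bm.entries[n] for n in bm.boot_order]


if __name__ == "__main__":
    print("good kernel:", simulate(True))    # new kernel becomes the default
    print("bad kernel: ", simulate(False))   # firmware falls back to the old kernel
```

The property worth checking is the second tuple element of `simulate(False)`: after a failed first boot the firmware lands on the old kernel and BootOrder still lists only the known-good entry, while the broken entry remains registered but unused. On real hardware the promote step would be a late-boot service rewriting BootOrder with a tool such as efibootmgr; the proposal does not name the tooling, so that is an assumption.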

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes