From Fedora Project Wiki


Unified Kernel Support Phase 2

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Improve support for unified kernels in Fedora.

Owner


Current status

  • Targeted release: Fedora Linux 40
  • Last updated: 2023-10-12
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.

Phase 2/3 goals (longer-term work that is not realistic to complete for Phase 1 / F38):

  • Add proper systemd-boot support to installers.
    • Temporary workaround possible: run 'bootctl install' in %post script.
  • Better measurement and remote attestation support.
    • store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to allow pre-calculating TPM PCR values.
    • avoid using grub2 (it measures every config file line executed, which is next to impossible to pre-calculate).
      • option one: sd-boot
      • option two: let shim.efi load the UKI directly (needs EFI variable updates on kernel updates).
  • Move away from depending on the kernel command line for configuration.
  • Move away from storing secrets in the initrd.
  • Handle dracut optional modules in a different way.

systemd has some building blocks which can be used to handle system configuration, although none of them are used by Fedora today. systemd credentials can be used for secrets (and also for configuration). The unified kernel stub can load credentials from the ESP. The unified kernel stub can also load extensions from the ESP, which can possibly be used to replace optional dracut modules.
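The pre-calculation problem behind the measurement goals above, as an added example that is not part of this proposal or of any systemd or grub2 code: a minimal SHA-256 PCR extend model shows that an expected PCR value can be computed from shipped section digests alone (the kernel-hashes.rpm idea), and why a boot loader that measures every executed config line yields a value that changes whenever a line is added or reordered. The section-measurement order and event layout are assumptions of this model, not the real stub's event log.

```python
import hashlib
from typing import Iterable, Mapping

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, event_digest: bytes) -> bytes:
    """TPM extend for a SHA-256 bank: PCR_new = SHA256(PCR_old || digest)."""
    return hashlib.sha256(pcr + event_digest).digest()

def precompute_pcr(event_digests: Iterable[bytes]) -> bytes:
    """Replay event digests from the all-zero initial PCR, in order."""
    pcr = bytes(32)
    for event_digest in event_digests:
        pcr = pcr_extend(pcr, event_digest)
    return pcr

def uki_event_digests(section_digests: Mapping[str, bytes]) -> list:
    """Simplified model of a UKI stub measuring each PE section: the
    NUL-terminated section name, then the section contents, in a fixed
    (here alphabetical) order. The real sequence comes from the event log."""
    events = []
    for name in sorted(section_digests):
        events.append(digest(name.encode() + b"\0"))
        events.append(section_digests[name])
    return events

def grub_event_digests(config_lines: Iterable[str]) -> list:
    """Model of grub2: every executed config line is its own measurement."""
    return [digest(line.encode()) for line in config_lines]

# Constructed stand-ins for UKI sections; the real ones are megabytes.
UKI_SECTIONS = {
    ".linux": b"vmlinuz-constructed",
    ".initrd": b"initrd-constructed",
    ".cmdline": b"root=UUID=constructed ro quiet",
    ".osrel": b"ID=fedora\nVERSION_ID=40\n",
}

# What a kernel-hashes.rpm-style package could ship: digests only.
SHIPPED_DIGESTS = {n: digest(d).hex() for n, d in UKI_SECTIONS.items()}

def expected_pcr_from_shipped(shipped_hex: Mapping[str, str]) -> bytes:
    """Verifier side: the expected PCR needs only the shipped digests."""
    section_digests = {n: bytes.fromhex(h) for n, h in shipped_hex.items()}
    return precompute_pcr(uki_event_digests(section_digests))
```

A verifier holding the shipped digests can therefore predict the post-boot PCR for a UKI before it is installed, whereas the grub2 model requires knowing every config line that will execute.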

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

How To Test

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes