Unified Kernel Support Phase 2
Summary
Improve support for unified kernels in Fedora.
Owner
- Name: Gerd Hoffmann
- Email: kraxel@redhat.com
Current status
- Targeted release: Fedora Linux 40
- Last updated: 2023-10-12
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.
Phase 2/3 goals (longer-term work that is not realistic to complete for Phase 1 / F38):
- Add proper systemd-boot support to installers.
  - Temporary workaround possible: run 'bootctl install' in a %post script.
- Better measurement and remote attestation support.
  - Store kernel + initrd hashes somewhere (kernel-hashes.rpm?) to allow pre-calculating TPM PCR values.
  - Avoid using grub2 (it measures every config file line executed, which is next to impossible to pre-calculate).
    - Option one: sd-boot.
    - Option two: let shim.efi load the UKI directly (needs EFI variable updates on kernel updates).
- Move away from depending on the kernel command line for configuration.
- Move away from storing secrets in the initrd.
- Handle dracut optional modules in a different way.
systemd has some building blocks which can be used to handle system configuration, although none of them are used by Fedora today. systemd credentials can be used for secrets (and also for configuration). The unified kernel stub can load credentials from the ESP. It can also load extensions from the ESP, which could possibly be used to replace optional dracut modules.
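As an added illustration of the pre-calculation idea above (example code written for this page, not code from the proposal or from systemd): given the kernel and initrd hashes a kernel-hashes style package would ship, the expected PCR value can be replayed offline with TPM2 extend semantics and compared against what the TPM reports, so a changed component shows up as a mismatch. The PCR index, the order in which the stub measures kernel and initrd, and the sample images are assumptions.

```python
import hashlib

# Assumption: a SHA-256 PCR bank, and a PCR the TPM initialises to all zero bytes
# (not one of the PCRs that start as all ones).
PCR_BYTES = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new_pcr = H(old_pcr || digest)."""
    return sha256(pcr + digest)


def predict_pcr(component_digests) -> bytes:
    """Replay the extends in measurement order, starting from a zeroed PCR."""
    pcr = bytes(PCR_BYTES)
    for digest in component_digests:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_reported_pcr(reported_pcr: bytes, expected_digests) -> bool:
    """True when the PCR the TPM reports equals the offline prediction."""
    return reported_pcr == predict_pcr(expected_digests)


# Constructed stand-ins for the kernel and initrd images (not real files).
KERNEL_IMAGE = b"vmlinuz (constructed sample image)"
INITRD_IMAGE = b"initramfs (constructed sample image)"

# The digests a kernel-hashes package would ship for this build.
KERNEL_HASH = sha256(KERNEL_IMAGE)
INITRD_HASH = sha256(INITRD_IMAGE)
# Assumption: the stub measures the kernel first, then the initrd.
EXPECTED_DIGESTS = [KERNEL_HASH, INITRD_HASH]


def expected_boot_pcr() -> bytes:
    return predict_pcr(EXPECTED_DIGESTS)


def tampered_initrd_detected() -> bool:
    """A modified initrd yields a different PCR, so verification fails."""
    tampered = INITRD_IMAGE + b"\n# one extra line"
    reported = predict_pcr([KERNEL_HASH, sha256(tampered)])
    return not verify_reported_pcr(reported, EXPECTED_DIGESTS)
```

The same replay works for any number of measured components, as long as the digests and their order match what the boot stub actually extends.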
Feedback
Benefit to Fedora
Scope
- Proposal owners:
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
User Experience
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)