Unified Kernel Support Phase 1
Summary
Add support for unified kernel images to Fedora.
Owner
- Name: Gerd Hoffmann
- Email: kraxel@redhat.com
Current status
- Targeted release: Fedora Linux 38
- Last updated: 2022-09-26
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
The goal is to move away from initrd images being generated on the installed machine. They are generated while building the kernel package instead, then shipped as part of a unified kernel image.
A unified kernel image is an all-in-one EFI binary containing kernel, initrd, cmdline and signature. The secure boot signature covers everything, including the initrd, which is not the case when the initrd is loaded as a separate file from /boot.
The main motivation for this move is to make the distro more robust and more secure.
Switching the whole distro over to unified kernels quickly is unrealistic; there are too many features depending on the current initrd workflow. That's why there is 'Phase 1' in the title ;)
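Because a unified kernel image is an ordinary PE binary, the layout described above can be checked by reading its section table. The following is an added example, not code from this Change page or from Fedora: it extracts the embedded sections and reports whether a certificate table is attached. The section names are the ones systemd-stub uses (an assumption, the page does not list them), and build_sample creates a constructed, non-bootable test image with a constructed command line.

```python
import struct

# Assumption: systemd-stub section names; the page itself does not list them.
UKI_SECTIONS = (".osrel", ".cmdline", ".initrd", ".linux")

def parse_uki(data):
    """Return (sections, has_cert_table) for a PE32+ image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsect,) = struct.unpack_from("<H", data, pe + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("expected a PE32+ image")
    # Data directory 4 = certificate table; present does not mean it verifies.
    _, cert_size = struct.unpack_from("<II", data, opt + 112 + 4 * 8)
    sections = {}
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _, rsize, off = struct.unpack_from("<IIII", data, hdr + 8)
        # Raw data is padded to the file alignment; VirtualSize is the payload.
        sections[name] = data[off:off + min(vsize, rsize)]
    return sections, cert_size > 0

def missing_uki_sections(sections):
    return [n for n in UKI_SECTIONS if n not in sections]

def build_sample(payloads):
    """Constructed minimal PE32+ image for the demo; not a bootable kernel."""
    start = 0x40 + 24 + 240 + 40 * len(payloads)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, 240, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(238)
    table, body = b"", b""
    for name, blob in payloads.items():
        padded = blob + bytes(-len(blob) % 16)  # mimic alignment padding
        table += struct.pack("<8sIIII16x", name.encode(), len(blob), 0,
                             len(padded), start + len(body))
        body += padded
    return dos + coff + opt + table + body

if __name__ == "__main__":
    img = build_sample({".cmdline": b"console=ttyS0", ".linux": b"K" * 20})
    secs, signed = parse_uki(img)
    print(sorted(secs), signed, missing_uki_sections(secs))
```

On a real image, read the file as bytes and pass it to parse_uki; verifying the signature itself still requires a tool that validates the certificate chain.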
Problems of the current initrd workflow:
- optional dracut modules; an initrd rebuild on the installed machine is needed to enable them.
- configuration / secrets baked into the initrd.
- configuration being specified on the kernel command line.
- root filesystem being the most important one. Discoverable partitions (https://systemd.io/DISCOVERABLE_PARTITIONS/) can help with this one.
Phase 1 goals (high priority):
- Ship a unified kernel image as an (optional) kernel sub-rpm. Users can opt in to that kernel by installing the sub-rpm. The initial focus is on booting virtual machines, where we have a relatively small and well-defined set of drivers / features needed. Booting modern physical machines with a standard setup (i.e. boot from local SATA/NVMe storage) shouldn't be much of a problem either.
- Update kernel install scripts so unified kernels are installed and updated properly.
- Add bootloader support for unified kernel images. Add unified kernel bls support to grub2, or support using systemd-boot, or both.
Phase 1 goals (lower priority, might move to Phase 2):
- Measurement (details todo).
- Discoverable partitions (details todo).
- Switch cloud images to use unified kernels.
Phase 2 goals (longer-term stuff which is not realistic for F38):
- initrd extensions (details todo).
Feedback
Benefit to Fedora
Scope
- Proposal owners:
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
How To Test
User Experience
Dependencies
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
Documentation
N/A (not a System Wide Change)