From Fedora Project Wiki
< Changes
| Line 244: | Line 244: | ||
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | <!-- If you cannot complete your feature by the final development freeze, what is the backup plan? This might be as simple as "Revert the shipped configuration". Or it might not (e.g. rebuilding a number of dependent packages). If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy. --> | ||
* Contingency mechanism: | * Contingency mechanism: <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
** drop kickstart file for the uefi-only cloud image. | ** drop kickstart file for the uefi-only cloud image. | ||
<!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | <!-- When is the last time the contingency mechanism can be put in place? This will typically be the beta freeze. --> | ||
Revision as of 11:24, 23 November 2023
Unified Kernel Support Phase 2
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Improve support for unified kernels in Fedora.
Owner
- Name: Gerd Hoffmann
- Email: kraxel@redhat.com
- Name: Vitaly Kuznetsov
- Email: vkuznets@redhat.com
Current status
- Targeted release: Fedora Linux 40
- Last updated: 2023-11-23
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
See Changes/Unified_Kernel_Support_Phase_1 for overview and Phase 1 goals.
Phase 2 goals
- Add support for booting UKIs directly.
- Boot path is shim.efi -> UKI, without any boot loader (grub, sd-boot) involved.
- The UEFI boot configuration will get an entry for each kernel installed.
- Newly installed kernels are configured to be booted once (via BootNext).
- Successful boot of the system will make the kernel update permanent (update BootOrder).
- Enable UKIs for aarch64.
- Should be just flipping the switch, dependencies such as kernel zboot support are merged.
- Add a UEFI-only cloud image variant which uses UKIs.
- Also suitable for being used in confidential VMs.
- Cover both x86_64 and aarch64.
Related bugs
- shim: remove dependency on grub2-efi-x64 (buzilla 2240989)
- shim: handling of multiple lines in BOOT.CSV is inconsistent (jira RHEL-10704, github 554)
- anaconda: add support for discoverable partitions (bugzilla 2160074, bugzilla 2178043)
- dracut: do not create yet another initramfs for UKIs (github PR 2521)
- kernel: enable UKIs on aarch64 (MR 2818)
Feedback
Benefit to Fedora
- Better secure boot support: the UKI initrd is covered by the signature.
- Better support for tpm measurements and confidential computing.
- measurements are more useful if we know what hashes to expect for the initrd.
- measurements are more useful without grub.efi in the boot path (which measures each grub.cfg line processed).
- More robust boot process
- generating the initrd on the installed system is fragile
Scope
- Proposal owners:
- Other developers:
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives:
Upgrade/compatibility impact
None, it's opt-in. Also the uefi cloud image is an additional image and will not replace the current bios/uefi hybrid image.
How To Test
Switch an existing install to use UKIs.
Needs up-to-date Fedora 39 or Rawhide install in a virtual machine. Bare metal hardware with standard storage (ahci / nvme) should work too.
Needs an big enough ESP to store UKI images there (minimum 200M, recommended 500M).
1. dnf install virt-firmware uki-direct
- The uki-direct package contains the kernel-install plugin and systemd unit needed to automatically manage kernel updates.
- You should have version 23.10 or newer.
2. sh /usr/share/doc/python3-virt-firmware/experimental/fixup-partitions-for-uki.sh
- Workaround for bug 2160074 (anaconda not setting up discoverable partitions).
- UKIs need this to find the root filesystem without root=... on the kernel command line.
3. dnf install kernel-uki-virt
4. kernel-bootcfg --show
- optional step, shows UEFI boot configuration, the new UKI should be added as BootNext
$ kernel-bootcfg --show # C - BootCurrent, N - BootNext, O - BootOrder # -------------------------------------------- # N - 0008 - 6.5.7-300.fc39.x86_64 <= entry for the the new kernel # C O - 0007 - 6.5.6-300.fc39.x86_64 <= currently running kernel # O - 0006 - Fedora <= grub2 entry # O - 0001 - UEFI QEMU QEMU HARDDISK [ ... ]
5. reboot
6. kernel-bootcfg --show
- optional again, after successful boot the new kernel should be first in BootOrder.
$ kernel-bootcfg --show # C - BootCurrent, N - BootNext, O - BootOrder # -------------------------------------------- # C O - 0008 - 6.5.7-300.fc39.x86_64 # O - 0007 - 6.5.6-300.fc39.x86_64 # O - 0006 - Fedora # O - 0001 - UEFI QEMU QEMU HARDDISK [ ... ]
Test UKI cloud images
Repo with kickstart files and scripts: https://gitlab.com/kraxel/fedora-uki
Images for download: https://www.kraxel.org/fedora-uki/
- fedora-uki-cloud: uki-based cloud image, use cloud-init to configure this.
- fedora-uki-direct: minimal uki-based image, root password is 'root'.
- fedora-classic: minimal non-uki image, root password is 'root'.
Known problems:
- images can fail to boot on the first attempt
- should that happen reset the guest once, the second and all following boots will work fine.
- root cause is a shim bug (github 554).
- known workaround: add a vTPM to the guest configuration.
Booting another kernel
From the booted system:
- uefi-boot-menu --reboot
From the firmware:
If your UEFI firmware offers an boot menu you should be able to use that to select the kernel to boot. Unfortunately this is not standardized so there is no standard procedure to do so.
- Virtual machines (OVMF): Enter the firmware setup by pressing ESC when you see the tianocore splash screen. Select "Boot Manager" in the toplevel menu.
- Thinkpad laptops: Interupt normal boot (just 'Enter' on recent hardware, or using the special key on older models), then press F12 ("choose a temporary startup device").
User Experience
Dependencies
Contingency Plan
- Contingency mechanism:
- drop kickstart file for the uefi-only cloud image.
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? No
Documentation
N/A (not a System Wide Change)