OSInside / kiwi

KIWI - Appliance Builder Next Generation
https://osinside.github.io/kiwi
GNU General Public License v3.0

RFE: Add support for direct UKI boot #2408

Open Conan-Kudo opened 10 months ago

Conan-Kudo commented 10 months ago

Problem description

As part of the effort to support UKIs in Fedora Cloud, we need to be able to create images that either generate UKIs or use pre-generated UKIs to boot the system (UEFI->shim->UKI or UEFI->UKI).

I suspect the way to solve this would be to add a uki "bootloader" which would force UEFI only mode and do the minimal effort required to configure the image to boot. We'd want to detect if there's already a UKI built as /boot/efi/EFI/*/vmlinuz-$(uname -r).efi to use or /lib/modules/$(uname -r)/*.efi to copy and install. If one doesn't exist, we should use dracut --uefi to generate one.

An example of a dracut --uefi call (ripped from the Fedora kernel package that produces kernel-virt-uki):

dracut --conf=/path/to/dracut/uki-config.conf \
       --confdir="$(mktemp -d)" \
       --verbose \
       --kver "$(uname -r)" \
       --kmoddir "/lib/modules/$(uname -r)/" \
       --logfile="$(mktemp)" \
       --uefi \
       --kernel-image "/lib/modules/$(uname -r)/vmlinuz" \
       --kernel-cmdline 'console=tty0 console=ttyS0' \
       "/boot/efi/EFI/Linux/vmlinuz-$(uname -r).efi"

Sample dracut uki config:

# generic + compressed please
hostonly="no"
compress="xz"

# VMs can't update microcode anyway
early_microcode="no"

# modules: basics
dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus dbus-broker usrmount shutdown "

# modules: storage support
dracutmodules+=" dm lvm rootfs-block fs-lib "

# modules: tpm and crypto
dracutmodules+=" crypt crypt-loop tpm2-tss "

# drivers: virtual buses, pci
drivers+=" virtio-pci virtio-mmio "      # qemu-kvm
drivers+=" hv-vmbus pci-hyperv "         # hyperv
drivers+=" xen-pcifront "                # xen

# drivers: storage
drivers+=" ahci nvme sd_mod sr_mod "     # generic
drivers+=" virtio-blk virtio-scsi "      # qemu-kvm
drivers+=" hv-storvsc "                  # hyperv
drivers+=" xen-blkfront "                # xen

# root encryption
drivers+=" dm_crypt "

# filesystems
filesystems+=" vfat btrfs ext4 xfs overlay "

# systemd-pcrphase
install_items+=" /lib/systemd/system/systemd-pcrphase-initrd.service /usr/lib/systemd/systemd-pcrphase /usr/lib/systemd/system/initrd.target.wants/systemd-pcrphase-initrd.service "

Unlike with the shim+grub situation, we will want a way to force generating UKIs because a different cmdline or module bundle may be desired, since there's no way to pass kernel cmdlines from UEFI to boot the OS.

OS and Software information

Conan-Kudo commented 10 months ago

cc: @davide125, @davdunc, @DaanDeMeyer, @kraxel

kraxel commented 10 months ago

I don't think kiwi should generate UKIs. Either the distro provides UKIs, then just use them. Or use traditional kernel + initrd. Everything else is asking for trouble when it comes to kernel updates.

Supporting UKIs essentially needs: (a) copying the UKI to the ESP, and (b) generating BOOT.CSV.

See https://pagure.io/fork/kraxel/fedora-kiwi-descriptions/blob/kraxel/f/uki-setup.sh
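The two comments above describe one procedure from two angles: the first wants a UKI located on the ESP or in /lib/modules (falling back to dracut --uefi), the second reduces the install step to copying the UKI to the ESP and writing BOOT.CSV for shim's fallback loader. The script below is an added example written for this page, not kiwi's code and not the uki-setup.sh linked above. It assumes the vmlinuz-<kver>.efi naming and search paths from the issue text, keeps BOOT.CSV next to the UKI in EFI/Linux so the CSV's filename field is relative to that directory, and assumes the fallback BOOT.CSV format of UTF-16LE with a byte order mark and one "filename,label,options,description" entry per line. The dracut fallback builds against the running system (or the chroot kiwi is working in), so the ROOT argument is only used for locating and copying files. In the UEFI->shim->UKI path the copied UKI still has to be signed with a key shim trusts; fallback.efi only creates the boot entry.

```shell
#!/bin/sh
# Added example for kiwi issue #2408: find or build a UKI for a kernel version,
# put it on the ESP and write a shim-fallback BOOT.CSV for it.
# Illustrative code written for this page; paths, the EFI/Linux target directory
# and the vmlinuz-<kver>.efi naming are assumptions taken from the issue text.
set -eu

# find_uki ROOT KVER: print the path of an existing UKI for KVER below ROOT.
# Search order follows the issue: a UKI already on the ESP, then one shipped
# by the kernel package under /lib/modules. Returns 1 when nothing is found.
find_uki() {
    root=$1; kver=$2
    for f in "$root"/boot/efi/EFI/*/vmlinuz-"$kver".efi \
             "$root"/lib/modules/"$kver"/*.efi; do
        [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# build_uki KVER OUT CMDLINE: the fallback from the issue, dracut --uefi.
# dracut examines the running system (or the chroot kiwi runs in), so this
# is only meaningful when that system carries /lib/modules/KVER.
build_uki() {
    kver=$1; out=$2; cmdline=$3
    dracut --force --uefi \
        --kver "$kver" \
        --kmoddir "/lib/modules/$kver/" \
        --kernel-image "/lib/modules/$kver/vmlinuz" \
        --kernel-cmdline "$cmdline" \
        "$out"
}

# write_boot_csv DIR FILENAME LABEL: write DIR/BOOT.CSV for shim's fallback.efi.
# Assumed format: UTF-16LE with BOM, one entry per line,
# fields "filename,label,options,description"; FILENAME is relative to DIR.
write_boot_csv() {
    dir=$1; file=$2; label=$3
    mkdir -p "$dir"
    {
        printf '\377\376'   # UTF-16LE byte order mark
        printf '%s,%s,,%s\n' "$file" "$label" "UKI boot entry for $label" \
            | iconv -f UTF-8 -t UTF-16LE
    } > "$dir/BOOT.CSV"
}

# install_uki ROOT KVER LABEL [CMDLINE]: the whole procedure.
# Copies (or builds) ROOT/boot/efi/EFI/Linux/vmlinuz-KVER.efi and writes
# BOOT.CSV beside it. CMDLINE is only used when a UKI has to be generated.
install_uki() {
    root=$1; kver=$2; label=$3; cmdline=${4:-}
    ukidir="$root/boot/efi/EFI/Linux"
    ukiname="vmlinuz-$kver.efi"
    target="$ukidir/$ukiname"
    mkdir -p "$ukidir"
    if src=$(find_uki "$root" "$kver"); then
        # A UKI that already sits at the target needs no copy.
        [ "$src" = "$target" ] || cp "$src" "$target"
    else
        build_uki "$kver" "$target" "$cmdline"
    fi
    write_boot_csv "$ukidir" "$ukiname" "$label"
    printf 'installed %s\n' "$target"
}
```

Usage: `install_uki / "$(uname -r)" Fedora 'console=tty0 console=ttyS0'`. The cmdline argument matters only on the dracut fallback path, which is exactly the case the first comment raises: a pre-built UKI carries its own embedded command line, and nothing in the UEFI->UKI path can replace it at boot, so a different cmdline or module set means generating a different UKI.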