joonas-fi
commented
8 months ago Additional motivation: secure boot
An UKI is easier to sign for secure boot.
This is an enabler for SB.
High-level flow
flowchart TD
boot(Device boot) --> uefiboot
uefiboot[Firmware bootloader\nUEFI] -->|Find ESP| B(run:\n/EFI/BOOT/BOOTx64.efi\nUKI as EFI app)
B --> C(EFI Stub\nouter interface: EFI\ninner interface: Linux loader\n\n- passes embedded resources to Linux kernel)
C --> bootLinux(Boot Linux kernel)
Kernel --> Resources(Embedded resources)
Initrd(Initrd\n- 'early userspace'\n- knows how to find & mount root partition) --> Resources
Cmdline --> Resources
Resources --> BHow to build an UKI
Build the UKI (BOOTx64.efi):
$ docker run --rm -it -v /sysroot/apps/OS-checkout/a04daf5:/sysroot -v $(pwd):/workspace ukify build --linux=/sysroot/boot/vmlinuz --initrd=/sysroot/boot/initrd.img --cmdline="root=LABEL=persist sysid=a04daf5 rw" --output=/workspace/BOOTx64.efiNow to bake that into boot partition:
$ sudo mount /dev/sda1 /tmp/newboot
$ cp BOOTx64.efi /tmp/newboot/EFI/BOOT/BOOTx64.efiThe boot partition minimally should look like this:
$ tree /boot
/boot
└── EFI
└── BOOT
└── BOOTx64.efiLinks:
Test in VM
rm testboot.qcow2
qemu-img create -f qcow2 -b /dev/sda -F raw testboot.qcow2Then launch VM
qemu-system-x86_64 -machine type=q35,accel=kvm -drive file=testboot.qcow2 -drive if=pflash,format=raw,unit=0,readonly=on,file=misc/uefi-files/OVMF_CODE-pure-efi.fd -m 8G -smp 4
https://github.com/RobertCsordas/arch-efiboot/blob/master/build_kernel.sh
This would enable us to boot without rEFInd directly into Linux (or Linux-based boot menu)