microsoft / azurelinux

Linux OS for Azure 1P services and edge appliances
MIT License

Passing Kernel Params from systemd-boot for Secure Boot UKI #10635

Open yockgen opened 1 week ago

yockgen commented 1 week ago

My Mariner OS is built with the following features:

  1. Unified Kernel Image (kernel+initrd+cmdline)
  2. Systemd-boot as boot loader
  3. Secure Boot enabled
  4. Multi boot

The systemd-boot config files look like below:

root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa ro quiet yockgen=1
root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
Title   Yockgen OS2 UKI
efi     /EFI/Linux/linux-6.1.0-1.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2

With Secure Boot enabled, /proc/cmdline is no longer overwritten by the systemd-boot configuration. The cmdline shows the params from UKI build time.

Runtime logs as below:

root@YockgenOS [ ~ ]# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2       rd.auto=1 root=PARTUUID=21f13e53-110f-4be5-b18a-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0

root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=1

root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
Title   Yockgen OS2 UKI
efi     /EFI/Linux/linux-6.1.0-1.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2

I couldn't hardcode the 'yockgen' parameter during the build process, as its value depends on the runtime environment. This value needs to be assessed by a custom Dracut module during the initrd stage to mount specific devices.

What could be the possible solution for this?

Thanks a lot for any guidance!
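A check for the symptom described in this post, as an added example that is not part of the original issue or of the azurelinux project: it parses a systemd-boot loader entry and lists the `options` tokens that are absent from the running kernel command line. It assumes the entry passed in is the one that was booted and that parameters are separated by whitespace only; the function names are illustrative.

```python
#!/usr/bin/env python3
"""Report loader-entry options that never reached the running kernel."""
import sys
from pathlib import Path


def parse_entry(text):
    """Parse a systemd-boot loader entry into {key: [values]}."""
    entry = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        # Keys are lowercased so the post's "Title" is accepted too.
        # A key may repeat (several "options" lines), so keep a list.
        entry.setdefault(parts[0].lower(), []).append(value)
    return entry


def dropped_options(entry_text, running_cmdline):
    """Return the entry's 'options' tokens missing from the running cmdline."""
    wanted = " ".join(parse_entry(entry_text).get("options", [])).split()
    running = set(running_cmdline.split())
    return [tok for tok in wanted if tok not in running]


# Constructed sample: sos1.conf and an abbreviated /proc/cmdline from the post.
SAMPLE_ENTRY = """\
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa ro quiet yockgen=1
"""
SAMPLE_CMDLINE = (
    "rd.auto=1 root=PARTUUID=21f13e53-110f-4be5-b18a-fed745cacc87 "
    "init=/lib/systemd/systemd ro loglevel=3 lockdown=integrity net.ifnames=0"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. /boot/efi/loader/entries/sos1.conf
        entry = Path(sys.argv[1]).read_text()
        cmdline = Path("/proc/cmdline").read_text()
    else:
        entry, cmdline = SAMPLE_ENTRY, SAMPLE_CMDLINE
    missing = dropped_options(entry, cmdline)
    for tok in missing:
        print(f"not applied: {tok}")
    sys.exit(1 if missing else 0)
```
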

trungams commented 2 days ago

Hi @yockgen, would UKI addons be something you are looking for?

https://uapi-group.org/specifications/specs/unified_kernel_image/#pe-addons

yockgen commented 2 days ago

Thanks @trungams. Yes, a PE addon is one of the possible solutions. However, there is a rigid security requirement for my project concerning whether the PE addon EFI could be copied and pasted to other UKIs on the device to overwrite the cmdline; according to my understanding, this is possible. What is your suggestion on this?