https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Add support for unified kernels images to Fedora. == Owner == * Name: [[User:kraxel| Gerd Hoffmann]] * Email: kraxel(a)redhat.com == Detailed Description == The goal is to move away from initrd images being generated on the installed machine. They are generated while building the kernel package instead, then shipped as part of a unified kernel image. A unified kernel image is an all-in-one efi binary containing kernel, initrd, cmdline and signature. The secure boot signature covers everything, specifically the initrd is included which is not the case when the initrd gets loaded as separate file from /boot.

> == Detailed Description == > The goal is to move away from initrd images being generated on the > installed machine. They are generated while building the kernel > package instead, then shipped as part of a unified kernel image. > > A unified kernel image is an all-in-one efi binary containing kernel, > initrd, cmdline and signature. The secure boot signature covers > everything, specifically the initrd is included which is not the case > when the initrd gets loaded as separate file from /boot. What platforms are going to be affected? Is it x86-64 only or does it include aarch64 (as it's also using UEFI)?

Are ppc64le and s390x out of the current scope?

On Tue, Dec 20, 2022 at 10:22:03AM -0500, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 It's great to see this happening! > Phase 1 goals (high priority): > > * Ship a unified kernel image as (optional) kernel sub-rpm. Users can > opt-in to use that kernel by installing the sub-rpm. Initial focus is > on booting virtual machines where we have a relatively small and well > defined set of drivers / features needed. Supporting modern physical > machines with standard setup (i.e. boot from local sata/nvme storage) > too should be easy. > * Update kernel install scripts so unified kernels are installed and > updated properly. > * Add bootloader support for unified kernel images. Add > [https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... > unified kernel bls support] to grub2, or support using systemd-boot, > or both. > > Phase 1 goals (lower priority, might move to Phase 2): > > * Add proper discoverable partitions support to installers (anaconda, > image builder, ...). > ** Temporary workaround possible: set types using sfdisk in %post script. > ** When using btrfs: configure 'root' subvolume as default volume. > * Add proper systemd-boot support to installers. > ** Temporary workaround possible: run 'bootctl install' in %post script. > * Better measurement and remote attestation support. > ** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to > allow pre-calculate TPM PCR values. > ** avoid using grub2 (measures every config file line executed which > is next to impossible to pre-calculate). > * Switch cloud images to use unified kernels. With my FESCo hat on, I immediately have the following comment: please narrow down the scope to things that we can actually approve for F38. E.g. the parts related to replacing grub2 by sd-boot are IMHO not realistic for F38 (*). And if we use grub2, then also the pre-calculation of TPM PCR values is not realistic, since they are too volatile with grub2... I think that those are all very interesting research tangents, but the stuff that gets a stamp of approval as a Fedora Change needs to be down-to-earth and users-know-what-to-expect and you-can-pretty-much-figure-out-how-things-will-look-from-the-change-description. (*) Or if that is actually the plan, please specify *where* sd-boot would be supported.

https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee. == Summary == Add support for unified kernels images to Fedora. == Owner == * Name: [[User:kraxel| Gerd Hoffmann]] * Email: kraxel(a)redhat.com == Detailed Description == The goal is to move away from initrd images being generated on the installed machine. They are generated while building the kernel package instead, then shipped as part of a unified kernel image. A unified kernel image is an all-in-one efi binary containing kernel, initrd, cmdline and signature. The secure boot signature covers everything, specifically the initrd is included which is not the case when the initrd gets loaded as separate file from /boot. Main motivation for this move is to make the distro more robust and more secure. Switching the whole distro over to unified kernels quickly is not realistic though. Too many features are depending on the current workflow with a host-specific initrd (and host-specific kernel command line), which is fundamentally incompatible with unified kernels where everybody will have the same initrd and command line. Thats why there is 'Phase 1' in title, so we can have more Phases in future releases 😃 A host-specific initrd / command line is needed today for: * features needing optional dracut modules (initrd rebuild needed to enable them). * configuration / secrets baked into the initrd (booting from iscsi for example). * configuration being specified on the kernel command line. ** root filesystem being the most important one. [https://systemd.io/DISCOVERABLE_PARTITIONS/ Discoverable partitions] allow to remove this. Phase 1 goals (high priority): * Ship a unified kernel image as (optional) kernel sub-rpm. Users can opt-in to use that kernel by installing the sub-rpm. Initial focus is on booting virtual machines where we have a relatively small and well defined set of drivers / features needed. Supporting modern physical machines with standard setup (i.e. boot from local sata/nvme storage) too should be easy. * Update kernel install scripts so unified kernels are installed and updated properly. * Add bootloader support for unified kernel images. Add [https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... unified kernel bls support] to grub2, or support using systemd-boot, or both. Phase 1 goals (lower priority, might move to Phase 2): * Add proper discoverable partitions support to installers (anaconda, image builder, ...). ** Temporary workaround possible: set types using sfdisk in %post script. ** When using btrfs: configure 'root' subvolume as default volume. * Add proper systemd-boot support to installers. ** Temporary workaround possible: run 'bootctl install' in %post script. * Better measurement and remote attestation support. ** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to allow pre-calculate TPM PCR values. ** avoid using grub2 (measures every config file line executed which is next to impossible to pre-calculate). * Switch cloud images to use unified kernels. Phase 2/3 goals (longer-term stuff which is not realistic to complete for F38). * Move away from using the kernel command line for configuration. * Move away from storing secrets in the initrd. * Handle dracut optional modules in a different way. systemd has some building blocks which can be used, although none of them are used by fedora today. [https://www.freedesktop.org/software/systemd/man/systemd-creds.html systemd credentials] can be used for secrets (also for configuration). The [https://www.freedesktop.org/software/systemd/man/systemd-stub.html unified kernel stub] can load credentials from the ESP. The unified kernel stub can also load [https://www.freedesktop.org/software/systemd/man/systemd-sysext.html extensions] from the ESP, which can possibly be used to replace optional dracut modules. == Feedback == == Benefit to Fedora == * Better secure boot support (specifically the initrd is covered by the signature). * Better confidential computing support (measurements are much more useful if we know what hashes to expect for the initrd). * More robust boot process (generating the initrd on the installed system is fragile, root cause for kernel bugs reported is simply a broken initrd sometimes). == Scope == * Proposal owners: ** Update kernel build to create unified kernel sub-package. *** part one: [https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2179 PR#2179] *** part two: (wip) [https://gitlab.com/kraxel/kernel-ark/-/commits/unified/ https://gitlab.com/kraxel/kernel-ark/-/commits/unified/] * Other developers: ** grub2: add unified kernel support *** wip code at [https://github.com/osteffenrh/grub2/ https://github.com/osteffenrh/grub2/] ** installer(s): add support for discoverable partitions. *** [https://bugzilla.redhat.com/show_bug.cgi?id=1075288 Bug#1075288] * Release engineering: [https://pagure.io/releng/issues #Releng issue number] * Policies and guidelines: N/A (not needed for this Change) * Trademark approval: N/A (not needed for this Change) * Alignment with Objectives: == Upgrade/compatibility impact == None (using unified kernel is opt-in for Phase 1). == How To Test == Try on a existing (uefi) system: * make sure you are running fedora 37 or rawhide. * make sure your root filesystem has type "Linux root (x86-64)" (use `fdisk -l` to check). ** should that not be the case use the fdisk tag command ('t') to change the partition type. * when using btrfs: make sure the 'root' subvolume is set as default volume. * `dnf copr enable kraxel/unified.kernel` * `dnf update "grub2*"` * `dnf install kernel-unified-virt` * `reboot` You should find two entries in the grub2 boot menu, one for classing kernel with separate initrd and one for the unified kernel image. Both should boot fine. The https://gitlab.com/kraxel/fedora-uki project has kickstart files and helper scripts for generating virtual machine images. * image using grub2-efi: https://gitlab.com/kraxel/fedora-uki/-/raw/master/kickstart/fedora-uki-gr... * image using systemd-boot: https://gitlab.com/kraxel/fedora-uki/-/raw/master/kickstart/fedora-uki-sd... Prebuilt virtual machine images are available from https://www.kraxel.org/fedora-uki/. == User Experience == == Dependencies == == Contingency Plan == * Contingency mechanism: ** Probably none (unified kernel images are opt-in for Phase 1). ** In case we tried switching the cloud images to unified kernels: revert the kickstart config changes. * Contingency deadline: * Blocks release? No == Documentation == == Release Notes ==

Hi, On 12/20/22 17:28, Neal Gompa wrote: > On Tue, Dec 20, 2022 at 10:22 AM Ben Cotton <bcotton(a)redhat.com&gt; wrote: >> >> https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 >> >> This document represents a proposed Change. As part of the Changes >> process, proposals are publicly announced in order to receive >> community feedback. This proposal will only be implemented if approved >> by the Fedora Engineering Steering Committee. >> >> >> == Summary == >> Add support for unified kernels images to Fedora. >> >> == Owner == >> * Name: [[User:kraxel| Gerd Hoffmann]] >> * Email: kraxel(a)redhat.com >> >> >> == Detailed Description == >> The goal is to move away from initrd images being generated on the >> installed machine. They are generated while building the kernel >> package instead, then shipped as part of a unified kernel image. >> >> A unified kernel image is an all-in-one efi binary containing kernel, >> initrd, cmdline and signature. The secure boot signature covers >> everything, specifically the initrd is included which is not the case >> when the initrd gets loaded as separate file from /boot. >> >> Main motivation for this move is to make the distro more robust and more secure. >> >> Switching the whole distro over to unified kernels quickly is not >> realistic though. Too many features are depending on the current >> workflow with a host-specific initrd (and host-specific kernel command >> line), which is fundamentally incompatible with unified kernels where >> everybody will have the same initrd and command line. Thats why there >> is 'Phase 1' in title, so we can have more Phases in future releases >> 😃 >> >> A host-specific initrd / command line is needed today for: >> >> * features needing optional dracut modules (initrd rebuild needed to >> enable them). >> * configuration / secrets baked into the initrd (booting from iscsi >> for example). >> * configuration being specified on the kernel command line. >> ** root filesystem being the most important one. >> [https://systemd.io/DISCOVERABLE_PARTITIONS/ Discoverable partitions] >> allow to remove this. >> >> Phase 1 goals (high priority): >> >> * Ship a unified kernel image as (optional) kernel sub-rpm. Users can >> opt-in to use that kernel by installing the sub-rpm. Initial focus is >> on booting virtual machines where we have a relatively small and well >> defined set of drivers / features needed. Supporting modern physical >> machines with standard setup (i.e. boot from local sata/nvme storage) >> too should be easy. >> * Update kernel install scripts so unified kernels are installed and >> updated properly. >> * Add bootloader support for unified kernel images. Add >> [https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... >> unified kernel bls support] to grub2, or support using systemd-boot, >> or both. >> >> Phase 1 goals (lower priority, might move to Phase 2): >> >> * Add proper discoverable partitions support to installers (anaconda, >> image builder, ...). >> ** Temporary workaround possible: set types using sfdisk in %post script. >> ** When using btrfs: configure 'root' subvolume as default volume. >> * Add proper systemd-boot support to installers. >> ** Temporary workaround possible: run 'bootctl install' in %post script. >> * Better measurement and remote attestation support. >> ** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to >> allow pre-calculate TPM PCR values. >> ** avoid using grub2 (measures every config file line executed which >> is next to impossible to pre-calculate). >> * Switch cloud images to use unified kernels. >> >> Phase 2/3 goals (longer-term stuff which is not realistic to complete for F38). >> >> * Move away from using the kernel command line for configuration. >> * Move away from storing secrets in the initrd. >> * Handle dracut optional modules in a different way. >> >> systemd has some building blocks which can be used, although none of >> them are used by fedora today. >> [https://www.freedesktop.org/software/systemd/man/systemd-creds.html >> systemd credentials] can be used for secrets (also for configuration). >> The [https://www.freedesktop.org/software/systemd/man/systemd-stub.html >> unified kernel stub] can load credentials from the ESP. >> >> The unified kernel stub can also load >> [https://www.freedesktop.org/software/systemd/man/systemd-sysext.html >> extensions] from the ESP, which can possibly be used to replace >> optional dracut modules. >> >> == Feedback == >> >> >> == Benefit to Fedora == >> * Better secure boot support (specifically the initrd is covered by >> the signature). >> * Better confidential computing support (measurements are much more >> useful if we know what hashes to expect for the initrd). >> * More robust boot process (generating the initrd on the installed >> system is fragile, root cause for kernel bugs reported is simply a >> broken initrd sometimes). >> >> == Scope == >> * Proposal owners: >> ** Update kernel build to create unified kernel sub-package. >> *** part one: [https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2179 >> PR#2179] >> *** part two: (wip) >> [https://gitlab.com/kraxel/kernel-ark/-/commits/unified/ >> https://gitlab.com/kraxel/kernel-ark/-/commits/unified/] >> >> * Other developers: >> ** grub2: add unified kernel support >> *** wip code at [https://github.com/osteffenrh/grub2/ >> https://github.com/osteffenrh/grub2/] >> ** installer(s): add support for discoverable partitions. >> *** [https://bugzilla.redhat.com/show_bug.cgi?id=1075288 Bug#1075288] >> >> * Release engineering: [https://pagure.io/releng/issues #Releng issue number] >> * Policies and guidelines: N/A (not needed for this Change) >> * Trademark approval: N/A (not needed for this Change) >> * Alignment with Objectives: >> >> >> == Upgrade/compatibility impact == >> >> None (using unified kernel is opt-in for Phase 1). >> >> == How To Test == >> Try on a existing (uefi) system: >> * make sure you are running fedora 37 or rawhide. >> * make sure your root filesystem has type "Linux root (x86-64)" (use >> `fdisk -l` to check). >> ** should that not be the case use the fdisk tag command ('t') to >> change the partition type. >> * when using btrfs: make sure the 'root' subvolume is set as default volume. >> * `dnf copr enable kraxel/unified.kernel` >> * `dnf update "grub2*"` >> * `dnf install kernel-unified-virt` >> * `reboot` >> You should find two entries in the grub2 boot menu, one for classing >> kernel with separate initrd and one for the unified kernel image. >> Both should boot fine. >> >> The https://gitlab.com/kraxel/fedora-uki project has kickstart files >> and helper scripts for generating virtual machine images. >> * image using grub2-efi: >> https://gitlab.com/kraxel/fedora-uki/-/raw/master/kickstart/fedora-uki-gr... >> * image using systemd-boot: >> https://gitlab.com/kraxel/fedora-uki/-/raw/master/kickstart/fedora-uki-sd... >> >> Prebuilt virtual machine images are available from >> https://www.kraxel.org/fedora-uki/. >> >> == User Experience == >> >> >> == Dependencies == >> >> >> == Contingency Plan == >> * Contingency mechanism: >> ** Probably none (unified kernel images are opt-in for Phase 1). >> ** In case we tried switching the cloud images to unified kernels: >> revert the kickstart config changes. >> * Contingency deadline: >> * Blocks release? No >> >> == Documentation == >> >> >> == Release Notes == >> > > I think UKIs are fundamentally flawed and are an idea that came out of > a group that doesn't really interact with real users enough to > understand how much of a problem they actually are. I realize that > this Change is only about VMs, but since it explicitly talks about it > being "phase 1", the implication is that future Changes are coming to > switch fully over. Consequently, I'm going to provide much more > holistic feedback instead of just nitpicking on this case. > > In the Fedora case, things are simpler right up until we hit graphics > drivers. This is also a problem for VMs too, because GPU passthrough > is a common case for scientific and gaming workloads. In case of VMs there certainly is no need to load the GPU driver from the initrd. > As long as the > NVIDIA driver remains dominant in Linux, UKIs cannot work because by > design you cannot load anything that isn't part of the kernel image. Actually since the NVIDIA binary driver couples the driver and userspace versions together very tightly using the NVIDIA binary driver inside the initrd is a bad idea. The rpmfusion pkgs deliberately do not do this so that the kmods can be rebuild on an nvidia driver update for all installed kernels without needing to then also regenerate all initrds (which would be a bad thing to do since we might then cause all initrds to break at the same time). > For bare metal, we *need* these drivers in early boot, though Actually I have been toying with the idea to just rely on efifb in the initrd, at least for the cases where we have an efifb/simpledrm. When doing a 32 bit Debian install to test some kernel stuff on quite old hw I noticed that Debian's install images let *grub* bring up the video-output in vesa mode, with automatic resolution selection. If we were to do this for legacy BIOS too then the kernel could inherit that vesa mode with simpledrm and then we would have legacy BIOS boot also covered with a "firmware framebuffer".

Given the discussion about firmware sizes for GPUs in other threads, I think this is something to seriously consider. Otherwise the size of our initrds is going to become absolutely huge. Using firmware framebuffers inside the initrd could also significantly speed up booting, since then the graphics card probing, which can be quite slow when there are multiple external monitors, can be done in parallel with booting the rest of the system instead of having plymouth block on this.

Neal Gompa wrote: > I think Fedora is the only major distro that doesn't do this, > actually. Mageia and openSUSE do this too. They also use graphical > GRUB by default instead of plain text GRUB. IIRC, the reason that Fedora does not use graphical GRUB by default is that it at least used to break the NVidia proprietary driver.

On Tue, Dec 20, 2022 at 10:22 AM Ben Cotton <bcotton(a)redhat.com&gt; wrote: > > https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > > == Summary == > Add support for unified kernels images to Fedora. > > == Owner == > * Name: [[User:kraxel| Gerd Hoffmann]] > * Email: kraxel(a)redhat.com > > > == Detailed Description == > The goal is to move away from initrd images being generated on the > installed machine. They are generated while building the kernel > package instead, then shipped as part of a unified kernel image. > > A unified kernel image is an all-in-one efi binary containing kernel, > initrd, cmdline and signature. The secure boot signature covers > everything, specifically the initrd is included which is not the case > when the initrd gets loaded as separate file from /boot. > > Main motivation for this move is to make the distro more robust and more secure. > > Switching the whole distro over to unified kernels quickly is not > realistic though. Too many features are depending on the current > workflow with a host-specific initrd (and host-specific kernel command > line), which is fundamentally incompatible with unified kernels where > everybody will have the same initrd and command line. Thats why there > is 'Phase 1' in title, so we can have more Phases in future releases > 😃 > > A host-specific initrd / command line is needed today for: > > * features needing optional dracut modules (initrd rebuild needed to > enable them). > * configuration / secrets baked into the initrd (booting from iscsi > for example). > * configuration being specified on the kernel command line. > ** root filesystem being the most important one. > [https://systemd.io/DISCOVERABLE_PARTITIONS/ Discoverable partitions] > allow to remove this. > > Phase 1 goals (high priority): > > * Ship a unified kernel image as (optional) kernel sub-rpm. Users can > opt-in to use that kernel by installing the sub-rpm. Initial focus is > on booting virtual machines where we have a relatively small and well > defined set of drivers / features needed. Supporting modern physical > machines with standard setup (i.e. boot from local sata/nvme storage) > too should be easy. > * Update kernel install scripts so unified kernels are installed and > updated properly. > * Add bootloader support for unified kernel images. Add > [https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... > unified kernel bls support] to grub2, or support using systemd-boot, > or both. > > Phase 1 goals (lower priority, might move to Phase 2): > > * Add proper discoverable partitions support to installers (anaconda, > image builder, ...). > ** Temporary workaround possible: set types using sfdisk in %post script. > ** When using btrfs: configure 'root' subvolume as default volume. > * Add proper systemd-boot support to installers. > ** Temporary workaround possible: run 'bootctl install' in %post script. > * Better measurement and remote attestation support. > ** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to > allow pre-calculate TPM PCR values. > ** avoid using grub2 (measures every config file line executed which > is next to impossible to pre-calculate). > * Switch cloud images to use unified kernels. > > Phase 2/3 goals (longer-term stuff which is not realistic to complete for F38). > > * Move away from using the kernel command line for configuration. > * Move away from storing secrets in the initrd. > * Handle dracut optional modules in a different way.

I think UKIs are fundamentally flawed and are an idea that came out of a group that doesn't really interact with real users enough to understand how much of a problem they actually are. I realize that this Change is only about VMs, but since it explicitly talks about it being "phase 1", the implication is that future Changes are coming to switch fully over. Consequently, I'm going to provide much more holistic feedback instead of just nitpicking on this case.

In the Fedora case, things are simpler right up until we hit graphics drivers. This is also a problem for VMs too, because GPU passthrough is a common case for scientific and gaming workloads. As long as the NVIDIA driver remains dominant in Linux, UKIs cannot work because by design you cannot load anything that isn't part of the kernel image. For bare metal, we *need* these drivers in early boot, though. And that's another problem: no third-party early boot drivers. Even if you solve the signing issue, you need to introduce some kind of two-stage OS boot process so we can bring up the bare minimum to load a second image containing all the remaining drivers. And at that point, you've defeated the purpose of UKIs. I've heard from some people that system extensions (sysexts) would be a way to solve this, and maybe it is.

But again, we've eliminated the value of UKIs by doing so.

Speaking more broadly, there are also problems that will be introduced as this trickles down from Fedora into prominent downstreams (assuming this is accepted). In the RHEL case, you've basically broken driver disks completely. In the UKI model, there's no way to incorporate early boot storage, network, and graphics drivers. This is *incredibly* common for RHEL administrators because there's a general acceptance of proprietary kernel modules from vendors these days. Even ignoring those, Red Hat's kernel feature support mindset is completely incompatible with UKIs, because RHEL does default-off rather than Fedora's default-on model for kernel features. We could debate until the cows come home on whether it's right or wrong, but their current mindset essentially means tons of common hardware becomes unsupported quite regularly. The ELRepo project is popular among RHEL folks because it restores those drivers and makes it possible to use RHEL on those machines through a combination of driver disks and kernel module packages.

The crux of the problem here is *signing*. All of this is tied up in Secure Boot and TPM, which is the wrong place to actually handle this. In other operating systems (notably Windows), Secure Boot certificates are not used for blocking or enabling kernel-level drivers. Instead, there's a kernel-level certificate store that is used to validate and enable drivers, allowing everything to be managed in a hardware platform agnostic way. I've also yet to hear of a decent reason for TPM measurements too. Block or filesystem verity provides similar guarantees to provide tamper resistance and are both much easier to debug than TPM interfaces. I am not convinced that you are providing security or reliability with this and the trade-offs are *terrible* for regular users.

With my FESCo hat on, I'm uneasy about this change. With my "Fedora user and advocate" hat on, I think that the UAPI group has failed to provide something useful to the Linux world here and I would be extremely apprehensive about Fedora adopting any portion of this stuff.

On Tue, Dec 20, 2022 at 2:02 PM Daniel P. Berrangé <berrange(a)redhat.com wrote: > On Tue, Dec 20, 2022 at 11:28:48AM -0500, Neal Gompa wrote: > > On Tue, Dec 20, 2022 at 10:22 AM Ben Cotton <bcotton(a)redhat.com wrote: > > > > https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 > > > > > This document represents a proposed Change. As part of the Changes > > > process, proposals are publicly announced in order to receive > > > community feedback. This proposal will only be implemented if approved > > > by the Fedora Engineering Steering Committee. > > > > > > > == Summary == > > > Add support for unified kernels images to Fedora. > > > > > == Owner == > > > * Name: [[User:kraxel| Gerd Hoffmann]] > > > * Email: kraxel(a)redhat.com > > > > > > > == Detailed Description == > > > The goal is to move away from initrd images being generated on the > > > installed machine. They are generated while building the kernel > > > package instead, then shipped as part of a unified kernel image. > > > > > A unified kernel image is an all-in-one efi binary containing kernel, > > > initrd, cmdline and signature. The secure boot signature covers > > > everything, specifically the initrd is included which is not the case > > > when the initrd gets loaded as separate file from /boot. > > > > > Main motivation for this move is to make the distro more robust and more secure. > > > > > Switching the whole distro over to unified kernels quickly is not > > > realistic though. Too many features are depending on the current > > > workflow with a host-specific initrd (and host-specific kernel command > > > line), which is fundamentally incompatible with unified kernels where > > > everybody will have the same initrd and command line. Thats why there > > > is 'Phase 1' in title, so we can have more Phases in future releases > > > 😃 > > > > > A host-specific initrd / command line is needed today for: > > > > > * features needing optional dracut modules (initrd rebuild needed to > > > enable them). > > > * configuration / secrets baked into the initrd (booting from iscsi > > > for example). > > > * configuration being specified on the kernel command line. > > > ** root filesystem being the most important one. > > > [https://systemd.io/DISCOVERABLE_PARTITIONS/ Discoverable partitions] > > > allow to remove this. > > > > > Phase 1 goals (high priority): > > > > > * Ship a unified kernel image as (optional) kernel sub-rpm. Users can > > > opt-in to use that kernel by installing the sub-rpm. Initial focus is > > > on booting virtual machines where we have a relatively small and well > > > defined set of drivers / features needed. Supporting modern physical > > > machines with standard setup (i.e. boot from local sata/nvme storage) > > > too should be easy. > > > * Update kernel install scripts so unified kernels are installed and > > > updated properly. > > > * Add bootloader support for unified kernel images. Add > > > [ https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... > > > unified kernel bls support] to grub2, or support using systemd-boot, > > > or both. > > > > > Phase 1 goals (lower priority, might move to Phase 2): > > > > > * Add proper discoverable partitions support to installers (anaconda, > > > image builder, ...). > > > ** Temporary workaround possible: set types using sfdisk in %post script. > > > ** When using btrfs: configure 'root' subvolume as default volume. > > > * Add proper systemd-boot support to installers. > > > ** Temporary workaround possible: run 'bootctl install' in %post script. > > > * Better measurement and remote attestation support. > > > ** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to > > > allow pre-calculate TPM PCR values. > > > ** avoid using grub2 (measures every config file line executed which > > > is next to impossible to pre-calculate). > > > * Switch cloud images to use unified kernels. > > > > > Phase 2/3 goals (longer-term stuff which is not realistic to complete for F38). > > > > > * Move away from using the kernel command line for configuration. > > > * Move away from storing secrets in the initrd. > > > * Handle dracut optional modules in a different way. > snip > > > I think UKIs are fundamentally flawed and are an idea that came out of > > a group that doesn't really interact with real users enough to > > understand how much of a problem they actually are. I realize that > > this Change is only about VMs, but since it explicitly talks about it > > being "phase 1", the implication is that future Changes are coming to > > switch fully over. Consequently, I'm going to provide much more > > holistic feedback instead of just nitpicking on this case. > The future "phase 2/3" goal are mentioned above, and don't > mention fully switching to UKIs. > I don't anticipate such a switch being realistic any time > in the forseeable future. There are too many unknowns, in > addition to some points you mentioned, to even consider > that right now. The in place upgrade story gogin from > locally generated initrd, with arbitrary user chosen > content to a UKI doesn't even bare thinking about. I > don't think that's even possible to achieve in a seemless > way given the infinite number of variations. IOW, I would > anticipate the current kernel+initrd scheme being around > indefinitely, in parallel with any UKI support. Forgive me for being pessimistic here, because Change proposals like this are not written in such a way. You also bundled in bootloader changes and PCR/TPM stuff too. All of which are irrelevant, not useful, and don't actually work for Linux users. > > In the Fedora case, things are simpler right up until we hit graphics > > drivers. This is also a problem for VMs too, because GPU passthrough > > is a common case for scientific and gaming workloads. As long as the > > NVIDIA driver remains dominant in Linux, UKIs cannot work because by > > design you cannot load anything that isn't part of the kernel image. > > For bare metal, we *need* these drivers in early boot, though. And > > that's another problem: no third-party early boot drivers. Even if you > > solve the signing issue, you need to introduce some kind of two-stage > > OS boot process so we can bring up the bare minimum to load a second > > image containing all the remaining drivers. And at that point, you've > > defeated the purpose of UKIs. I've heard from some people that system > > extensions (sysexts) would be a way to solve this, and maybe it is. > Yes, system extensions are one mechanism for making the initrd > content more flexible when using UKIs. There would be one base > layer definiing the 90% common case, and a number of add-ons > that can cope with niche use cases. This avoids the core UKI > having to be huge and ship with every possible feature present. > This is something that might be considered at a later phase, > but is not a priority. What's proposed in phase 1 is sufficient > to cope with the cloud VM common case. While device passthrough > may be common in some industries/domains usage, it is not the > common case for cloud computing in general. > > But again, we've eliminated the value of UKIs by doing so. > That is not correct. There are a number of benefits of UKIs. > The most critical is that the initrd content and cmdline is > covered by the SecureBoot signature. This remains true even > with system extensions, as such extensions would be signed > too. They do not neccessarily need to be signed by the OS > vendor, they could use a 3rd party SecureBoot signing key, > or the users' own key. That is TBD and not something we're > actively considering - its not even mentioned in phase 2/3 > ideas in the change proposal. Secure Boot keys are flawed. There are many documented problems with relying on Secure Boot keys in the real world. Redesign to not use them, please. > A further benefit of UKIs is supportability, since we know > exactly what content is in the initrd that user is booting. > With locally generated initrds there are an arbitrary > number of combinations and many ways for the initrd creation > process to go wrong, which are hard for Fedora maintainers > to understand and debug. > > Speaking more broadly, there are also problems that will be introduced > > as this trickles down from Fedora into prominent downstreams (assuming > > this is accepted). In the RHEL case, you've basically broken driver > > disks completely. In the UKI model, there's no way to incorporate > > early boot storage, network, and graphics drivers. This is > > *incredibly* common for RHEL administrators because there's a general > > acceptance of proprietary kernel modules from vendors these days. Even > > ignoring those, Red Hat's kernel feature support mindset is completely > > incompatible with UKIs, because RHEL does default-off rather than > > Fedora's default-on model for kernel features. We could debate until > > the cows come home on whether it's right or wrong, but their current > > mindset essentially means tons of common hardware becomes unsupported > > quite regularly. The ELRepo project is popular among RHEL folks > > because it restores those drivers and makes it possible to use RHEL on > > those machines through a combination of driver disks and kernel module > > packages. > Yes, this desire for UKIs in Fedora is matched by a desire to > ship the same UKIs in RHEL too. > No one is proposing to take away the existing ability to use > locally generated initrds, either in Fedora or RHEL. Everything > that is possible todo today will remain possible indefinitely. > UKIs are adding a new mechanism in parallel, in order to solve > a number of use cases that are not possible today, due to > unsigned content being part of the boot chain when SecureBoot > is active. > > The crux of the problem here is *signing*. All of this is tied up in > > Secure Boot and TPM, which is the wrong place to actually handle this. > > In other operating systems (notably Windows), Secure Boot certificates > > are not used for blocking or enabling kernel-level drivers. Instead, > > there's a kernel-level certificate store that is used to validate and > > enable drivers, allowing everything to be managed in a hardware > > platform agnostic way. I've also yet to hear of a decent reason for > > TPM measurements too. Block or filesystem verity provides similar > > guarantees to provide tamper resistance and are both much easier to > > debug than TPM interfaces. I am not convinced that you are providing > > security or reliability with this and the trade-offs are *terrible* > > for regular users. > The immediate need for UKIs is indeed related to SecureBoot and > TPMs. These are a core technology foundation of the confidential > virtual machine stack. On Azure today, if you request an Ubuntu > confidential VM, Azure will pre-encrypt the root filesystem and > seal the LUKS key against predicted TPM PCR values. It guarantees > that the root disk can only be decrypted by the specific VM > instance that is requested, when it is running in SecureBoot > mode with the expected measurments on AMD SEV-SNP confidential > hardware. The Ubuntu image in Azure already uses UKIs, and boots > them directly from shim, with no bootloader involved. The usage > of SecureBoot and TPMs is all transparent to the user, since all > the integration is handled by the OS vendor on their behalf. Well, how is that relevant to Fedora? We don't have Azure images, and Red Hat still blocks us from meaningfully existing in that ecosystem, which is why we don't have official WSL images or Azure images. I'll reiterate that we should not rely on SB signing for this. > > With my FESCo hat on, I'm uneasy about this change. With my "Fedora > > user and advocate" hat on, I think that the UAPI group has failed to > > provide something useful to the Linux world here and I would be > > extremely apprehensive about Fedora adopting any portion of this > > stuff. > As mentioned above, UKIs have provided a means to close the > SecureBoot hole with unsigned initrd content that has existed > in more or less every mainstream Linux distro. That is a > clearly useful outcome, regardless of whether Fedora is interested > in any other aspect of what that UAPI groups is proposing. > In proposing the UKI support for Fedora, we're not coming at this > as representatives of the UAPI group or its vision. We're trying > to solve the problem of having a fully verified secureboot chain > for VMs with no unsigned content, and to be able to use this to > support confidential VMs with disk encryption sealed to TPMs, as > required by Azure today, and likely KVM in future. Yeah, I seriously doubt this. Linux's model for supporting confidential computing is not user-friendly, so I expect low adoption and resistance once the flaws become apparent to would-be users.

On Tue, 2022-12-20 at 14:29 -0500, Neal Gompa wrote: > Yeah, I seriously doubt this. Linux's model for supporting > confidential computing is not user-friendly, so I expect low adoption > and resistance once the flaws become apparent to would-be users. Neal, you are being unnecessarily negative. And user-friendliness is directly related to the fact we do not have good support for it. This proposal would make SecureBoot fundamentally transparent, and if you don't see it and it works, I see no resistance happening. SecureBoot may not be to your liking but is what is installed on 99% of modern hardware sold, so it is a good idea to first show you can support it. Then if you have interested you can propose "something better".

If, as you fear, it won't work ... then it won't and we'll try something else. However, having some knowledge of the (security side of the) matter I do not see why it wouldn't work, once all the pieces fall in place.

I dread the many minutes wasted regenerating initrd when I have a pretty standard configuration that requires really no special drivers... the only issue probably being the use of LVM for the root filesystem, which I hope we'll have a way to deal with (but I can do without on the laptop).

On Tue, Dec 20, 2022, 4:27 PM Simo Sorce <simo(a)redhat.com&gt; wrote: > On Tue, 2022-12-20 at 14:29 -0500, Neal Gompa wrote: > > Yeah, I seriously doubt this. Linux's model for supporting > > confidential computing is not user-friendly, so I expect low adoption > > and resistance once the flaws become apparent to would-be users. > > > > Neal, you are being unnecessarily negative. And user-friendliness is > directly related to the fact we do not have good support for it. This > proposal would make SecureBoot fundamentally transparent, and if you > don't see it and it works, I see no resistance happening. > > SecureBoot may not be to your liking but is what is installed on 99% of > modern hardware sold, so it is a good idea to first show you can > support it. Then if you have interested you can propose "something > better". > We have supported Secure Boot for over a decade now. In that timeframe, literally nobody did anything to make all the workflows you talk about easier and friendlier.

In fact, everyone I talk to seems to think it's basically impossible because of how it works at the firmware level.

Finally, unless this proposal harms Fedora I do not see why oppose it. > If, as you fear, it won't work ... then it won't and we'll try > something else. However, having some knowledge of the (security side of > the) matter I do not see why it wouldn't work, once all the pieces fall > in place. > This adds significant complexity to the Fedora kernel package and it effectively increases what we need to test for virtualized Fedora Linux environments.

On Di, 20.12.22 17:11, Neal Gompa (ngompa13(a)gmail.com) wrote: > > SecureBoot may not be to your liking but is what is installed on 99% of > > modern hardware sold, so it is a good idea to first show you can > > support it. Then if you have interested you can propose "something > > better". > > We have supported Secure Boot for over a decade now. In that timeframe, > literally nobody did anything to make all the workflows you talk about > easier and friendlier. > > In fact, everyone I talk to seems to think it's basically impossible > because of how it works at the firmware level. > > It's telling that neither Windows nor macOS use Secure Boot like Linux > does. And they don't precisely for the reasons I outlined. Yes, Linux never solved the initrd hole so far, but that's not really the fault of SecureBoot, it's the fault of Linux if you so will. And this proposal is an attempt to finally do something about this, and get things in order to actually deliver what the other OSes all are delivering. I understand the big issue you have is that the certificate store for Linux (i.e. the mokutil db) is limited in size because EFI variable NVRAM is limited in size? If that's the big issue you are having then that's absolutely something the Linux community can fix, and can address. Specifically, shim could allow storing the cert store on disk, and authenticate it at boot via the TPM. Not trivial, but doable. And certainly not the firmware's fault... I mean, UEFI has its warts, but I don't see that it's UEFI's fault if the way Linux/shim/mokutil implement the cert db is done the way it is currently done.

> > Finally, unless this proposal harms Fedora I do not see why oppose it. > > If, as you fear, it won't work ... then it won't and we'll try > > something else. However, having some knowledge of the (security side of > > the) matter I do not see why it wouldn't work, once all the pieces fall > > in place. > > This adds significant complexity to the Fedora kernel package and it > effectively increases what we need to test for virtualized Fedora Linux > environments. Nah. UKIs + sysext are ultimately something that is simpler and much better to test than the current mess. Yeah, for a while we'll have to add complexity because to mechanisms will have to be supported, but eventually things are going to be simple and easier to test.

> I assert that the proposal has not yet met the bar to overcome those > issues. If the "those issues" is supposed to be that you hit the size of the mokutil cert store once, then I fail to see the relationship to UKI/sysext. After all, the fedora signing keys for sysexts would be built into the kernel and hence not be charged against NVRAM. And the fedora UKI is signed with the same key as our current kernels, which are also not charged against NVRAM but are built into fedora shim. And the shim signature key is the msft key. Yeah, if you want to build your own UKIs + sysext, then you have to use mokutil to enroll a cert, but it would be entirely sufficient to enroll one for that, and sign UKIS, kmods, sysext with them. (or, maybe you actually hit the NVRAM size limits because you enrolled hashes, not certs? if so, then maybe address that?)

On Thu, Dec 22, 2022 at 05:38:01AM -0500, Neal Gompa wrote: > On Wed, Dec 21, 2022 at 1:56 PM Lennart Poettering <mzerqung(a)0pointer.de&gt; wrote: > > > > On Di, 20.12.22 17:11, Neal Gompa (ngompa13(a)gmail.com) wrote: > > > > > > SecureBoot may not be to your liking but is what is installed on 99% of > > > > modern hardware sold, so it is a good idea to first show you can > > > > support it. Then if you have interested you can propose "something > > > > better". > > > > > > We have supported Secure Boot for over a decade now. In that timeframe, > > > literally nobody did anything to make all the workflows you talk about > > > easier and friendlier. > > > > > > In fact, everyone I talk to seems to think it's basically impossible > > > because of how it works at the firmware level. > > > > > > It's telling that neither Windows nor macOS use Secure Boot like Linux > > > does. And they don't precisely for the reasons I outlined. > > > > Yes, Linux never solved the initrd hole so far, but that's not really > > the fault of SecureBoot, it's the fault of Linux if you so > > will. And this proposal is an attempt to finally do something about > > this, and get things in order to actually deliver what the other OSes > > all are delivering. > > > > I understand the big issue you have is that the certificate store for > > Linux (i.e. the mokutil db) is limited in size because EFI variable > > NVRAM is limited in size? If that's the big issue you are having then > > that's absolutely something the Linux community can fix, and can > > address. Specifically, shim could allow storing the cert store on > > disk, and authenticate it at boot via the TPM. Not trivial, but > > doable. And certainly not the firmware's fault... > > > > I mean, UEFI has its warts, but I don't see that it's UEFI's fault if > > the way Linux/shim/mokutil implement the cert db is done the way it is > > currently done. > > > > Frankly, I'm aggravated by the increased reliance on UEFI features > without fixing Linux's problems with UEFI features. If we stopped > relying on UEFI for the cert store, a lot of my issues would go away, > because then we can design better workflows for managing certificates. > It makes automation possible, it makes management possible, and it > opens the doors to experiment with how to do layered images for boot > (e.g. UKIs + system extension images) without bricking people's > computers. So your objections are completely unrelated to the use of UKIs, and should not be a blocker for this feature proposal. You're just asking people to work on other UEFI related problems.

> > > I assert that the proposal has not yet met the bar to overcome those > > > issues. > > > > If the "those issues" is supposed to be that you hit the size of the > > mokutil cert store once, then I fail to see the relationship to > > UKI/sysext. After all, the fedora signing keys for sysexts would be > > built into the kernel and hence not be charged against NVRAM. And the > > fedora UKI is signed with the same key as our current kernels, which > > are also not charged against NVRAM but are built into fedora shim. And > > the shim signature key is the msft key. > > > > Yeah, if you want to build your own UKIs + sysext, then you have to > > use mokutil to enroll a cert, but it would be entirely sufficient to > > enroll one for that, and sign UKIS, kmods, sysext with them. > > > > (or, maybe you actually hit the NVRAM size limits because you enrolled > > hashes, not certs? if so, then maybe address that?) > > > > I do not want to add more things to Fedora that *will* cause people to > potentially brick their systems because they have to screw around with > UEFI to be able to extend what they can use to boot their systems. Bricking systems is not an issue for VMs, where this proposal is targetted. > Just because today it's only about VMs doesn't mean I can't figure out > you want to do more with it down the road. I want to see some > demonstration of someone actually caring about the user experience for > once with the boot stuff. If something is proposed for bare metal in the future, then raise the problems at that point. It is unreasonable to demand that we fix problems for a use case that is not in scope for what is being proposed. Anything related to bare metal was explicitly out of scope, precisely because it will massively increase the complexity of what needs to be addressed, making the task infeasible. We need an incremental path where we can tackle individual practical tasks rather than trying to solve everything in one go.

> If something is proposed for bare metal in the future, then raise > the problems at that point. It is unreasonable to demand that we > fix problems for a use case that is not in scope for what is being > proposed. Anything related to bare metal was explicitly out of > scope, precisely because it will massively increase the complexity > of what needs to be addressed, making the task infeasible. We need > an incremental path where we can tackle individual practical tasks > rather than trying to solve everything in one go. Yeah, and what happens when it gets punted again when that happens? I do not think it's unreasonable to bring these objections up front when this is clearly marked as a "phase 1" Change that implies UKIs will be used in more and more scenarios over time.

Hmm, the updated Change is mostly okay. I disagree that you have any real security benefits since all the Secure Boot stuff in Linux is still in a bad place.

I would like the Change document to be updated to include feedback about Secure Boot in there to further justify how restricted the scope will remain for Phase 1. Additionally, "discoverable partitions" fixes nothing for Fedora right now. There are two problems here: * We don't have a discoverable subvolume specification for Btrfs * Discoverable partition specification falls over dead with snapshots. Don't plan on using systemd-boot. I've said why before in other threads, so I'm not repeating it again. Drop locking out modified kernel command lines. That's pretty much a non-starter. If you want to pursue a Fedora Cloud image with UKIs, please bring it up with the Cloud SIG, keeping in mind the feedback I listed.

I have to think about what happens when the cat is out of the bag. What I want is not necessarily a solution to this now, but a commitment that someone will actively work on fixing these problems *before* proposing the next phase and have it ready *before* making any future proposals on UKIs. If you can't do that, I can't in good faith consider incrementally supporting UKIs, because there's effectively no plan to make them work as a future default way of shipping the Linux kernel.

> BTW, you keep talking of "these" problems, and are extremely vague > about those. I think I understood that you hit the NVRAM size limits > before, by enrolling private certs? Yes. Specifically for dealing with the NVIDIA driver, backports of Intel network card drivers, OpenZFS, ELRepo modules, etc. > What are those issues precisely? Did you file bugs? How many certs did > you try to enroll? Or did you try to enroll hashes? Were was this > dicussed? Anywhere between 1 to 3 UEFI certs, representing different vendors (machine-local, ELRepo, and OpenZFS).

> OK, so what's left is exactly one issue you had: you tried to enroll 3 > UEFI certs via mokutil and what exactly happened then? machine > bricked how precisely? The UEFI environment failed to import without reporting failure and the system failed to boot, showing garbage instead.

> link for a bug report? Sorry, I can't.

No one helped anyway, even back when I could provide more information. They're even less likely now that I can't provide that information.

> I mean, UEFI has its warts, but I don't see that it's UEFI's fault if > the way Linux/shim/mokutil implement the cert db is done the way it is > currently done.

Frankly, I'm aggravated by the increased reliance on UEFI features without fixing Linux's problems with UEFI features. If we stopped relying on UEFI for the cert store, a lot of my issues would go away, because then we can design better workflows for managing certificates.

It makes automation possible, it makes management possible, and it opens the doors to experiment with how to do layered images for boot (e.g. UKIs + system extension images) without bricking people's computers.

That also has the side effect of us having half a chance of being able to port this security capability to non-UEFI platforms where we use fake UEFI implementations to bootstrap our boot process, because the amount of coverage required for fake UEFI implementations is considerably lower now.

More generally, relying on UEFI-specific security features when most platforms are not being brought up with UEFI is foolish. ARM is almost entirely non-UEFI (except the tiny proportion of servers that almost no one has)

and RISC-V is not a UEFI platform either.

You *need* to think about these problems when designing this stuff. You can't take a myopic x86-only view to this. I have not heard of anything about UKI security for non-x86 because it seems to all be tied up in UEFI stuff.

> Nah. UKIs + sysext are ultimately something that is simpler and much > better to test than the current mess. Yeah, for a while we'll have to > add complexity because to mechanisms will have to be supported, but > eventually things are going to be simple and easier to test. Maybe. It's not super intuitive from where I'm standing, and I know how all this stuff works.

On Do, 22.12.22 05:38, Neal Gompa (ngompa13(a)gmail.com) wrote: > > I understand the big issue you have is that the certificate store for > > Linux (i.e. the mokutil db) is limited in size because EFI variable > > NVRAM is limited in size? If that's the big issue you are having then > > that's absolutely something the Linux community can fix, and can > > address. Specifically, shim could allow storing the cert store on > > disk, and authenticate it at boot via the TPM. Not trivial, but > > doable. And certainly not the firmware's fault... > > > > I mean, UEFI has its warts, but I don't see that it's UEFI's fault if > > the way Linux/shim/mokutil implement the cert db is done the way it is > > currently done. > > Frankly, I'm aggravated by the increased reliance on UEFI features > without fixing Linux's problems with UEFI features. If we stopped > relying on UEFI for the cert store, a lot of my issues would go away, > because then we can design better workflows for managing > certificates. Well, the thing is: a chain of trust is a *chain*, hence you must ultimately hook validation to what the firmware provides you with as root. And that ultimately is the SecureBoot db on commodity hardware. If I buy a boring laptop at a store it will come with a UEFI cert store, and nothing else. Linux cannot really ignore that. If it did, then you'd not have a trusted boot chain, hence the whole excercsie would be pointless.

> It makes automation possible, it makes management possible, and it > opens the doors to experiment with how to do layered images for boot > (e.g. UKIs + system extension images) without bricking people's > computers. As mentioned before: note that the Fedora signing keys are only built into shim and the kernel, not stored in NVRAM. But anyway, I think it would be great if shim could manage a cert store on disk, I already said that. But that's truly orthogonal to UKIs and sysext really. You keep trying to change topics away from UKI/sysext towards your general discontent with UEFI. > That also has the side effect of us having half a chance of being able > to port this security capability to non-UEFI platforms where we use > fake UEFI implementations to bootstrap our boot process, because the > amount of coverage required for fake UEFI implementations is > considerably lower now. > > More generally, relying on UEFI-specific security features when most > platforms are not being brought up with UEFI is foolish. ARM is almost > entirely non-UEFI (except the tiny proportion of servers that almost > no one has) and RISC-V is not a UEFI platform either. POWER uses > OpenFirmware instead of UEFI, and IBM Z does something else entirely > different. Well, "foolish", eyh? The thing is that chain of trust works quite differently on each such system (if it exists at all). UEFI is a standardizing and unifying force that simplifies things greatly, since while not universal it's still the most widely adopted mechanism (and one of the more advanced). Generally, I am very sure we should focus on making the more limited stuff work like the modern stuff, and not the other way round. For example, there has already been work on making UKIs boot on grub/MBR, as mentioned, which is exactly how I think it should be done: move the old/legacy/simple stuff work more like the new/modern/featureful/standardized stuff, rather than the other way round. > You *need* to think about these problems when designing this stuff. > You can't take a myopic x86-only view to this. I have not heard of > anything about UKI security for non-x86 because it seems to all be > tied up in UEFI stuff. I work for a company that is working on ARM UEFI systems booting UKIs in massive scale.

On Do, 22.12.22 10:43, Neal Gompa (ngompa13(a)gmail.com) wrote: > On Thu, Dec 22, 2022 at 10:39 AM Lennart Poettering > <mzerqung(a)0pointer.de&gt; wrote: > > > > On Do, 22.12.22 05:38, Neal Gompa (ngompa13(a)gmail.com) wrote: > > > > > > I understand the big issue you have is that the certificate store for > > > > Linux (i.e. the mokutil db) is limited in size because EFI variable > > > > NVRAM is limited in size? If that's the big issue you are having then > > > > that's absolutely something the Linux community can fix, and can > > > > address. Specifically, shim could allow storing the cert store on > > > > disk, and authenticate it at boot via the TPM. Not trivial, but > > > > doable. And certainly not the firmware's fault... > > > > > > > > I mean, UEFI has its warts, but I don't see that it's UEFI's fault if > > > > the way Linux/shim/mokutil implement the cert db is done the way it is > > > > currently done. > > > > > > Frankly, I'm aggravated by the increased reliance on UEFI features > > > without fixing Linux's problems with UEFI features. If we stopped > > > relying on UEFI for the cert store, a lot of my issues would go away, > > > because then we can design better workflows for managing > > > certificates. > > > > Well, the thing is: a chain of trust is a *chain*, hence you must > > ultimately hook validation to what the firmware provides you with as > > root. And that ultimately is the SecureBoot db on commodity hardware. > > > > If I buy a boring laptop at a store it will come with a UEFI cert > > store, and nothing else. Linux cannot really ignore that. If it did, > > then you'd not have a trusted boot chain, hence the whole excercsie > > would be pointless. > > > > Shim trusts MS and the main distro cert, grub is trusted from there, > then the OS trusts those and anything else the admin adds. That's how > It should work. Trust chains are sensible as long as they're > extensible. Hmm, that chain is partly backwards? it's the firmware that has to trust the msft cert which trusts shim, which trusts the distro cert, which trusts grub and the kernel. The thing that comes first at boot must trust the next, otherwise we'd have to boot into untrusted stuff first, which really misses the point? not grokking what you are trying tosay?

> On Thu, Dec 22, 2022 at 10:51 AM Lennart Poettering > <mzerqung(a)0pointer.de&gt; wrote: > > Basically, I'm saying that the model of trust is flawed because users > are unable to work with it. > > And besides, each level up is a smaller scope from the previous. A > cert trusted by shim can execute anything the firmware trusts, a cert > trusted by grub can only execute things it trusts, and finally a cert > trusted by the OS can only execute things in its context. Once we > reach the OS-level, we don't need pre-boot trust anymore. So enrolling > certificates to trust kernel modules/sysexts/etc. should not require > going down the trust levels. The OS should be able to establish its > own trust to those pieces or reject them independently. It should > certainly trust everything the lower levels trust, but there's no > reason to not allow the higher levels to establish their own scoped > trust. > > This is the flaw we have right now: we can't do that. Of course there's a reason to only allow a fully validated trust chain - not only that, but it's the very basic of the entire model, and without it the entire premise falls flat on its face. The way to enroll your own certs is via firmware-mediated mechanisms such as shim+mok, and via built-in trusted keyring. Adding arbitrary trust anchors at the OS level completely ignores the foundational principle of the whole thing.

On Thu, Dec 22, 2022 at 12:00 PM Luca Boccassi <bluca(a)debian.org&gt; wrote: > >> On Thu, Dec 22, 2022 at 10:51 AM Lennart Poettering >> <mzerqung(a)0pointer.de&gt; wrote: >> >> Basically, I'm saying that the model of trust is flawed because users >> are unable to work with it. >> >> And besides, each level up is a smaller scope from the previous. A >> cert trusted by shim can execute anything the firmware trusts, a cert >> trusted by grub can only execute things it trusts, and finally a cert >> trusted by the OS can only execute things in its context. Once we >> reach the OS-level, we don't need pre-boot trust anymore. So enrolling >> certificates to trust kernel modules/sysexts/etc. should not require >> going down the trust levels. The OS should be able to establish its >> own trust to those pieces or reject them independently. It should >> certainly trust everything the lower levels trust, but there's no >> reason to not allow the higher levels to establish their own scoped >> trust. >> >> This is the flaw we have right now: we can't do that. > > Of course there's a reason to only allow a fully validated trust chain - > not only that, but it's the very basic of the entire model, and without > it the entire premise falls flat on its face. The way to enroll your own > certs is via firmware-mediated mechanisms such as shim+mok, and via > built-in trusted keyring. Adding arbitrary trust anchors at the OS level > completely ignores the foundational principle of the whole thing. Your concept only works in *some* enterprise hardware where it's even possible to have full control without breaking something. Even in my server gear, I can't do that without breaking the network firmware.

If I can't safely distrust Microsoft reliably, then it's already broken.

Firmware trust has been broken since the very beginning, and it was broken by design in the PC world. Consumer PC equipment is even worse off because of how Microsoft's Windows requirements influence how UEFI implementations work.

On 12/22/22 12:00, Luca Boccassi wrote: As Neal mentioned earlier, these mechanisms are often broken. Not only does some firmware wind up bricking the machine when they are used, they also may not support removing the key used to sign Windows. If the attacker can boot Windows and measured boot is not in use, they have won.

Well, the thing is: a chain of trust is a*chain*, hence you must ultimately hook validation to what the firmware provides you with as root. And that ultimately is the SecureBoot db on commodity hardware.

SecureBoot may not be to your liking but is what is installed on 99% of modern hardware sold, so it is a good idea to first show you can support it. Then if you have interested you can propose "something better".

Secured-core PCs require Secure Boot to be enabled and configured to distrust the Microsoft 3rd Party UEFI CA signature, by default, to provide customers with the most secure configuration of their PCs possible.

To trust and boot operating systems, like Linux, and components signed by the UEFI signature, Secured-core PCs can be configured in the BIOS menu to add the signature in the UEFI database by following these steps

On Tue, Dec 20, 2022 at 2:02 PM Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: > > In the Fedora case, things are simpler right up until we hit graphics > > drivers. This is also a problem for VMs too, because GPU passthrough > > is a common case for scientific and gaming workloads. As long as the > > NVIDIA driver remains dominant in Linux, UKIs cannot work because by > > design you cannot load anything that isn't part of the kernel image. > > For bare metal, we *need* these drivers in early boot, though. And > > that's another problem: no third-party early boot drivers. Even if you > > solve the signing issue, you need to introduce some kind of two-stage > > OS boot process so we can bring up the bare minimum to load a second > > image containing all the remaining drivers. And at that point, you've > > defeated the purpose of UKIs. I've heard from some people that system > > extensions (sysexts) would be a way to solve this, and maybe it is. > > Yes, system extensions are one mechanism for making the initrd > content more flexible when using UKIs. There would be one base > layer definiing the 90% common case, and a number of add-ons > that can cope with niche use cases. This avoids the core UKI > having to be huge and ship with every possible feature present. > > This is something that might be considered at a later phase, > but is not a priority. What's proposed in phase 1 is sufficient > to cope with the cloud VM common case. While device passthrough > may be common in some industries/domains usage, it is not the > common case for cloud computing in general. > > > But again, we've eliminated the value of UKIs by doing so. > > That is not correct. There are a number of benefits of UKIs. > > The most critical is that the initrd content and cmdline is > covered by the SecureBoot signature. This remains true even > with system extensions, as such extensions would be signed > too. They do not neccessarily need to be signed by the OS > vendor, they could use a 3rd party SecureBoot signing key, > or the users' own key. That is TBD and not something we're > actively considering - its not even mentioned in phase 2/3 > ideas in the change proposal. > Secure Boot keys are flawed. There are many documented problems with relying on Secure Boot keys in the real world. Redesign to not use them, please.

> TPMs. These are a core technology foundation of the confidential > virtual machine stack. On Azure today, if you request an Ubuntu > confidential VM, Azure will pre-encrypt the root filesystem and > seal the LUKS key against predicted TPM PCR values. It guarantees > that the root disk can only be decrypted by the specific VM > instance that is requested, when it is running in SecureBoot > mode with the expected measurments on AMD SEV-SNP confidential > hardware. The Ubuntu image in Azure already uses UKIs, and boots > them directly from shim, with no bootloader involved. The usage > of SecureBoot and TPMs is all transparent to the user, since all > the integration is handled by the OS vendor on their behalf. > Well, how is that relevant to Fedora? We don't have Azure images, and Red Hat still blocks us from meaningfully existing in that ecosystem, which is why we don't have official WSL images or Azure images.

> > With my FESCo hat on, I'm uneasy about this change. With my "Fedora > > user and advocate" hat on, I think that the UAPI group has failed to > > provide something useful to the Linux world here and I would be > > extremely apprehensive about Fedora adopting any portion of this > > stuff. > > As mentioned above, UKIs have provided a means to close the > SecureBoot hole with unsigned initrd content that has existed > in more or less every mainstream Linux distro. That is a > clearly useful outcome, regardless of whether Fedora is interested > in any other aspect of what that UAPI groups is proposing. > > In proposing the UKI support for Fedora, we're not coming at this > as representatives of the UAPI group or its vision. We're trying > to solve the problem of having a fully verified secureboot chain > for VMs with no unsigned content, and to be able to use this to > support confidential VMs with disk encryption sealed to TPMs, as > required by Azure today, and likely KVM in future. Yeah, I seriously doubt this. Linux's model for supporting confidential computing is not user-friendly, so I expect low adoption and resistance once the flaws become apparent to would-be users.

Daniel P. Berrangé wrote: > That is not correct. There are a number of benefits of UKIs. > > The most critical is that the initrd content and cmdline is > covered by the SecureBoot signature. From an end user point of view, having more stuff covered by Restricted Boot is not a benefit.

As someone whose day job involves working with teams who develop both Windows and Linux drivers (and in the past, even macOS drivers!), I can categorically say that Windows driver engineering processes are way friendlier than Linux ones, precisely because Windows drivers are deliberately not exposed to Secure Boot *at all*. Running development versions of drivers just requires installing a development certificate into the NT kernel certificate store. The equivalent process for Linux is to load a custom secure boot certificate into firmware, which is fraught with peril and potentially not even possible.

I cannot tell you how many times I've bricked a system by attempting to load another cert only to find out there's not enough space and the firmware didn't handle that well.

The immediate need for UKIs is indeed related to SecureBoot and TPMs. These are a core technology foundation of the confidential virtual machine stack. On Azure today, if you request an Ubuntu confidential VM, Azure will pre-encrypt the root filesystem and

seal the LUKS key against predicted TPM PCR values. It guarantees that the root disk can only be decrypted by the specific VM instance that is requested, when it is running in SecureBoot mode with the expected measurments on AMD SEV-SNP confidential hardware.

I think UKIs are fundamentally flawed and are an idea that came out of a group that doesn't really interact with real users enough to understand how much of a problem they actually are. I realize that this Change is only about VMs, but since it explicitly talks about it being "phase 1", the implication is that future Changes are coming to switch fully over. Consequently, I'm going to provide much more holistic feedback instead of just nitpicking on this case.

In the Fedora case, things are simpler right up until we hit graphics drivers. This is also a problem for VMs too, because GPU passthrough is a common case for scientific and gaming workloads. As long as the NVIDIA driver remains dominant in Linux, UKIs cannot work because by design you cannot load anything that isn't part of the kernel image. For bare metal, we *need* these drivers in early boot, though.

And that's another problem: no third-party early boot drivers. Even if you solve the signing issue, you need to introduce some kind of two-stage OS boot process so we can bring up the bare minimum to load a second image containing all the remaining drivers. And at that point, you've defeated the purpose of UKIs. I've heard from some people that system extensions (sysexts) would be a way to solve this, and maybe it is.

But again, we've eliminated the value of UKIs by doing so.

Speaking more broadly, there are also problems that will be introduced as this trickles down from Fedora into prominent downstreams (assuming this is accepted). In the RHEL case, you've basically broken driver disks completely.

The crux of the problem here is *signing*. All of this is tied up in Secure Boot and TPM, which is the wrong place to actually handle this.

I think UKIs are fundamentally flawed and are an idea that came out of a group that doesn't really interact with real users enough to understand how much of a problem they actually are.

In the Fedora case, things are simpler right up until we hit graphics drivers. This is also a problem for VMs too, because GPU passthrough is a common case for scientific and gaming workloads. As long as the NVIDIA driver remains dominant in Linux, UKIs cannot work because by design you cannot load anything that isn't part of the kernel image.

For bare metal, we *need* these drivers in early boot, though. And that's another problem: no third-party early boot drivers. Even if you solve the signing issue, you need to introduce some kind of two-stage OS boot process so we can bring up the bare minimum to load a second image containing all the remaining drivers.

And at that point, you've defeated the purpose of UKIs. I've heard from some people that system extensions (sysexts) would be a way to solve this, and maybe it is. But again, we've eliminated the value of UKIs by doing so.

Speaking more broadly, there are also problems that will be introduced as this trickles down from Fedora into prominent downstreams (assuming this is accepted). In the RHEL case, you've basically broken driver disks completely. In the UKI model, there's no way to incorporate early boot storage, network, and graphics drivers.

The crux of the problem here is *signing*. All of this is tied up in Secure Boot and TPM, which is the wrong place to actually handle this.

In other operating systems (notably Windows), Secure Boot certificates are not used for blocking or enabling kernel-level drivers. Instead, there's a kernel-level certificate store that is used to validate and enable drivers, allowing everything to be managed in a hardware platform agnostic way.

I've also yet to hear of a decent reason for TPM measurements too. Block or filesystem verity provides similar guarantees to provide tamper resistance and are both much easier to debug than TPM interfaces.

With my FESCo hat on, I'm uneasy about this change. With my "Fedora user and advocate" hat on, I think that the UAPI group has failed to provide something useful to the Linux world here and I would be extremely apprehensive about Fedora adopting any portion of this stuff.

So I think the first big barrier to entry is answering the questions: * Enhance parted/libparted to support arbitrary GUIDs and enhance blivet to understand the full listing of GUIDs? Or * Enhance parted/libparted to support full listing of GUIDs? Or * switch anaconda/blivet to using fdisk/libfdisk? It already supports pretty much all GPT partition type GUIDs and receives regular updates with additions; I'm not sure if it supports arbitrary GUIDs, the CLI tool seems not to support it but maybe fdisk does.

On Tue, Dec 20, 2022, at 10:22 AM, Ben Cotton wrote: > == Detailed Description == > The goal is to move away from initrd images being generated on the > installed machine. They are generated while building the kernel > package instead, then shipped as part of a unified kernel image. > > A unified kernel image is an all-in-one efi binary containing kernel, > initrd, cmdline and signature. The secure boot signature covers > everything, specifically the initrd is included which is not the case > when the initrd gets loaded as separate file from /boot. > > Main motivation for this move is to make the distro more robust and more secure. > > Switching the whole distro over to unified kernels quickly is not > realistic though. Too many features are depending on the current > workflow with a host-specific initrd (and host-specific kernel command > line), which is fundamentally incompatible with unified kernels where > everybody will have the same initrd and command line. Thats why there > is 'Phase 1' in title, so we can have more Phases in future releases > 😃 > > A host-specific initrd / command line is needed today for: > > * features needing optional dracut modules (initrd rebuild needed to > enable them). > * configuration / secrets baked into the initrd (booting from iscsi > for example). > * configuration being specified on the kernel command line. > ** root filesystem being the most important one. > [https://systemd.io/DISCOVERABLE_PARTITIONS/ Discoverable partitions] > allow to remove this. Discoverable partitions is the first barrier in the proposal. I agree with everything up to this point. I like discoverable partitions specification, the gotcha is there is the significant amount of inertia still against trusting GPT partition type GUIDs. They tend to be entirely ignored in Linux. Yes systemd honors them, but the installer is pretty weak in its understanding of them, and by extention parted/libparted lacks support for (a) the entire discoverable partitions spec's listing of type GUIDs (b) arbitrary GUIDs. So I think the first big barrier to entry is answering the questions: * Enhance parted/libparted to support arbitrary GUIDs and enhance blivet to understand the full listing of GUIDs? Or

> Phase 1 goals (high priority): > > * Ship a unified kernel image as (optional) kernel sub-rpm. Users can > opt-in to use that kernel by installing the sub-rpm. Initial focus is > on booting virtual machines where we have a relatively small and well > defined set of drivers / features needed. Supporting modern physical > machines with standard setup (i.e. boot from local sata/nvme storage) > too should be easy. I like the focus on VM's so long as it drives us forward incrementally in a way we can then converge baremetal back toward rather than fragmenting. I'm skeptical this is going to be easy to do on baremetal... more in a bit.

> * Add bootloader support for unified kernel images. Add > [https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... > unified kernel bls support] to grub2, or support using systemd-boot, > or both. Great. Just be aware the bootloader team is somewhere between disinterested in Boot Loader Specification, and hostile to it. They support the BLS snippet file format. Beyond that, there is defiance of the specification as an actual bonefide spec that Fedora does or even should support. And because of that you can expect breakage. For example: https://bugzilla.redhat.com/show_bug.cgi?id=2120845 For that matter, grubby likewise steps on *all* BLS snippets found in /boot/loader/entries when using the --update=ALL flag, not just the BLS snippets

> * Add proper systemd-boot support to installers. Great. The gotcha though is this in effect requires a change in the file system currently mounted at /boot, which is ext4. And ext4 isn't supported by sd-boot or UEFI firmware. So if you're going to support sd-boot, the installer needs to be aware that either the ESP is big enough to be used as /boot, or if it's not big enough then it will be mounted on /efi *and* a new partition XBOOTLDR formatted as FAT will be used as /boot.

> * Better secure boot support (specifically the initrd is covered by > the signature). We need to solve the glaring hole that is the initrd. There's no question about it. I can't really assess if this feature is the best way to do that. Or if it would be adequate for dracut to self-sign every locally generated initrd with a unique key pair and throw away the private key after each initrd is generated.

Or if we could do enough strict standardization in the boot chain with a possibly larger kernel to avoid needing an initrd, i.e. get to sysroot mount faster thereby obviating the need for a large initrd.

On Tue, Dec 20, 2022 at 01:56:57PM -0500, Chris Murphy wrote: > Or if we could do enough strict standardization in > the boot chain with a possibly larger kernel to avoid > needing an initrd, i.e. get to sysroot mount faster > thereby obviating the need for a large initrd. Completely eliminating the need for an initrd is an interesting option. I'm not sure that would be a thing that can be delivered in a practical timeframe though, given its potential impact on the distro as a whole. UKIs have the benefit that they have near zero impact on anything that's done today. They're just enabling new use cases that aren't possible today. The main burden of course is the need to support them as a concept in parallel with existing local initrds. I think that burden is quite modest though, and offset by the use cases they unlock.

Once upon a time, Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; said: > Without an initrd we immediately have the following limitations: > - all kernel modules needed to mount root must be compiled in > - all that code is always loaded and remains in unswappable memory > - root= syntax is limited to what the kernel understands, i.e. > no root=UUID=… o root=/dev/disk/by-path/… or other udev links, > no encryption or dm-verity. > - no bluetooth keyboards or other fancy peripherals > - recovery is pretty hard Also, the security lock-down for the kernel command line means: - no network root filesystem - no boot-time-only kernel/module configuration The idea of switching from grub2 to sd-boot would also drop network boot and BIOS support. Supporting boot loaders seems to be a bit of a issue sometimes, so trying to support multiple boot loaders seems like a bad idea to me.

Once upon a time, Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; said: > Without an initrd we immediately have the following limitations: > - all kernel modules needed to mount root must be compiled in > - all that code is always loaded and remains in unswappable memory > - root= syntax is limited to what the kernel understands, i.e. > no root=UUID=… o root=/dev/disk/by-path/… or other udev links, > no encryption or dm-verity. > - no bluetooth keyboards or other fancy peripherals > - recovery is pretty hard Also, the security lock-down for the kernel command line means: - no network root filesystem - no boot-time-only kernel/module configuration The idea of switching from grub2 to sd-boot would also drop network boot and BIOS support. Supporting boot loaders seems to be a bit of a issue sometimes, so trying to support multiple boot loaders seems like a bad idea to me.

Once upon a time, Zbigniew Jędrzejewski-Szmek <zbyszek(a)in.waw.pl&gt; said: > Without an initrd we immediately have the following limitations: > - all kernel modules needed to mount root must be compiled in > - all that code is always loaded and remains in unswappable memory > - root= syntax is limited to what the kernel understands, i.e. > no root=UUID=… o root=/dev/disk/by-path/… or other udev links, > no encryption or dm-verity. > - no bluetooth keyboards or other fancy peripherals > - recovery is pretty hard Also, the security lock-down for the kernel command line means: - no network root filesystem - no boot-time-only kernel/module configuration The idea of switching from grub2 to sd-boot would also drop network boot and BIOS support. Supporting boot loaders seems to be a bit of a issue sometimes, so trying to support multiple boot loaders seems like a bad idea to me.

For the general case we need some other option. Could be just stick to grub2 for those cases (we'll continue to need grub2 anyway for bios boot and ppc64le). Or drop an ext4 driver to /boot/efi/EFI/systemd/drivers, for example this one: https://github.com/tianocore/edk2-platforms/tree/master/Features/Ext4Pkg

> At least for the systemd stuff, we carefully made sure that our access > patterns to the ESP both from sd-boot/sd-stub and from userspace are > by default as minimal and robust as we can make them, to minimize > chance of corruption, given that vfat is not particularly good with > that. (i.e. we sync a lot, and the whole ESP mount is by default an > autofs instance with an extremely short idle timeout so that it > basically remains unmounted — and thus — clean during almost all > times). > > Anyway, if you want to know more about choice of the fs for /boot/, > see my ideas here: > > https://0pointer.net/blog/linux-boot-partitions.html > > Lennart Does vfat support atomic rename? Is it possible to atomically upgrade a bootloader/UKI/etc?

Great. The gotcha though is this in effect requires a change in the file system currently mounted at /boot, which is ext4. And ext4 isn't supported by sd-boot or UEFI firmware. So if you're going to support sd-boot, the installer needs to be aware that either the ESP is big enough to be used as /boot, or if it's not big enough then it will be mounted on /efi*and* a new partition XBOOTLDR formatted as FAT will be used as /boot.

We should not endeavor to create more problems by putting more stuff in the ESP.

No matter what boot manager we use, we should not be required to give that up. We already have efifs[1] packaged in Fedora, let's use that.

On 20/12/2022 19:56, Chris Murphy wrote: > Great. The gotcha though is this in effect requires a change in the file system currently mounted at /boot, which is ext4. And ext4 isn't supported by sd-boot or UEFI firmware. So if you're going to support sd-boot, the installer needs to be aware that either the ESP is big enough to be used as /boot, or if it's not big enough then it will be mounted on /efi*and* a new partition XBOOTLDR formatted as FAT will be used as /boot. Nobody should use FAT for /boot. efifs[1] should be used instead.

systemd-boot can load these drivers from ESP out of the box[2].

On 21/12/2022 12:38, Daniel P. Berrangé wrote: > Why shouldn't FAT be used for /boot. In an EFI world, /boot > is used for the same functional pupose as the ESP, which is > already going to use FAT. Doesn't support links, lournaling and ACLs.

Everyone can do whatever they want with the files,

> And journaling actually is more a problem than a solution due to > firmware (or grub) filesystem drivers often not having full support for > the journal. Luckily this is rarely a problem in practice because /boot > is rarely written to. We could just make those read-only from the bootloader side then. I have /boot on btrfs, which grub/efifs doesn't support writing to at all anyway. Write grubenv settings into the BIOS boot partition or ESP rather than /boot.

> sd-boot implements boot counting by stashing the counter inside the > UKI (or bootspec type #1 conf file) file name, so that the counter is > impossible to ever get lost, pile up or so. Because the ESP is intended to be shared, and these days /boot is not. Unshared boot content should not be in a shared space.

We can only really have one boot manager, especially with how broken multiple ESPs on a system are.

> And journaling actually is more a problem than a solution due to > firmware (or grub) filesystem drivers often not having full support for > the journal. Luckily this is rarely a problem in practice because /boot > is rarely written to. The journal is very useful when writing kernels there.

On 21/12/2022 12:38, Daniel P. Berrangé wrote: > Why shouldn't FAT be used for /boot. In an EFI world, /boot > is used for the same functional pupose as the ESP, which is > already going to use FAT. Doesn't support links, lournaling and ACLs.

Everyone can do whatever they want with the files, and a trivial power outage can easily wipe out all of its contents.

> > > Why shouldn't FAT be used for /boot. In an EFI world, /boot > > > is used for the same functional pupose as the ESP, which is > > > already going to use FAT. > > > > Doesn't support links, lournaling and ACLs. > > What you want in a boot loader: native read access, write access. Actually no, I don't want the boot loader / boot manager writing anything.

> And similar for server/embedded stuff. If fedora wants to be deployed > in such worlds, it's kinda nice if we can automatically recover from > hosed updates. None of those things require us to write data to /boot. Even in your model, if you *must* write to a filesystem, the counters can live on the ESP even if all the system-installed content exists in /boot. I'm sure you could envision a simple file in the ESP for that. None of that is permanent configuration, just transient stuff.

This is a rare but real problem.

On 22/12/2022 21:29, Chris Murphy wrote: > This is a rare but real problem. I don't think so. Power outage is a very common problem in some countries. I still remember how unreliable FAT32 was in the Windows 9x era. You needed to run a scandisk check after every power failure or pressing the reset button. And sometimes your documents or other files disappeared. I really don't want a repeat of this.

On 20/12/2022 19:56, Chris Murphy wrote: > Great. The gotcha though is this in effect requires a change in the file system currently mounted at /boot, which is ext4. And ext4 isn't supported by sd-boot or UEFI firmware. So if you're going to support sd-boot, the installer needs to be aware that either the ESP is big enough to be used as /boot, or if it's not big enough then it will be mounted on /efi*and* a new partition XBOOTLDR formatted as FAT will be used as /boot. Nobody should use FAT for /boot. efifs[1] should be used instead. systemd-boot can load these drivers from ESP out of the box[2].

On 22/12/2022 21:18, Chris Murphy wrote:

> XBOOTLDR in practice needs to be FAT. I don't like it. But I like > it better than choosing batshit as the alternative, and having a > bunch of signed efifs drivers on the ESP per distro sounds like > batshit to me. And not in the good way. I don't think so. XBOOTLDR on FAT32 should be rejected as a defective by design due to a FAT32 unreliability.

I doubt that Fedora's shim+grub2 can boot Ubuntu kernels in Secure Boot mode and vice versa.

> * Better secure boot support (specifically the initrd is covered by > the signature). We need to solve the glaring hole that is the initrd. There's no question about it. I can't really assess if this feature is the best way to do that. Or if it would be adequate for dracut to self-sign every locally generated initrd with a unique key pair and throw away the private key after each initrd is generated. Or if we could do enough strict standardization in the boot chain with a possibly larger kernel to avoid needing an initrd, i.e. get to sysroot mount faster thereby obviating the need for a large initrd.

I note that taking away the kernel command line is indeed a clearly stated goal, which will limit Fedora to simple, appliance-like uses.

On Tue, 2022-12-20 at 20:42 +0100, Björn Persson wrote: > I note that taking away the kernel command line is indeed a clearly > stated goal, which will limit Fedora to simple, appliance-like uses. And if you chose your HW carefully you may even be able to register your own public keys, generate and sign your own built UKIs and re- enable SecureBoot after that... your choice!

Gerd Hoffmann wrote: > On Tue, Dec 20, 2022 at 04:31:20PM -0500, Simo Sorce wrote: > > And if you chose your HW carefully you may even be able to register > > your own public keys, generate and sign your own built UKIs and re- > > enable SecureBoot after that... your choice! > > And when your hardware doesn't allow that you can still add your own > keys with mokutil so shim.efi will accept your self-signed UKIs. I'll see when I can take the time for a research project to figure out how customized UKIs can be produced, and develop a tool to do that. Probably never, because I have way too much to do already. Apparently there is no such tool and no plan to provide one, because surely that would have been mentioned under "User Experience".

On Wed, Dec 21, 2022 at 06:56:05PM +0100, Björn Persson wrote: > Gerd Hoffmann wrote: > > On Tue, Dec 20, 2022 at 04:31:20PM -0500, Simo Sorce wrote: > > > And if you chose your HW carefully you may even be able to register > > > your own public keys, generate and sign your own built UKIs and re- > > > enable SecureBoot after that... your choice! > > > > And when your hardware doesn't allow that you can still add your own > > keys with mokutil so shim.efi will accept your self-signed UKIs. > > I'll see when I can take the time for a research project to figure out > how customized UKIs can be produced, and develop a tool to do that. > Probably never, because I have way too much to do already. > > Apparently there is no such tool and no plan to provide one, because > surely that would have been mentioned under "User Experience". The tools are already there. Essentially, any tool used in koji by the official builds is also available to you on your machine. There are at three ways that are used: 'dracut --uefi', systemd's ukify, and a manual objcopy invocation. The first two are wrappers around objcopy. I'm biased because I wrote 'ukify', but I think that's the way to go. What dracut does is somewhat primitive and doesn't get the offsets right. Obviously it could be improved, but putting the code to generate UKIs inside of an initrd generator is a historical accident, and bash is not the nicest language to do offset calculations. Thus I hope we can standarize on ukify instead.

In particular, if some functionality is missing from ukify, feel free to submit a PR or an issue. It's in Python, so fairly nice to modify. So far it's been written to take a kernel and an initrd and the stub, and produce an efi binary.

On Do, 22.12.22 14:49, Daniel P. Berrangé (berrange(a)redhat.com) wrote: > When you say it dooesn't get the offsets right, can you elaborate ? dracut uses fixed offsets for the sections to be placed in memory in. The values are simply hardcoded, literally specified address offsets, that worked for the original authors. This typically works – as long as your sections are not much larger than they were for the people wo came up with these offsets initially. But as it turns out this doesn't work for some cases. In such cases the sections will be loaded into memory overlapped and bad things happen. ukify hence calculates the offsets manually (by adding up the section sizes so that this cannot happen.

> There are at three ways that are used: 'dracut --uefi', systemd's ukify, and a > manual objcopy invocation. The first two are wrappers around objcopy. I'm biased > because I wrote 'ukify', but I think that's the way to go. What dracut does is > somewhat primitive and doesn't get the offsets right. Obviously it could be > improved, but putting the code to generate UKIs inside of an initrd generator is > a historical accident, and bash is not the nicest language to do offset > calculations. Thus I hope we can standarize on ukify instead. When you say it dooesn't get the offsets right, can you elaborate ? We've been using dracut --uefi to build the UKIs in koji and they appear to work as expected. Are the offsets only incorrect in certain circumstances.

On Tue, Dec 20, 2022 at 08:42:14PM +0100, Björn Persson wrote: > > Switching the whole distro over to unified kernels quickly is not > > realistic though. Too many features are depending on the current > > workflow with a host-specific initrd (and host-specific kernel command > > line), which is fundamentally incompatible with unified kernels where > > everybody will have the same initrd and command line. Thats why there > > is 'Phase 1' in title, so we can have more Phases in future releases > > 😃 > > Whew! So usable kernels won't go away in F38. I only have to worry > about being forced to build my own kernels in some unspecified future > phase. Doom is still coming but no one knows when. That's *such* a > relief. Note the proposal talks about adding support for ukis, not about removing support for current separate kernel+initrd setup.

The root filesystem is also relevant for troubleshooting, when I take a storage device out of a broken computer and connect it to another computer to inspect it. Suddenly there are two "discoverable" root partitions, and the kernel parameter is necessary to specify which one is the root filesystem, as stated under "Doesn’t this break multi-boot scenarios?": https://uapi-group.org/specifications/specs/discoverable_partitions_speci...

How do you plan to handle system recovery?  For VMs this is much less of a concern, but on bare metal there needs to be a way for a local, authenticated administrator to obtain a root shell on the system console even if the root filesystem cannot be mounted. This has saved my system more than once. Also, how will Xen be supported in this model?  Will the hypervisor be part of an alternate UKI?  CCing Marek Marczykowski-Gorécki of Qubes OS.

On 12/20/22 10:22, Ben Cotton wrote: > https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1 > > This document represents a proposed Change. As part of the Changes > process, proposals are publicly announced in order to receive > community feedback. This proposal will only be implemented if approved > by the Fedora Engineering Steering Committee. > > > == Summary == > Add support for unified kernels images to Fedora. > > == Owner == > * Name: [[User:kraxel| Gerd Hoffmann]] > * Email: kraxel(a)redhat.com > > > == Detailed Description == > The goal is to move away from initrd images being generated on the > installed machine. They are generated while building the kernel > package instead, then shipped as part of a unified kernel image. > > A unified kernel image is an all-in-one efi binary containing kernel, > initrd, cmdline and signature. The secure boot signature covers > everything, specifically the initrd is included which is not the case > when the initrd gets loaded as separate file from /boot. > > Main motivation for this move is to make the distro more robust and more secure. > > Switching the whole distro over to unified kernels quickly is not > realistic though. Too many features are depending on the current > workflow with a host-specific initrd (and host-specific kernel command > line), which is fundamentally incompatible with unified kernels where > everybody will have the same initrd and command line. Thats why there > is 'Phase 1' in title, so we can have more Phases in future releases > 😃 > > A host-specific initrd / command line is needed today for: > > * features needing optional dracut modules (initrd rebuild needed to > enable them). > * configuration / secrets baked into the initrd (booting from iscsi > for example). > * configuration being specified on the kernel command line. > ** root filesystem being the most important one. > [https://systemd.io/DISCOVERABLE_PARTITIONS/ Discoverable partitions] > allow to remove this. > > Phase 1 goals (high priority): > > * Ship a unified kernel image as (optional) kernel sub-rpm. Users can > opt-in to use that kernel by installing the sub-rpm. Initial focus is > on booting virtual machines where we have a relatively small and well > defined set of drivers / features needed. Supporting modern physical > machines with standard setup (i.e. boot from local sata/nvme storage) > too should be easy. > * Update kernel install scripts so unified kernels are installed and > updated properly. > * Add bootloader support for unified kernel images. Add > [https://systemd.io/BOOT_LOADER_SPECIFICATION/#type-2-efi-unified-kernel-i... > unified kernel bls support] to grub2, or support using systemd-boot, > or both. > > Phase 1 goals (lower priority, might move to Phase 2): > > * Add proper discoverable partitions support to installers (anaconda, > image builder, ...). > ** Temporary workaround possible: set types using sfdisk in %post script. > ** When using btrfs: configure 'root' subvolume as default volume. > * Add proper systemd-boot support to installers. > ** Temporary workaround possible: run 'bootctl install' in %post script. > * Better measurement and remote attestation support. > ** store kernel + initrd hashes somewhere (kernel-hashes.rpm ?) to > allow pre-calculate TPM PCR values. > ** avoid using grub2 (measures every config file line executed which > is next to impossible to pre-calculate). > * Switch cloud images to use unified kernels. How do you plan to handle system recovery? For VMs this is much less of a concern, but on bare metal there needs to be a way for a local, authenticated administrator to obtain a root shell on the system console even if the root filesystem cannot be mounted. This has saved my system more than once.

Also, how will Xen be supported in this model? Will the hypervisor be part of an alternate UKI? CCing Marek Marczykowski-Gorécki of Qubes OS.

But why start doing UKI without first fixing the need of host specific initrd and commandline.

I am sure even non-UEFI users will be better of of not having a host specific initrd. We should first start working on shipping initrd on dedora as an rpm with atleast one use which can be extended by sysext or someother mechanism without the need of UKI first.

Once That is possible that UKI can be easily be intgrated and tested. We will be also provide a subset of benefits to the non-UEFI users(for example on other arches).

On Wed, Dec 21, 2022 at 11:56:32AM -0600, Dennis Gilmore via devel wrote: > In my case, I have Network Manager config files included in my initrd > and bootargs to bring up the network so that I get automatic disk > decryption while on my home network, and prompted for a password when > I am not at home. I think this a reasonable enough use case it should > be considered in the long term plan. There was an effort many years > ago that built the initramfs with the kernel, it was abandoned due to > not being able to guarantee sources for the binaries in the initramfs, If a UKI is built in koji, the initrd it embeds must also be built in koji. And when the initrd is built in koji, it is just taking some binaries from rpms and repacking them. We ensure that we have an srpm for any official srpm. Thus, going back from the UKI, you look up the initrd, and the logs for the initrd build, and get a list of rpms, and then look the appropriate srpms from that, and from the srpms you get the sources. There's a few more steps, but the availability of sources is guaranteed using the mechanism existing for normal rpms.

> trying to dig up the details I am having trouble finding it, but legal > blocked it there is a reference to it in an old FESCo meeting > https://lists.fedoraproject.org/pipermail/devel/2013-February/178220.html. > Additionally, we should also consider > https://fedoraproject.org/wiki/Features/DracutHostOnly and the size > implications and why we moved to have kernel-core, kernel-modules, and > kernel-modules-extra for cloud and different use cases. Yes. That's why this proposal explicitly targets a narrow use case which doesn't need many drivers and will support many different machines with the same (relatively small) initrd.

On Thu, Dec 22, 2022 at 12:42:38PM -0600, Dennis Gilmore wrote: Different architectures have different boot loaders. In particular, s390x and ppc64el are very different. The proposal is to add support for UKIs in grub2, so that we will cover UEFI and non-UEFI machines that use grub2. For other architectures, we can in principle do the same thing… After all, the UKI is just a binary with a few sections appended. But it seems to early to think such details far ahead. As extensively discussed, the support for separate initrds is not going anyway and the proposal only targets a small subset of the amd64 space.

In my case, I have Network Manager config files included in my initrd and bootargs to bring up the network so that I get automatic disk decryption while on my home network, and prompted for a password when I am not at home. I think this a reasonable enough use case it should be considered in the long term plan. There was an effort many years ago that built the initramfs with the kernel, it was abandoned due to not being able to guarantee sources for the binaries in the initramfs, trying to dig up the details I am having trouble finding it, but legal blocked it there is a reference to it in an old FESCo meeting https://lists.fedoraproject.org/pipermail/devel/2013-February/178220.html.

Additionally, we should also consider https://fedoraproject.org/wiki/Features/DracutHostOnly and the size implications and why we moved to have kernel-core, kernel-modules, and kernel-modules-extra for cloud and different use cases.

On Thu, Dec 22, 2022 at 6:40 AM Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: > > On Wed, Dec 21, 2022 at 11:56:32AM -0600, Dennis Gilmore via devel wrote: > > In my case, I have Network Manager config files included in my initrd > > and bootargs to bring up the network so that I get automatic disk > > decryption while on my home network, and prompted for a password when > > I am not at home. I think this a reasonable enough use case it should > > be considered in the long term plan. There was an effort many years > > ago that built the initramfs with the kernel, it was abandoned due to > > not being able to guarantee sources for the binaries in the initramfs, > > trying to dig up the details I am having trouble finding it, but legal > > blocked it there is a reference to it in an old FESCo meeting > > https://lists.fedoraproject.org/pipermail/devel/2013-February/178220.html. > > I can't see any legal problem with source provision for the > binaries inside the initramfs. We're building the initrds and > UKIs inside koji, so we have a clear record of exactly what > binary RPMs went into the package, and thus have knowledge > of what sources are involved. This is the same situation we > already have in Fedora with libguestfs, where we're building > a disk image inside Koji bundling various binaries. Or for > that matter, not really different from building cloud disk > images, or any other deliverable that bundles together some > binaries from other RPMs and spits out some kind of image > or archive. > > > Additionally, we should also consider > > https://fedoraproject.org/wiki/Features/DracutHostOnly and the size > > implications and why we moved to have kernel-core, kernel-modules, and > > kernel-modules-extra for cloud and different use cases. > > The UKI size for a VM should not be appreciably different from the > combination of the vmluinuz + locally generated initrd. The UKI > will contain a few more modules, as its initrd is built to cope > with Xen, VMware, HyperV + KVM[1], but this only adds a small amount > over a truly minimal initrd targetting 1 hypervisor. So I don't > expect the size of the UKI will be a problem. > You need to add VirtualBox too. That's an incredibly common platform for Fedora to run as a guest.