[gentoo-dev] Testing request: sys-kernel/gentoo-kernel-bin[generic-uki]

    From Andrew Ammerlaan@21:1/5 to All on Tue Jan 2 12:50:01 2024
    Dear all,

    First of all happy new year!

    Those of you that have already synced the tree this year might have
    already noticed that gentoo-kernel(-bin) has gained two new USE flags
    yesterday. The first (USE=modules-compress) I think is pretty
    self-explanatory: it installs all modules xz-compressed.

    The second new USE flag is USE=generic-uki; this will install the kernel
    along with a prebuilt, experimental(!), generic initramfs and unified
    kernel image. Let me explain first why this is something you might want
    to use.

    A Unified Kernel Image[1] combines the initramfs, cmdline, kernel and
    some other things into a single EFI executable. This is great because it
    allows the whole thing to be signed, and verified when booting with
    Secure Boot[2] enabled, whereas in the usual plain kernel image +
    initramfs configuration only the former is verified, leaving the
    possibility of injecting something malicious into the initramfs.

    We have supported generating your own Unified Kernel Images for some
    time now. However, since building the UKI must always happen after
    building the initramfs, which happens locally in postinst, this has so
    far always relied on users generating and protecting their own
    UKI-signing key. This is where USE=generic-uki comes in: it allows users
    to take full advantage of the extra verification UKIs offer, without the
    hassle of managing and protecting a custom signing key.

    Though I know this works in my setups, there are still some open
    questions and more testing in different setups is needed to determine
    how generic our generic image actually is. We include many things in
    this generic initramfs, but it is not feasible for me to test all of the
    possible booting scenarios, so this is where we can use the help of the
    community.

    Some of the open questions are:
    - OpenRC compatibility: Since this is a generic image and because it is
    not possible to override a UKI's cmdline at boot when Secure Boot is
    enabled, we cannot rely on root= to tell us where the root partition is.
    Instead we rely on systemd-gpt-auto-generator[3] to dynamically
    determine the correct partition layout. To what extent the inclusion of
    systemd and its utilities in the initramfs impacts the possibility of
    booting an OpenRC system with the generic UKI is still unknown. (Though
    I have a suspicion that systemd will not be happy about handing over
    control to another init system, and that therefore it might not work at
    all.)

    - Network booting: We include the dracut modules that should in theory
    make the resulting UKI support network booting. However, this is still
    untested.

    - Measured Boot: ukify does the systemd-measure magic that should in
    theory make it possible to unlock secrets conditionally on whether the
    PCR registers match the predetermined value (i.e. Measured Boot). This
    has not yet been tested (mostly because the TPM on my system is behaving
    a bit odd, and I lack the experience with TPMs to determine why and how
    to resolve it).
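    The two properties the post relies on, that the cmdline is baked into the
    UKI as a PE section and that systemd-stub measures those sections into
    PCR 11, can be checked offline. The following is an added example, not
    code from the post or from the Gentoo distribution kernel project: it
    parses the PE section table of a UKI, reports the embedded cmdline, and
    pre-computes the PCR 11 value the measured sections would produce. The
    measurement order and the exclusion of .pcrsig are assumptions modelled
    on systemd-stub's behaviour and may differ between systemd versions; the
    sample image is constructed in the block so it runs without a real UKI.

```python
"""Inspect a UKI's PE sections and pre-compute the PCR 11 value they yield."""
import hashlib
import struct

# Order in which systemd-stub measures sections into PCR 11 (assumption: mirrors
# systemd's unified_sections[] minus .pcrsig, which carries the PCR signature
# and is not measured; verify against the systemd version actually installed).
MEASURED_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".splash",
                     ".dtb", ".uname", ".sbat", ".pcrpkey")


def pe_sections(image: bytes) -> dict:
    """Return {section_name: payload} from a PE/COFF image such as a UKI."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE\\0\\0 signature")
    coff = e_lfanew + 4                       # COFF file header follows "PE\0\0"
    (nsections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size              # section table follows optional header
    sections = {}
    for i in range(nsections):
        entry = table + 40 * i                # one IMAGE_SECTION_HEADER is 40 bytes
        name = image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, entry + 8)
        size = min(vsize, raw_size) if vsize else raw_size   # drop file-alignment padding
        sections[name] = image[raw_ptr:raw_ptr + size]
    return sections


def embedded_cmdline(image: bytes) -> str:
    """The kernel cmdline a Secure Boot user cannot override at boot time."""
    return pe_sections(image).get(".cmdline", b"").rstrip(b"\0").decode()


def predict_pcr11(sections: dict) -> str:
    """TPM-style extend: PCR = SHA256(PCR || SHA256(section)) per measured section."""
    pcr = bytes(32)                           # PCR 11 starts out all-zero
    for name in MEASURED_SECTIONS:
        if name in sections:
            pcr = hashlib.sha256(pcr + hashlib.sha256(sections[name]).digest()).digest()
    return pcr.hex()


def build_fake_uki(sections: dict) -> bytes:
    """Constructed minimal PE carrying the given sections (demo input, not a real UKI)."""
    n = len(sections)
    opt_size = 0                              # a real UKI has a PE32+ optional header
    e_lfanew = 0x40
    offset = e_lfanew + 4 + 20 + opt_size + 40 * n   # payloads start after the headers
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, opt_size, 0x22)
    table, blobs = b"", b""
    for name, data in sections.items():
        table += name.encode().ljust(8, b"\0")
        table += struct.pack("<IIII", len(data), offset, len(data), offset)
        table += bytes(16)                    # reloc/linenum pointers, counts, flags
        blobs += data
        offset += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


if __name__ == "__main__":
    # Constructed sample contents; a real UKI would hold a kernel, os-release, initrd.
    sample = {".linux": b"<kernel>", ".osrel": b"ID=gentoo\n",
              ".cmdline": b"ro quiet\0", ".initrd": b"<initramfs>"}
    image = build_fake_uki(sample)
    for name, payload in pe_sections(image).items():
        print(f"{name:10} {len(payload):6} bytes")
    print("cmdline  :", embedded_cmdline(image))
    print("PCR 11   :", predict_pcr11(pe_sections(image)))
```

    Run against a real image (`pe_sections(open("/efi/EFI/Linux/<uki>.efi", "rb").read())`)
    the output shows which sections ship in the generic UKI and what cmdline
    it enforces; comparing predict_pcr11() with the value systemd-measure
    reports is a quick sanity check of the assumed section order.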

    It would be great if folks could give our generic-uki a test drive to
    help us explore what works, and what does not. All feedback is welcome
    on #gentoo-dist-kernel or via bug report.
    Here's a brief list of steps to set this up:
    - Enable USE=generic-uki on gentoo-kernel-bin
    - If installkernel-systemd is used, configure it as follows in
    /etc/kernel/install.conf:
        layout=uki
        uki_generator=none
        initrd_generator=none
    - If installkernel-gentoo is used, enable USE=uki
    - (re-)emerge gentoo-kernel-bin
    - If shim/mokutil is used, import our certificate:
        mokutil --import /usr/src/linux-6.6.9-gentoo-dist/certs/signing_key.x509
    - If shim/mokutil is not used, but Secure Boot is still desired, ensure
    our certificate will be accepted by the UEFI (steps depend on the vendor)
    - Ensure a known-working alternative kernel/UKI is also present
    - If rEFInd is used, configure it to find the new UKI. If systemd-boot
    is used it will be auto-discovered and no further setup is required.
    - Reboot

    If any of the documentation on the wiki is unclear, then please also let
    me know so I can improve it.

    Some frequently asked questions:
    - What bootloaders are supported?: systemd-boot, rEFInd, and possibly
    version 2.12 and up of GRUB.

    - Can I use the prebuilt generic initramfs image, without using the
    generic UKI, or use the generic initramfs to generate my own custom
    UKI?: Yes, see [5].

    - Can I combine this with USE=modules-compress?: Yes

    - Are boot splashes supported?: No, including plymouth in the initramfs
    requires including the GPU drivers and firmware as well. These files are
    huge and they are many. At this time the cost of the increased UKI and
    gpkg size is not something we are willing to pay.

    If there are any other questions feel free to drop by #gentoo-dist-kernel.

    Best regards,
    Andrew

    [1] https://wiki.gentoo.org/wiki/Unified_kernel_image
    [2] https://wiki.gentoo.org/wiki/Secure_Boot
    [3] https://wiki.gentoo.org/wiki/Systemd#Automatic_mounting_of_partitions_at_boot
    [4] https://wiki.gentoo.org/wiki/User:Ajak/Measured_Boot
    [5] https://wiki.gentoo.org/wiki/Project:Distribution_Kernel#Generic_UKI
