Hi,

Here is a little patch series to kick off a discussion on pre-generated
initrd images and unified kernels. Let's start with a description of
the patches:

Patch #1 adds a dracut config file, targeting virtual machines. Given
that most physical machines have either sata or nvme disks these days
it probably boots most physical systems too.

Patch #2 adds a sub-package with an initrd image.

Patch #3 adds a sub-package with a unified kernel.

The goal is to move away from initrd images being generated on the
installed machine. They are generated while building the kernel package
instead. Main motivation for this move is to make the distro more robust
and more secure. When shipping the initrd as rpm it is possible to check
it with the usual tools ('rpm --verify' for example). TPM measurements
are much more useful because it is possible to pre-calculate the PCR
values for a given kernel version. When shipping a unified kernel image
(containing kernel, initrd, cmdline and signature) we get the additional
benefit that the initrd is covered by the signature, so secure boot will
actually be secure.

So, while unified kernels are clearly the better approach, it is also
the one which needs some changes in various packages. For an initrd
image the hooks needed are in place thanks to CoreOS shipping initrd
images today. Opt in by installing the sub-rpm and everything
JustWorks[tm]. To make unified kernels work smoothly a number of changes
are needed (beside the kernel rpm changes):

  (1) Add support for unified kernels to the kernel update scripts
      (/usr/lib/kernel/install.d/*).
  (2) Add boot loader support for unified kernel images:
      (a) either switch to sd-boot, which already supports this,
      (b) or add support to grub2 (improve the blscfg downstream patch).
  (3) Support /boot being vfat (depending on #2; sd-boot needs this).
  (4) Remove configuration information (and secrets) from initrd images
      and the kernel command line. The most important item here is the
      root filesystem location, which should be doable using
      https://systemd.io/DISCOVERABLE_PARTITIONS/ for many use cases.
      Can initially be handled in anaconda kickstart %post scripts.
      Long-term we need proper support in anaconda (and any other tool
      used to install or generate cloud images), especially if we want
      to make unified kernel images the default some day.
  (5) There might be more ...

I think the best way forward is to skip the initrd image interim step
and try to go straight to unified kernel image support, starting with
virtual machines & cloud images; when things are working smoothly there,
expand to cover more use cases.

I think it makes sense to start with the kernel changes.

Comments? Reviews? Suggestions?

thanks & take care,
  Gerd

Daniel P. Berrangé (1):
  [testing] add a kernel-unified-virt sub-RPM

Gerd Hoffmann (2):
  [testing] virtual machine dracut config
  [testing] add a kernel-initrd-virt sub-RPM

 dracut-virt.conf | 26 +++++++++++++++++++
 kernel.spec      | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
 create mode 100644 dracut-virt.conf

-- 
2.37.2
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
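The PCR pre-calculation argument in the cover letter above, modelled in Python as an added example. This is not code from the patch series or the Fedora kernel package: the "kernel", "initrd" and command line are constructed byte strings standing in for real artifacts, the function names (`predict_pcr`, `boot_pcr_hostonly`, `boot_pcr_uki`, ...) are this example's own, and the measurement model is simplified to raw SHA-256 of each blob extended into a single register (real firmware measures PE Authenticode hashes and event-log entries across several PCRs). What it shows is the property the letter relies on: with a host-generated initrd the PCR differs per machine and cannot be known in advance, whereas with the rpm-shipped initrd, or a unified kernel image measured as one object, the value can be computed at package build time and compared against a quote.

```python
"""Model of why a pre-generated initrd makes TPM PCR values predictable.

Added example, not code from the patch series. All boot artifacts below are
constructed stand-ins; the measurement sequence is a simplification of what
UEFI firmware and the TPM event log actually record.
"""
import hashlib
import hmac
from typing import List, Optional

PCR_SIZE = 32  # SHA-256 bank; a boot-range PCR resets to all zeros


def measure(blob: bytes) -> bytes:
    """Digest of a measured object (what gets logged, then extended)."""
    return hashlib.sha256(blob).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend operation: PCR_new = SHA256(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def predict_pcr(blobs: List[bytes]) -> bytes:
    """Pre-compute the PCR value after measuring each blob, in order,
    starting from the reset value. Anyone holding the same bytes gets the
    same answer, which is what makes a sealing/attestation policy possible."""
    pcr = bytes(PCR_SIZE)
    for blob in blobs:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


# Constructed stand-ins (assumptions for this example, not real files).
KERNEL = b"vmlinuz-6.0.0-example"
VIRT_DRIVERS = [b"virtio_blk", b"virtio_scsi", b"ahci", b"nvme"]
CMDLINE = b"root=/dev/disk/by-partlabel/root ro"  # no host-specific secrets


def build_initrd(drivers: List[bytes], hostname: Optional[bytes] = None) -> bytes:
    """Stand-in initrd. hostname=None models a generic image built at
    package build time; a hostname models the host-specific files that an
    initrd generated on the installed machine tends to embed."""
    parts = [b"drivers=" + b",".join(drivers)]
    if hostname is not None:
        parts.append(b"etc/hostname=" + hostname)
    return b"\n".join(parts)


def build_uki(kernel: bytes, initrd: bytes, cmdline: bytes) -> bytes:
    """Stand-in unified kernel image: kernel, initrd and cmdline in one blob,
    so a single measurement (and a single signature) covers all three.
    Real UKIs are PE binaries with .linux/.initrd/.cmdline sections."""
    return b"".join([
        b"UKI\0",
        len(kernel).to_bytes(4, "big"), kernel,
        len(initrd).to_bytes(4, "big"), initrd,
        cmdline,
    ])


def boot_pcr_hostonly(hostname: bytes) -> bytes:
    """Today's flow: kernel, then an initrd generated on this host, then cmdline."""
    return predict_pcr([KERNEL, build_initrd(VIRT_DRIVERS, hostname), CMDLINE])


def boot_pcr_packaged_initrd() -> bytes:
    """Patch #2 flow: the initrd ships in the rpm and is identical everywhere."""
    return predict_pcr([KERNEL, build_initrd(VIRT_DRIVERS), CMDLINE])


def boot_pcr_uki(initrd: Optional[bytes] = None) -> bytes:
    """Patch #3 flow: the unified image is measured as a single object, so a
    swapped initrd changes the value even though kernel and cmdline match."""
    if initrd is None:
        initrd = build_initrd(VIRT_DRIVERS)
    return predict_pcr([build_uki(KERNEL, initrd, CMDLINE)])


def attestation_ok(expected: bytes, quoted: bytes) -> bool:
    """Compare a build-time predicted PCR with a quoted one, constant time."""
    return hmac.compare_digest(expected, quoted)


if __name__ == "__main__":
    print("host-only initrd, host a:", boot_pcr_hostonly(b"a").hex())
    print("host-only initrd, host b:", boot_pcr_hostonly(b"b").hex())
    print("packaged initrd:         ", boot_pcr_packaged_initrd().hex())
    print("unified kernel image:    ", boot_pcr_uki().hex())
```

The two host-only values differ while the packaged and UKI values are reproducible from the shipped bytes alone; that reproducibility is the precondition for sealing a disk key or an attestation policy to a kernel version rather than to one installed machine. In the real chain the per-host variation also comes from the kernel command line, which is why item (4) in the letter matters for the same reason.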