Re: F38 proposal: Unified Kernel Support Phase 1 (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Di, 20.12.22 11:28, Neal Gompa (ngompa13@xxxxxxxxx) wrote:

> I think UKIs are fundamentally flawed and are an idea that came out of
> a group that doesn't really interact with real users enough to
> understand how much of a problem they actually are.

I presume this is supposed to be a comment on systemd upstream, which
includes me?

Dunno, I think I have quite a good idea how people use systemd, and
how general purpose distros like Fedora use it. Because I get the
firehose of feedback on it. From *all* distros, and from all ways how
peole use it.

> In the Fedora case, things are simpler right up until we hit graphics
> drivers. This is also a problem for VMs too, because GPU passthrough
> is a common case for scientific and gaming workloads. As long as the
> NVIDIA driver remains dominant in Linux, UKIs cannot work because by
> design you cannot load anything that isn't part of the kernel image.

That's simply not true. Along with UKIs we developed the "sysext"
concept, to make them extensible. Primary usecase: extend the basic
initrd with drivers/subsystems that you want on some systems but not all.

> For bare metal, we *need* these drivers in early boot, though. And
> that's another problem: no third-party early boot drivers. Even if you
> solve the signing issue, you need to introduce some kind of two-stage
> OS boot process so we can bring up the bare minimum to load a second
> image containing all the remaining drivers.

In the UKI model the UEFI stub (i.e. systemd-stub) actually loads the
sysext images from UEFI mode still, via UEFI fs APIs. i.e. they area
already in memory when the initrd initializes, and can be used
instantly. They are validated via verity/kernel certification
keyring.

> And at that point, you've
> defeated the purpose of UKIs. I've heard from some people that system
> extensions (sysexts) would be a way to solve this, and maybe it is.
> But again, we've eliminated the value of UKIs by doing so.

I don't see any value being "eliminated".

> Speaking more broadly, there are also problems that will be introduced
> as this trickles down from Fedora into prominent downstreams (assuming
> this is accepted). In the RHEL case, you've basically broken driver
> disks completely. In the UKI model, there's no way to incorporate
> early boot storage, network, and graphics drivers.

There is, sysext.

> The crux of the problem here is *signing*. All of this is tied up in
> Secure Boot and TPM, which is the wrong place to actually handle
> this.

sysext authentication is tied to kernel keyring authentication
actually, exactly like kernel modules.

The kernel keyring can be populated via mokutil.

> In other operating systems (notably Windows), Secure Boot certificates
> are not used for blocking or enabling kernel-level drivers. Instead,
> there's a kernel-level certificate store that is used to validate and
> enable drivers, allowing everything to be managed in a hardware
> platform agnostic way.

I think people currently accept that mokutil is the certificate store
for Linux. If you don't like that, I might even agree to some point
with that, but this isn't new in the context of UKIs or sysext, we
just use the very same infrastructure kmods use.

> I've also yet to hear of a decent reason for
> TPM measurements too. Block or filesystem verity provides similar
> guarantees to provide tamper resistance and are both much easier to
> debug than TPM interfaces.

Unlocking secrets via TPM is usually what you want for write
acccess. Verity is read-only only.

> With my FESCo hat on, I'm uneasy about this change. With my "Fedora
> user and advocate" hat on, I think that the UAPI group has failed to
> provide something useful to the Linux world here and I would be
> extremely apprehensive about Fedora adopting any portion of this
> stuff.

Umpfh. This is FUD. Please read up before writing scathing comments
like that.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux