Re: Trying out a unified kernel image

Julian Sikorski <belegdol@xxxxxxxxx> writes:

> On 05.08.24 at 11:07, Vitaly Kuznetsov wrote:
>> Julian Sikorski <belegdol@xxxxxxxxx> writes:
>> 
>>> Hi list,
>>>
>>> I recently got curious about unified kernel images and what they bring
>>> to the table. While informing myself about these, the following
>>> questions came to mind:
>>> - ESP partition size: my laptop has it set at 260 MB by the laptop
>>> vendor, my desktop has it at 100 MB. Recommendation is 200 to 500 MB
>>> [0]. This seems too little, given that now the /boot partition on my
>>> desktop is 512 MB full with 3 kernels installed. Or are the UKIs packed
>>> more efficiently? Moreover, resizing ESP is somewhat challenging due to
>>> a parted bug [1][2]. Are there plans to make this more user-friendly
>>> once UKIs become more prevalent?
>> 
>> Hey Julian,
>> 
>> are you trying 'kernel-uki-virt' package or building your own UKI? With
>> 'kernel-uki-virt' we're mostly targeting virtualized and cloud
>> environments but bare metal can certainly be tried too! The size of the
>> packaged vmlinuz-virt.efi is 68Mb now so if you keep three of them in
>> your ESP, you need 210Mb or so. 256 MB feels limiting but I don't think
>> anything prevents you from creating a bigger ESP. I'm not sure about
>> resizing partitions but if you're ready to wipe out your hard drive
>> completely, it should work.
>> 
>
> Hi Vitaly,
>
> I was referring to trying out `kernel-uki-virt`. I have now bitten the
> bullet and installed it on my laptop with 260 MiB ESP. System has booted
> normally, except that there was a lot more console output than with
> grub. I guess this makes sense if cloud images are the primary target
> here.

Yes, the kernel command line we have is 'console=tty0 console=ttyS0'
and we don't do boot splash.

> With one UKI kernel I am already at 100 MiB full, meaning that trying 
> that on my desktop is out of question for the moment as I do not have 
> the spare capacity to wipe out the entire drive. On my desktop I have 
> actually already increased the partition to 500 MiB, but due to the bug 
> mentioned earlier the filesystem is still at 100 MiB. Looks like it 
> might need to be looked into if the UKI is ever considered default for 
> Workstation. 100 MiB is lower than current Microsoft default, but I 
> guess it was the default for 512 byte sector drives back when I 
> installed it. I am guessing nobody cared for the parted bug until now 
> because except for the ESP, dealing with tiny FAT16 partitions is hardly 
> a frequent use case.
>
>>> - does UKI work with third-party kernel modules like nvidia?
>> 
>> Yes, there's no difference between the traditional kernel layout and UKI
>> if you want to use third party modules. The only issue (not specific to
>> UKI) is SecureBoot. If you want to keep it on, you may need to either
>> enroll your key into SecureBoot 'db' (possible on virtualized and cloud
>> environments) or deal with 'MOK' (the only sane option for bare metal).
>
> I am already doing it for my desktop machine for nvidia and xone modules 
> so I am happy to hear it should keep working as expected. Does mokutil 
> enroll MOKs in a way that they are also usable by the direct boot 
> option? I could never see my MOK key listed in the UEFI setup yet it was
> working as expected.

If by 'direct boot' you mean 'shim -> UKI' then yes, MOK should work the
exact same way. You won't see MOK keys in the UEFI setup as MOK is a
feature of shim, not your firmware's. In case you do 'direct' boot of
the UKI from the firmware, MOK won't work.

Also, I'm not sure how you're managing your UEFI variables, but we now
have 'kernel-bootcfg' tool ('python3-virt-firmware' package) which makes
it really convenient. In particular, it can automate A/B booting (the
new UKI is tried once and becomes the default if it boots successfully). 

>
>> 
>>> - grub-less UKIs mean updating efivars with every kernel update. GRUB
>>> developers expressed concerns this might wear down the NVRAM chips. Was
>>> this ever looked into in more detail?
>> 
>> With 'kernel-uki-virt' we're targeting virtualized and cloud
>> environments where NVRAM is virtual so it's not an issue. It may (in
>> theory) represent a problem for certain bare metal scenarios, in that
>> case I would recommend using a bootloader between UEFI and UKI. As grub
>> is not capable of booting UKIs (I remember seeing patches doing this but
>> I'm not sure they were merged upstream/in Fedora) something like
>> systemd-boot can be used. The merging 'nmbl' bootloader should also be
>> capable of booting UKIs from day 1 (AFAIU).
>> 
>> (Personally, I'm not sure NVRAM wear is a real world problem. AFAIU,
>> different NVRAMs support 10000 to 500000 write cycles. For example, koji
>> tells me that there were 173 kernels built for Fedora-39. Even 10000
>> cycles will allow you to use 57 Fedora versions and this is likely
>> beyond the life expectancy of any hardware.)
>> 
>
> I was thinking about bare metal. Fair enough. The only reason for my 
> paranoia is that once NVRAM stops working, the machine is realistically 
> a paperweight. In other words, once one realizes that the manufacturer 
> has used subpar nvram, it is effectively too late. Having said that, 
> having efivars updated twice per kernel update could be fewer writes 
> than every time Windows is booted, depending on how often one actually 
> boots Windows.

Yea, we don't want to be all over the internet with 'Linux breaks
laptops!!!' of course :-)

>
> In any case, it is an exciting new development and I am interested to 
> experience what it brings in the future.

Good to know someone is trying UKIs outside of the limited "Confidential
VM" use-case!

-- 
Vitaly
