On Tue Sep 12, 2023 at 1:54 AM EEST, Jan Hendrik Farr wrote:
>
> What the heck is UKI?
>
> UKI (Unified Kernel Image) is the kernel image + initrd + cmdline (+
> some other optional stuff) all packaged up together as one EFI
> application.
>
> This EFI application can then be launched directly by the UEFI without
> the need for any additional stuff (or by systemd-boot). It's all self
> contained. One benefit is that this is a convenient way to distribute
> kernels all in one file. Another benefit is that the whole combination
> of kernel image, initrd, and cmdline can all be signed together so
> only that particular combination can be executed if you are using
> secure boot.

Is this also for generic purpose distributions? I mean, it is not
uncommon to have to tweak the command line on a workstation.

> The format itself is rather simple. It's just a PE file (as required
> by the UEFI spec) that contains a small stub application in the .text,
> .data, etc. sections that is responsible for invoking the contained
> kernel and initrd with the contained cmdline. The kernel image is
> placed into a .kernel section, the initrd into a .initrd section, and
> the cmdline into a .cmdline section in the PE executable.

How does this interact with the existing EFI stub support in Linux?

> If we want to kexec a UKI we could obviously just have userspace pick
> it apart and kexec it like normal. However in lockdown mode this will
> only work if you sign the kernel image that is contained inside the
> UKI. The problem with that is that anybody can then grab that signed
> kernel and launch it with any initrd or cmdline. So instead this patch
> makes the kernel do the work instead. The kernel verifies the
> signature on the entire UKI and then passes its components on to the
> normal kexec bzImage loader.
>
> Useful Links:
> UKI format documentation: https://uapi-group.org/specifications/specs/unified_kernel_image/
> Arch wiki: https://wiki.archlinux.org/title/Unified_kernel_image
> Fedora UKI support: https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1

BR, Jarkko

_______________________________________________
kexec mailing list
kexec@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/kexec
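The PE layout described in the quoted message (stub in .text/.data, payload in named sections) can be inspected with a plain section-table walk. The following is an added example, not code from the patch or from the thread: it parses the COFF section headers, pulls out the payload sections, and builds a constructed (non-bootable) PE to run against. It assumes the section names as given in the message (`.kernel`, `.initrd`, `.cmdline`; the published UKI spec names the kernel section `.linux`, so the kernel section name is a parameter).

```python
import struct

# Section-table walker for the PE container described above. Enough to list
# what a UKI carries before it is handed to kexec; not a full PE loader.

def pe_sections(data: bytes) -> dict:
    """Return {name: payload} for every section header in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0] # COFF SizeOfOptionalHeader
    sec_off = pe_off + 24 + opt_size                          # section table follows optional header
    out = {}
    for i in range(nsec):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        if rptr + rsize > len(data):
            raise ValueError(f"section {name} extends past end of file")
        # SizeOfRawData is padded to the file alignment; VirtualSize is the real length.
        out[name] = data[rptr:rptr + (min(vsize, rsize) if vsize else rsize)]
    return out

def uki_parts(data: bytes, kernel_section: str = ".kernel") -> dict:
    """Extract the UKI payload sections. The kernel section is mandatory;
    initrd and cmdline are returned only when present."""
    secs = pe_sections(data)
    if kernel_section not in secs:
        raise ValueError(f"no {kernel_section} section: not a UKI")
    parts = {"kernel": secs[kernel_section]}
    for key, sec in (("initrd", ".initrd"), ("cmdline", ".cmdline")):
        if sec in secs:
            parts[key] = secs[sec]
    return parts

def build_uki(sections: dict) -> bytes:
    """Constructed test input: a minimal PE with the given sections
    (no stub code, empty optional header, so it is not bootable)."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    body, off = bytearray(), 0x40 + 24 + 40 * len(sections)
    for name, payload in sections.items():
        raw = len(payload) + (-len(payload) % 512)   # pad to 512-byte file alignment
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0, raw, off, 0, 0, 0, 0, 0x40000040)
        body += payload + b"\0" * (raw - len(payload))
        off += raw
    return bytes(hdr + body)
```

Signature checking is deliberately absent: this only shows what the loader would see inside the container, which is the combination the patch signs and verifies as a whole.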