Message-Id: <9580df76-c143-4077-8a39-b1fcc0ed37bd@app.fastmail.com>
In-Reply-To:
References: <20230909161851.223627-1-kernel@jfarr.cc> <1d974586-1bf7-42e8-9dae-e5e41a3dbc9f@app.fastmail.com>
Date: Tue, 12 Sep 2023 17:32:41 +0200
From: "Jan Hendrik Farr"
To: "Jarkko Sakkinen", linux-kernel@vger.kernel.org
Cc: kexec@lists.infradead.org, x86@kernel.org, tglx@linutronix.de, dhowells@redhat.com, vgoyal@redhat.com, keyrings@vger.kernel.org, akpm@linux-foundation.org, "Baoquan He", bhelgaas@google.com, lennart@poettering.net, "Luca Boccassi"
Subject: Re: [PATCH 0/1] x86/kexec: UKI support

On Tue, Sep 12, 2023, at 12:33 PM, Jarkko Sakkinen wrote:
> On Tue Sep 12, 2023 at 1:54 AM EEST, Jan Hendrik Farr wrote:
>> > What the heck is UKI?
>>
>> UKI (Unified Kernel Image) is the kernel image + initrd + cmdline (+
>> some other optional stuff) all packaged up together as one EFI
>> application.
>>
>> This EFI application can then be launched directly by the UEFI without
>> the need for any additional stuff (or by systemd-boot).
>> It's all self-contained. One benefit is that this is a convenient way
>> to distribute kernels all in one file. Another benefit is that the
>> whole combination of kernel image, initrd, and cmdline can all be
>> signed together so only that particular combination can be executed
>> if you are using secure boot.
>
> Is this also for generic purpose distributions? I mean it is not
> uncommon having to tweak the command-line in a workstation.

This is for generic purpose distributions. See Fedora's planned rollout:
https://fedoraproject.org/wiki/Changes/Unified_Kernel_Support_Phase_1

Or Arch:
https://wiki.archlinux.org/title/Unified_kernel_image

There are UKI addons that help you achieve this. These are additional PE
files that contain, for example, additional cmdline parameters. On a
generic Linux distro doing secure boot you'd generally use shim, could
enroll MOK and use that to sign an addon for your machine.

This patch currently does not support addons. The plan would be to
support them in the future though.

I personally always run my own compiled kernel and build a UKI from that,
so I can obviously tweak the cmdline that way and sign the UKI with my
own secure boot key.

>> The format itself is rather simple. It's just a PE file (as required
>> by the UEFI spec) that contains a small stub application in the .text,
>> .data, etc. sections that is responsible for invoking the contained
>> kernel and initrd with the contained cmdline. The kernel image is
>> placed into a .kernel section, the initrd into a .initrd section, and
>> the cmdline into a .cmdline section in the PE executable.
>
> How does this interact with the existing EFI stub support in linux?

It doesn't. During normal boot of a UKI the stub in it is used
(systemd-stub, see:
https://www.freedesktop.org/software/systemd/man/systemd-stub.html). The
kernel's own EFI stub will still be in the binary inside the .linux
section but not used.
Now in this patch (also see v2 I already posted) obviously none of the
stubs are used.
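The section layout the thread describes (a PE image whose sections carry the kernel, initrd and command line) worked as an added Python example; this is not code from the thread or the patch. It walks the PE section table, bounds-checks every section against the file length before slicing (the image is untrusted input to whatever loads it), and reports which UKI sections are present. The section names `.linux`, `.initrd` and `.cmdline` follow systemd-stub; `build_fake_uki` produces constructed test data, not a real UKI.

```python
import struct
# Section names a UKI carries (systemd-stub naming); .linux holds the kernel image.
UKI_SECTIONS = (b".linux", b".initrd", b".cmdline")

def parse_pe_sections(data: bytes) -> dict:
    """Return {name: bytes} per section: DOS hdr -> e_lfanew -> PE sig -> COFF hdr -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        if raw_ptr + raw_size > len(data):  # untrusted header: bounds-check before slicing
            raise ValueError(f"section {name!r} points past end of file")
        size = min(vsize, raw_size) if vsize else raw_size  # raw data is alignment-padded
        sections[name] = data[raw_ptr:raw_ptr + size]
    return sections

def describe_uki(data: bytes) -> dict:
    """Report which UKI sections are present and decode the embedded command line."""
    sections = parse_pe_sections(data)
    cmdline = sections.get(b".cmdline", b"").rstrip(b"\0").decode("utf-8", "replace")
    return {"missing": [n.decode() for n in UKI_SECTIONS if n not in sections],
            "cmdline": cmdline,
            "sizes": {k.decode(): len(v) for k, v in sections.items()}}

def build_fake_uki(payloads: dict) -> bytes:
    """Constructed fixture (not a real UKI): minimal PE with only the given sections, no optional header."""
    names = list(payloads)
    e_lfanew, opt_size = 0x40, 0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(names)  # first byte after the section table
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew) + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x22)
    body = bytearray()
    for name in names:
        payload = payloads[name]
        padded = payload + b"\0" * (-len(payload) % 16)  # mimic file-alignment padding
        hdr += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(payload), 0x1000, len(padded), raw_ptr + len(body), 0, 0, 0, 0, 0x40000040)
        body += padded
    return bytes(hdr + body)
```

`describe_uki(build_fake_uki({...}))` lists the sizes of each section and the decoded `.cmdline`, which is exactly the data a loader would want to inspect before trusting the image.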