From: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
To: gentoo-dev@lists.gentoo.org, gentoo-dev-announce@lists.gentoo.org
Date: Tue, 2 Jan 2024 12:42:52 +0100
Subject: [gentoo-dev] Testing request: sys-kernel/gentoo-kernel-bin[generic-uki]
Message-ID: <191261da-d4da-428c-a4f1-390ae8dbb3e9@gentoo.org>
Organization: Gentoo Linux

Dear all,

First of all, happy new year!

Those of you who have already synced the tree this year might have noticed that gentoo-kernel(-bin) gained two new USE flags yesterday. The first (USE=modules-compress) I think is pretty self-explanatory: it installs all modules xz-compressed. The second new USE flag is USE=generic-uki; this installs the kernel along with a prebuilt, experimental(!), generic initramfs and unified kernel image. Let me explain first why this is something you might want to use.
A Unified Kernel Image[1] combines the initramfs, cmdline, kernel and some other things into a single EFI executable. This is great because it allows the whole thing to be signed, and verified when booting with Secure Boot[2] enabled. In the usual plain kernel image + initramfs configuration, by contrast, only the kernel image is verified, leaving the possibility of injecting something malicious into the initramfs.

We have supported generating your own Unified Kernel Images for some time now. However, since building the UKI must always happen after building the initramfs, which happens locally in postinst, this has so far always relied on users generating and protecting their own UKI-signing key. This is where USE=generic-uki comes in: it allows users to take full advantage of the extra verification UKIs offer, without the hassle of managing and protecting a custom signing key.

Though I know this works in my setups, there are still some open questions, and more testing in different setups is needed to determine how generic our generic image actually is. We include many things in this generic initramfs, but it is not feasible for me to test all of the possible booting scenarios, so this is where we can use the help of the community. Some of the open questions are:

- OpenRC compatibility: Since this is a generic image, and because it is not possible to override a UKI's cmdline at boot when Secure Boot is enabled, we cannot rely on root= to tell us where the root partition is. Instead we rely on systemd-gpt-auto-generator[3] to dynamically determine the correct partition layout. To what extent the inclusion of systemd and its utilities in the initramfs impacts the possibility of booting an OpenRC system with the generic UKI is still unknown. (Though I have a suspicion that systemd will not be happy about handing over control to another init system, and that therefore it might not work at all.)
- Network booting: We include the dracut modules that should in theory make the resulting UKI support network booting. However, this is still untested.

- Measured Boot: ukify does the systemd-measure magic that should in theory make it possible to unlock secrets conditionally on whether the PCR registers match the predetermined value (i.e. Measured Boot[4]). This has not yet been tested (mostly because the TPM on my system is behaving a bit oddly, and I lack the experience with TPMs to determine why and how to resolve it).

It would be great if folks could give our generic-uki a test drive to help us explore what works and what does not. All feedback is welcome on #gentoo-dist-kernel or via bug report. Here's a brief list of steps to set this up:

- Enable USE=generic-uki on gentoo-kernel-bin
- If installkernel-systemd is used, configure it as follows in /etc/kernel/install.conf:

    layout=uki
    uki_generator=none
    initrd_generator=none

- If installkernel-gentoo is used, enable USE=uki
- (Re-)emerge gentoo-kernel-bin
- If shim/mokutil is used, import our certificate:

    mokutil --import /usr/src/linux-6.6.9-gentoo-dist/certs/signing_key.x509

- If shim/mokutil is not used, but Secure Boot is still desired, ensure our certificate will be accepted by the UEFI firmware (steps depend on the vendor)
- Ensure a known-working alternative kernel/UKI is also present
- If refind is used, configure it to find the new UKI. If systemd-boot is used, it will be auto-discovered and no further setup is required.
- Reboot

If any of the documentation on the wiki is unclear, then please also let me know so I can improve it.

Some frequently asked questions:

- What bootloaders are supported?: systemd-boot, refind, and possibly version 2.12 and up of grub.
- Can I use the prebuilt generic initramfs image without using the generic UKI, or use the generic initramfs to generate my own custom UKI?: Yes, see [5].
- Can I combine this with USE=modules-compress?: Yes
- Are boot splashes supported?: No. Including plymouth in the initramfs requires including the GPU drivers and firmware as well. These files are huge and there are many of them. At this time the cost of the increased UKI and gpkg size is not something we are willing to pay.

If there are any other questions, feel free to drop by #gentoo-dist-kernel.

Best regards,
Andrew

[1] https://wiki.gentoo.org/wiki/Unified_kernel_image
[2] https://wiki.gentoo.org/wiki/Secure_Boot
[3] https://wiki.gentoo.org/wiki/Systemd#Automatic_mounting_of_partitions_at_boot
[4] https://wiki.gentoo.org/wiki/User:Ajak/Measured_Boot
[5] https://wiki.gentoo.org/wiki/Project:Distribution_Kernel#Generic_UKI
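The post explains that a UKI bundles kernel, initramfs and command line into one signed EFI executable, and that the generic image therefore cannot take a root= override at boot. The following is an added example, not part of Andrew's post and not code from the Gentoo distribution-kernel project or from systemd/ukify: it reads the section table of a UKI (a PE/COFF binary, with ukify's section names .linux, .initrd, .cmdline, .osrel) and extracts the baked-in command line, which is the only way to know what a prebuilt UKI will boot with. The build_minimal_pe() helper and the SAMPLE_UKI it produces are constructed test data with the same section-table layout as a real image, so the script runs offline; the sample's command line "rw quiet" is an assumption, not the actual content of Gentoo's generic UKI.

```python
"""Read the sections of a Unified Kernel Image (UKI).

Added example, not code from the Gentoo distribution-kernel project or from
systemd/ukify.  A UKI is a PE/COFF EFI executable in which ukify stores the
kernel, initramfs and kernel command line as the sections .linux, .initrd and
.cmdline (plus .osrel, .uname and others).  Because the command line is inside
the signed image and cannot be overridden under Secure Boot, reading it out of
the file is how you learn what a prebuilt UKI will boot with.  The sample
image built below is constructed data, not a bootable kernel.
"""
import struct

REQUIRED_UKI_SECTIONS = (".linux", ".initrd", ".cmdline")


def pe_sections(image: bytes) -> dict:
    """Return {section name: raw bytes} from the PE/COFF section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", image, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section headers follow the optional header
    sections = {}
    for i in range(nsect):
        ent = table + 40 * i
        name = image[ent:ent + 8].rstrip(b"\0").decode("ascii")
        vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<IIII", image, ent + 8)
        # SizeOfRawData is padded up to FileAlignment; VirtualSize holds the true payload length.
        length = min(vsize, rawsize) if vsize else rawsize
        sections[name] = image[rawptr:rawptr + length]
    return sections


def uki_cmdline(image: bytes) -> str:
    """Return the embedded kernel command line, refusing images that are not UKIs."""
    secs = pe_sections(image)
    missing = [s for s in REQUIRED_UKI_SECTIONS if s not in secs]
    if missing:
        raise ValueError(f"not a UKI: missing sections {missing}")
    return secs[".cmdline"].rstrip(b"\0").decode("utf-8").strip()


def is_uki(image: bytes) -> bool:
    try:
        uki_cmdline(image)
        return True
    except ValueError:
        return False


def cmdline_params(cmdline: str) -> dict:
    """Split 'a=b c' into {'a': 'b', 'c': None}, e.g. to check whether root= is present."""
    out = {}
    for tok in cmdline.split():
        key, sep, val = tok.partition("=")
        out[key] = val if sep else None
    return out


def build_minimal_pe(sections: dict) -> bytes:
    """Constructed sample: a PE container holding the given sections and nothing else.

    SizeOfOptionalHeader is 0 here (a real UKI carries a PE32+ optional header,
    which pe_sections() skips via that field); FileAlignment is 512.
    """
    names = list(sections)
    table_off = 0x40 + 4 + 20                              # MZ stub, "PE\0\0", COFF header
    data_off = (table_off + 40 * len(names) + 511) // 512 * 512
    hdr = bytearray(b"MZ") + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    hdr += b"PE\0\0"
    # Machine=x86-64, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader=0, Characteristics
    hdr += struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x0022)
    body = bytearray()
    vaddr = 0x1000
    for name in names:
        payload = sections[name]
        rawsize = (len(payload) + 511) // 512 * 512
        hdr += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(payload), vaddr,
                           rawsize, data_off + len(body), 0, 0, 0, 0, 0x40000040)  # INITIALIZED_DATA | READ
        body += payload + b"\0" * (rawsize - len(payload))
        vaddr += (rawsize + 0xFFF) & ~0xFFF
    hdr += b"\0" * (data_off - len(hdr))
    return bytes(hdr) + bytes(body)


# Constructed sample resembling a generic UKI: no root= on the command line, since
# the root file system is meant to be discovered from the GPT at boot.
SAMPLE_UKI = build_minimal_pe({
    ".osrel": b"NAME=Gentoo\nID=gentoo\n",
    ".cmdline": b"rw quiet\0",                       # assumed, not Gentoo's real cmdline
    ".linux": b"\x4d\x5a" + b"\0" * 1022,            # stands in for the bzImage
    ".initrd": b"\x1f\x8b" + b"\0" * 4094,           # stands in for the compressed initramfs
})

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_UKI
    for name, data in pe_sections(image).items():
        print(f"{name:<10} {len(data):>10} bytes")
    cmdline = uki_cmdline(image)
    print("cmdline:", cmdline)
    print("root= present:", "root" in cmdline_params(cmdline))
```

Run it with the path to an installed UKI (for example the file systemd-boot auto-discovers under the ESP's EFI/Linux directory) to list the sections and print the command line before rebooting into it; with no argument it inspects the constructed sample.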
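The OpenRC item above notes that, with no root= available, the generic initramfs relies on systemd-gpt-auto-generator to find the root partition. What that means in practice is that the root file system must carry the Discoverable Partitions Specification type GUID for the architecture, not the generic "Linux filesystem" type, and must not be flagged no-auto. The following added example (mine, not systemd's or Gentoo's code) parses a primary GPT header and entry array with CRC checks and applies that rule, so you can check a disk before relying on the generic UKI. The build_gpt() helper and SAMPLE_DISK are constructed in-memory data; the tie-breaking systemd applies when several candidate root partitions exist is not reproduced, this version simply refuses ambiguity, and the same-disk-as-ESP condition is left to the caller.

```python
"""Find the root partition by GPT type GUID, as systemd-gpt-auto-generator does.

Added example, not systemd's or Gentoo's code.  Parses the primary GPT (header
and entry array, both CRC-checked) and selects the partition gpt-auto would
mount on /: the architecture's root type from the Discoverable Partitions
Specification, not flagged no-auto.  build_gpt() constructs a sample disk so
this runs offline; it writes a single primary header and no backup copy.
"""
import struct
import uuid
import zlib

# Discoverable Partitions Specification type GUIDs
ROOT_X86_64   = uuid.UUID("4f68bce3-e8cd-4db1-96e7-fbcaf984b709")
ESP           = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")
HOME          = uuid.UUID("933ac7e1-2eb4-4f13-b844-0e14e2aef915")
SWAP          = uuid.UUID("0657fd6d-a4ab-43c4-84e5-0933c84b4f4f")
LINUX_GENERIC = uuid.UUID("0fc63daf-8483-4772-8e79-3d69d8477de4")  # plain "Linux filesystem": never auto-mounted as root

# Partition attribute bits defined by the same specification
ATTR_READ_ONLY = 1 << 60
ATTR_NO_AUTO   = 1 << 63

GPT_HEADER = "<8sIIIIQQQQ16sQIII"   # 92 bytes at LBA 1
GPT_ENTRY  = "<16s16sQQQ72s"        # 128 bytes per entry


def parse_gpt(disk: bytes, sector: int = 512) -> list:
    """Return the non-empty entries of the primary GPT as dicts."""
    (sig, _rev, hsize, hcrc, _res, _cur, _bak, _first, _last, _dguid,
     ent_lba, nent, esize, ecrc) = struct.unpack(GPT_HEADER, disk[sector:sector + 92])
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    check = bytearray(disk[sector:sector + hsize])
    check[16:20] = b"\0\0\0\0"                            # header CRC is computed with its own field zeroed
    if zlib.crc32(bytes(check)) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    raw = disk[ent_lba * sector:ent_lba * sector + nent * esize]
    if zlib.crc32(raw) != ecrc:
        raise ValueError("GPT entry array CRC mismatch")
    parts = []
    for i in range(nent):
        tguid, pguid, first, last, attrs, name = struct.unpack(GPT_ENTRY, raw[i * esize:i * esize + 128])
        ptype = uuid.UUID(bytes_le=tguid)                 # GPT stores GUIDs in mixed endianness
        if ptype.int == 0:
            continue                                      # unused slot
        parts.append({"index": i + 1, "type": ptype, "uuid": uuid.UUID(bytes_le=pguid),
                      "first": first, "last": last, "attrs": attrs,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return parts


def find_root(parts: list, root_type: uuid.UUID = ROOT_X86_64) -> dict:
    """The partition gpt-auto would use for /: correct root type and not flagged no-auto."""
    cands = [p for p in parts if p["type"] == root_type and not p["attrs"] & ATTR_NO_AUTO]
    if len(cands) != 1:
        raise LookupError(f"expected exactly one auto-mountable root partition, found {len(cands)}")
    return cands[0]


def discoverable_root(disk: bytes, root_type: uuid.UUID = ROOT_X86_64):
    """Name of the discoverable root partition on `disk`, or None if gpt-auto would find none."""
    try:
        return find_root(parse_gpt(disk), root_type)["name"]
    except LookupError:
        return None


def build_gpt(entries: list, sector: int = 512, nent: int = 128) -> bytes:
    """Constructed sample disk: blank LBA 0, primary header at LBA 1, entry array from LBA 2."""
    raw = bytearray()
    for ptype, name, first, last, attrs in entries:
        raw += struct.pack(GPT_ENTRY, ptype.bytes_le, uuid.uuid4().bytes_le,
                           first, last, attrs, name.encode("utf-16-le"))
    raw += b"\0" * (nent * 128 - len(raw))
    ent_sectors = len(raw) // sector
    last_usable = max(e[3] for e in entries) + 1
    hdr = bytearray(struct.pack(GPT_HEADER, b"EFI PART", 0x00010000, 92, 0, 0,
                                1, 0, 2 + ent_sectors, last_usable, uuid.uuid4().bytes_le,
                                2, nent, 128, zlib.crc32(bytes(raw))))
    hdr[16:20] = struct.pack("<I", zlib.crc32(bytes(hdr)))
    hdr += b"\0" * (sector - len(hdr))
    return b"\0" * sector + bytes(hdr) + bytes(raw)


# Constructed layout: ESP, current root, a retired root flagged no-auto, home, swap.
SAMPLE_DISK = build_gpt([
    (ESP,         "esp",           2048,   1050623, 0),
    (ROOT_X86_64, "root",       1050624,  60000000, 0),
    (ROOT_X86_64, "root-old",  60000001, 100000000, ATTR_NO_AUTO),
    (HOME,        "home",     100000001, 200000000, 0),
    (SWAP,        "swap",     200000001, 210000000, 0),
])

# Same machine with the root partition typed as generic "Linux filesystem": not discoverable.
GENERIC_TYPED_DISK = build_gpt([
    (ESP,           "esp",     2048,  1050623, 0),
    (LINUX_GENERIC, "root", 1050624, 60000000, 0),
])

if __name__ == "__main__":
    import sys
    disk = open(sys.argv[1], "rb").read(512 * 34) if len(sys.argv) > 1 else SAMPLE_DISK
    for p in parse_gpt(disk):
        print(f"{p['index']:>2} {p['name']:<10} type={p['type']} no-auto={bool(p['attrs'] & ATTR_NO_AUTO)}")
    print("gpt-auto root:", discoverable_root(disk))
```

Pointing it at a block device (it reads only the first 34 sectors, enough for the primary header and a 128-entry table) tells you whether the generic UKI has a root partition it can find; a None result with a partition that is clearly the root usually means the partition type is the generic Linux type and needs to be changed to the architecture's root type, which on this layout is what root-old demonstrates in reverse via the no-auto flag.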