What is the status of providing uki

Unified kernel in Fedora was a plan as far as I know…
What is the status of it, as I no longer hear anything about that afterward…

It looks like there have been several issues that have cropped up surrounding dracut and crypto support: F40 Change Proposal: Unified Kernel Support Phase 2 (System-Wide)

I’m guessing there are other blockers that need to be addressed.

Lots of interesting UKI stuff in systemd 257 that was just released.

LWN.net has a nice write-up https://lwn.net/Articles/1001730/ but it's for subscribers only for a week.

There is another article https://lwn.net/Articles/979789/ which seems to be a Red Hat project. Whether this will be the future way of doing things, or the systemd-boot way of doing it, remains to be seen.

The package systemd-ukify.noarch contains a mechanism to build and sign a UKI image with your own signing key.

There is a UKI-based cloud image available (see Fedora Cloud | The Fedora Project).

Manually switching systems to use UKIs still works (using the phase 2 instructions), in which case the UKI is booted directly (shim.efi → UKI.efi).

A bunch of small steps on improving UKI support happened over time in the config tooling:

  • systemd-boot can be used now: uki-direct.rpm detects systemd-boot being used and in that case simply depends on systemd-boot selecting a kernel instead of updating UEFI boot configuration on kernel updates.
  • shim.efi is optional now: in case secure boot is disabled and shim.efi is not present, the UKI can be loaded directly without shim.efi in the chain.
  • uki-direct.rpm picks up the kernel command line from /etc/kernel/cmdline and adds it to the UEFI boot entries (works only with secure boot turned off, otherwise systemd-stub will not pass on the command line to the Linux kernel).

The upstream changes (especially in systemd) obviously also help moving things forward.

So, there is progress, but no step big enough for a “phase 3” change. Maybe that comes when we finally have systemd-boot with a proper secure boot signature (see Issue #10765: secure boot signing for systemd-boot - releng - Pagure.io) so we can switch the UKI cloud image to use systemd-boot.
