Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Passing Kernel Params from systemd-boot for Secure Boot UKI #10635

Open
yockgen opened this issue Oct 5, 2024 · 2 comments
Open

Passing Kernel Params from systemd-boot for Secure Boot UKI #10635

yockgen opened this issue Oct 5, 2024 · 2 comments
Labels
question Further information is requested

Comments

@yockgen
Copy link

yockgen commented Oct 5, 2024
edited
Loading

My Mariner OS is built with following features:

1, Unified Kernel Image (kernel+initrd+cmdline)
2. Systemd-boot as boot loader
3. Secure Boot enabled
4. Multi boot

Systemd-boot config files looks like below

root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa ro quiet yockgen=1

root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
Title   Yockgen OS2 UKI
efi     /EFI/Linux/linux-6.1.0-1.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2

With Secure Boot enabled, the /proc/cmdline is no longer overwritten by the systemd-boot configuration. The cmdline is shown those params during UKI built time.

Runtime logs as below:

root@YockgenOS [ ~ ]# cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-6.6.43-1.cm2       rd.auto=1 root=PARTUUID=21f13e53-110f-4be5-b18a-fed745cacc87 init=/lib/systemd/systemd ro loglevel=3 no-vmw-sta crashkernel=256M lockdown=integrity lockdown=integrity sysctl.kernel.unprivileged_bpf_disabled=1 net.ifnames=0 plymouth.enable=0 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0

root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos1.conf
Title   Yockgen OS1 UKI
efi     /EFI/Linux/linux-6.1.0-0.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=1


root@YockgenOS [ ~ ]# cat /boot/efi/loader/entries/sos2.conf
Title   Yockgen OS2 UKI
efi     /EFI/Linux/linux-6.1.0-1.efi.signed
options root=PARTUUID=xxxxx-xxxx-xxxxa  ro quiet yockgen=2

I couldn't hardcode the 'yockgen' parameter during the build process, as its value depends on the runtime environment. This value needs to be assessed by a custom Dracut module during the initrd stage to mount specific devices.

What could be the possible solution for this?

Thanks a lot of any guidance!
@yockgen yockgen added the question Further information is requested label Oct 5, 2024
@trungams
Copy link
Member

Hi @yockgen, would UKI addons be something you are looking for?

https://uapi-group.org/specifications/specs/unified_kernel_image/#pe-addons

@yockgen
Copy link
Author

yockgen commented Oct 10, 2024

Thanks @trungams , Yes, PE addon is one of possible solutions, however, there is a rigid security requirement for my project that if the PE addon EFI could be copied and pasted to other UKIs in the device to overwrite the cmdline, according to my understanding, this is possible. What is your suggestion on this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@trungams @yockgen