On Mo, 04.12.23 17:40, Emanuele Giuseppe Esposito (eespo...@redhat.com) wrote:
> Hello everyone,
>
> As the title suggests, I am trying to extend an UKI initrd via
> systemd-sysext addons/extensions.
>
> I contributed to the systemd-stub UKI addons to extend the kernel
> command line, so I know how they works and planning to give a talk about
> them soon. However, I would like to get the full picture by using the
> same mechanism but with systemd-sysext addons to extend also initrd.
>
> As I understood, a systemd-sysext addon in
> /boot/efi/EFI/Linux/.efi.extra.d will be put in /.extra/sysext
> by systemd-stub, and then will be picked up by systemd-sysext to be
> added into the initrd.
>
> I am using Fedora, I created my UKI devel.efi, and made sure (just for
> safety) that the initrd contains the systemd-sysext module, as I
> generated it with dracut.
>
> The UKI is created with freshly compiled systemd-stub from commit
> 5808300c44. Kernel is 6.6.0-0.rc1.20230915git9fdfb15a3dbf.17.fc40.x86_64
>
> Then, I created a super dumb extension and put it in the right location:
> mkdir extension
> cd extension/
> vi ciao.txt
> mkdir usr
> cp ciao.txt usr/ciao2.txt
> cat /etc/os-release
> mkdir -p usr/lib/extension-release.d/
> echo ID=fedora > usr/lib/extension-release.d/extension-release.extension
> echo VERSION_ID=40 >>
> usr/lib/extension-release.d/extension-release.extension
> cat usr/lib/extension-release.d/extension-release.extension
> cd ..
> mksquashfs extension extension.raw
> mv extension.raw /boot/efi/EFI/Linux/devel.efi.extra.d/
The image must come with verity + signature, we'll not allow unsigned
extensions by default. (you could relax the image policy if you want,
or disable it but I'd advise you not to. The env var
SYSTEMD_DISSECT_VERITY_SIGNATURE=0 tells sysext to not validate images)
With upcoming systemd v255 just use "systemd-repart --make-ddi=sysext"
to generate a sysext image with verity and signing. mkosi can help you
too.
You either need to install your signature public key in the kernel's
own keychain somehow, or drop suitable certficates into
{/etc,/run}/verity.d/*.crt. The latter is a bit
underdocumented. (There was hope we could drop this again because it
would become easier to install stuff into the kernel keychain, but
that's still a mess, hence this userspace validation is probably going
to stay for good).
Ultimately if distros ship this in final products they really should
use the kernel keyring for this. That's how MSFT uses this for
example.
> Supposing I manage to do all of the above, my next question would be
> how/if to override the /lib folder instead of the traditional /usr or
> /opt, as for example I might want to add another kernel module into
> the UKI.
/lib/ is 1990's Linux. On modern distros, such as Fedora it has long
been replaced by a symlink to /usr/lib/. Hence if you want to drop
stuff into /lib/ then just drop it into /usr/lib/ instead.
> Last but not least is where is the documentation for this. I couldn't
> find anything at all about systemd-sysext, and therefore I would be very
> very happy to write (other than presenting it) some doc to make the life
> easier to anyone like me that is looking forward to using these new
> features.
So there's the man page of systemd-sysext and systemd-repart.
Flatcar has some docs:
https://www.flatcar.org/docs/latest/provisioning/sysext/
There is a video from ASG how this fits together:
https://www.youtube.com/watch?v=XTy3scX6rF4
There's no tutorial how to put this together though. Contributing that
would be very welcome of course!
Lennart
--
Lennart Poettering, Berlin
