Secureboot allows kexec, when using the recentish kexec_file_load syscall
which performs kernel image signature verification.

All of this just works under secureboot.

On Fri, 24 Feb 2023, 20:20 Aaron Rainbolt, <arraybo...@ubuntu.com> wrote:

>
> On 2/24/23 11:51, Dan Bungert wrote:
> >>> On Fri, 24 Feb 2023 at 04:54, Aaron Rainbolt <arraybo...@ubuntu.com> wrote:
> >>>> I've seen more than one person annoyed by the fact that the mini.iso
> >>>> netinstaller is no more.
> >>>> The "flavor" would be able to be held in a
> >>>> very small ISO file (preferably CD sized), and it would download and
> >>>> install all of the packages that make up the Ubuntu system at runtime.
> >>>> This would allow a user to install Ubuntu or any desired flavor thereof
> >>>> using a single installation medium, rather than having to flash an ISO
> >>>> every time they want to make a drive install a different flavor. The new
> >>>> installation would be entirely up-to-date from the get-go, and it would
> >>>> enable the use of existing small storage media for those users who don't
> >>>> have sufficiently sized optical discs or flash drives.
> > Hi Aaron,
> >
> > As Lukasz mentioned, I've been looking at relevant things, and expect that we
> > can have the first version of ubuntu-mini-iso running this cycle.  I missed
> > feature freeze, so I'll be filing that exception :).
> >
> > Lukasz wrote a perfect summary of the work so far, so I'll quote it here:
> >>> The ubuntu-mini-iso is a small bootable iso that can be either
> >>> downloaded and used on a CD/USB-drive or even via UEFI HTTP that
> >>> brings up a dynamic TUI menu of what Ubuntu images you want to
> >>> download/install to your target system. It uses simplestreams to
> >>> select which images, so it'll be quite customizable regarding the
> >>> selection. The difference is that it then downloads the
> >>> iso-of-interest into memory and chain-boots into it, allowing the
> >>> installation of any image as one would normally do. This has some
> >>> limitations of course, since it needs sufficiently enough RAM.
> > So I think that will address much of what you were aiming for.
> >
> > Size: the bootleg builds I'm doing of this are around 140 MiB, I expect the
> > official builds to produce a similar answer.  It could potentially be smaller,
> > the size today is dominated by use of the existing Ubuntu initrd with a few
> > things added on top. (compare to the size of /boot/initrd.img)
> >
> > Download at runtime: ubuntu-mini-iso achieves this by presenting a menu of ISOs
> > that we could download, then with the user selection, reserving some memory,
> > downloading that ISO, and then kexecing to it.
>
> This makes good sense to me. The concern I'm noticing here is that
> Secure Boot activates a kernel lockdown mode that prohibits kexec. One
> workaround may be to have the user choose the release of Ubuntu to
> install at a GRUB menu so that a pre-existing kernel and initrd can be
> loaded, but this would bloat the ISO and complicate its use.
>
> Another possible solution might be to use mokutil to disable Secure Boot
> verification in the shim (essentially turning Secure Boot off without
> needing to get the BIOS involved), then rebooting the system. Then
> Secure Boot can be re-enabled with mokutil and then the ISO downloaded
> and kexec'd. When the user finishes installation and reboots, Secure
> Boot will be active again. This might complicate things with third-party
> drivers though.
>
> Perhaps we just live with no Secure Boot support?
>
> > ISOs in the menu: there is a casper hook that downloads simplestream json data
> > and hands it to the menu application, a small ncurses app that analyzes the
> > json, finds what ISOs to offer, and does so.  The user chooses an entry from
> > the menu, that info is handed back to the casper scripts, which download it and
> > we chain boot.
> >
> > That menu could be extended for Flavors support, perhaps conceptually similar
> > to how flavors are shown today on https://releases.ubuntu.com/.  The relevant
> > code is at: https://github.com/canonical/mini-iso-tools
> > It's not necessary to build an ISO to start playing with the menu, if you
> > download that, get the dependencies installed, `make run`, and you can see what
> > the menu looks like.
> >
> > If you're interested to help, Aaron, a good starting point would be to add
> > entries to https://github.com/canonical/mini-iso-tools/blob/main/json.c#L27 to
> > teach the menu how to read the simplestreams for the flavors.
> >
> > The existing menu can fit on a single screen, so if we start adding flavors I
> > think it will need some nested menu support, but that's achievable.
> >
> > I have done a hacked test run of having this new mini-iso chainboot to lubuntu
> > 22.04.2 and it all works fine.
> Nice, sounds awesome. Thank you for the info, and I'll see if I can hack
> on this at some point!
> > -Dan
>
> --
> Aaron Rainbolt
> Lubuntu Developer
> https://github.com/ArrayBolt3
> https://launchpad.net/~arraybolt3
> @arraybolt3:lubuntu.me on Matrix, arraybolt3 on irc.libera.chat
>
> --
> ubuntu-devel mailing list
> ubuntu-devel@lists.ubuntu.com
> Modify settings or unsubscribe at:
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
>
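
An added example, not part of either message and not code from mini-iso-tools or casper: a shell script that reads the kernel lockdown state and picks the kexec-tools loader option, forcing the signature-verifying `kexec_file_load` path (`-s`) whenever lockdown is active. The function names, the `/mnt/iso/casper/...` paths and the `boot=casper` command line are assumptions for illustration.

```shell
#!/bin/sh
# Added example: choose the kexec loader path from the kernel lockdown state.
# Function names, ISO mount paths and the command line are assumptions.

LOCKDOWN_FILE=/sys/kernel/security/lockdown

# Print the active mode from lockdown text such as
# "none [integrity] confidentiality"; the kernel brackets the active mode.
active_lockdown() {
    case $1 in
        *\[*\]*) rest=${1#*\[}; printf '%s\n' "${rest%%\]*}" ;;
        *)       printf 'unknown\n' ;;
    esac
}

# Map a lockdown mode to a kexec-tools loader option.
#   -s  force kexec_file_load (the kernel verifies the image signature)
#   -a  try kexec_file_load first, fall back to the older kexec_load
kexec_loader_flag() {
    case $1 in
        none) printf '%s\n' '-a' ;;
        *)    printf '%s\n' '-s' ;;  # locked down or unknown: verified path only
    esac
}

# Build (but do not run) the load command for a kernel/initrd pair.
# $1=lockdown text  $2=kernel  $3=initrd  $4=kernel command line
kexec_load_command() {
    flag=$(kexec_loader_flag "$(active_lockdown "$1")")
    printf 'kexec %s -l %s --initrd=%s --append="%s"\n' "$flag" "$2" "$3" "$4"
}

# Use the live state when securityfs exposes it, else a constructed sample.
if [ -r "$LOCKDOWN_FILE" ]; then
    state=$(cat "$LOCKDOWN_FILE")
else
    state='none [integrity] confidentiality'   # constructed sample input
fi
kexec_load_command "$state" /mnt/iso/casper/vmlinuz /mnt/iso/casper/initrd 'boot=casper'
```

With `-s`, a kernel image whose signature the running kernel cannot verify is rejected at load time, so the script should check the exit status of the load step before calling `kexec -e`.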