Passing Kernel Params from systemd-boot for Secure Boot UKI #10635
Comments
Hi @yockgen, would UKI addons be something you are looking for? https://uapi-group.org/specifications/specs/unified_kernel_image/#pe-addons
Thanks @trungams, yes, a PE addon is one of the possible solutions. However, there is a rigid security requirement for my project: if the PE addon EFI could be copied and pasted to other UKIs on the device to overwrite the cmdline, and according to my understanding this is possible. What is your suggestion on this?
Hi @yockgen, sorry for the delayed reply. I just learned that Red Hat has been able to extend their UKI using UKI addons. Their approach is described in this blog: https://www.redhat.com/en/blog/extending-red-hat-unified-kernel-images-using-addons. You may already be aware of this. If not, I think it should work for your use case?
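As an added example (not code from the azurelinux project or from anyone in this thread), the following Python script reads the `.cmdline` section out of a UKI or a PE addon, which is how a build or release pipeline can audit which kernel parameters each signed image actually carries before it is deployed; the minimal PE it constructs is a hypothetical test fixture, not a real build artifact.

```python
"""Read the kernel command line embedded in a UKI or UKI addon (both are PE/COFF files).

Added example: a UKI stores its cmdline in a PE section named ".cmdline", and a
PE addon carries the extra cmdline in a section of the same name, so listing
that section shows what a given image would hand to the kernel.
"""
import struct
from typing import Dict, Optional


def pe_sections(data: bytes) -> Dict[str, bytes]:
    """Return {section_name: raw_bytes} for a PE/COFF image, validating offsets."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4                                          # COFF header (20 bytes)
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                               # section table start
    sections: Dict[str, bytes] = {}
    for i in range(n_sections):
        ent = table + 40 * i                                   # 40-byte section header
        name = data[ent:ent + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, rsize, rptr = struct.unpack_from("<IIII", data, ent + 8)
        size = min(vsize, rsize) if vsize else rsize           # ignore file padding
        if rptr + size > len(data):
            raise ValueError(f"section {name} points outside the file")
        sections[name] = data[rptr:rptr + size]
    return sections


def uki_cmdline(data: bytes) -> Optional[str]:
    """Kernel command line from the .cmdline section, or None if the image has none."""
    sec = pe_sections(data).get(".cmdline")
    return None if sec is None else sec.rstrip(b"\0").decode()


def build_minimal_pe(sections: Dict[str, bytes]) -> bytes:
    """Construct a hypothetical minimal PE with the given sections (test fixture only)."""
    pe_off, opt_size = 0x40, 0
    data_off = pe_off + 4 + 20 + opt_size + 40 * len(sections)
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0xAA64, len(sections), 0, 0, 0, opt_size, 0)
    body = bytearray()
    for name, content in sections.items():
        rptr = data_off + len(body)
        hdr += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(content), 0, len(content), rptr, 0, 0, 0, 0, 0)
        body += content
    return bytes(hdr) + bytes(body)
```

On a real system the same sections can be listed with systemd's `ukify inspect`; the point of doing it in the pipeline is to catch an addon or UKI whose `.cmdline` differs from what the build intended before it is signed.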
Thanks @thien Trung! I am aware of the addon and it works! Thanks again!
My Mariner OS is built with following features:
1. Unified Kernel Image (kernel+initrd+cmdline)
2. Systemd-boot as boot loader
3. Secure Boot enabled
4. Multi boot
The systemd-boot config files look like below.
With Secure Boot enabled, the /proc/cmdline is no longer overwritten by the systemd-boot configuration. The cmdline shows the params that were set at UKI build time.
Runtime logs as below:
I couldn't hardcode the 'yockgen' parameter during the build process, as its value depends on the runtime environment. This value needs to be assessed by a custom Dracut module during the initrd stage to mount specific devices.
What could be the possible solution for this?
Thanks a lot for any guidance!