Unified Kernel Images (UKI)

Linux

Published

February 15, 2024

Modified

February 15, 2024

Unified Kernel Images

UKI ¹ ² …Linux kernel + initrd + kernel command line

…packed as UEFI PE binary
…systemd-stub glued in front
…includes boot splash, DeviceTree image, OS information
…single file …self-contained …signed as a whole
…enumerable in ESP/XBOOTLDR boot menu implementation

Why use UKIs?

…fully-signed and fully-measured execution path for the system boot
…rollback protections …more simple and robust updates

Components used to boot UKI

flowchart LR
    A[EFI] --> B
    B[shim] --> C
    C[systemd-stub] --> D
    D[UKI]

`systemd-boot`

Not a bootloader …boot menu …chain loads other UEFI binaries

…configured by drop-in files …sorted by version
…list items in menu …boots latest
UEFI only…
- …implements UAPI bootloader specifications ³
- …can be signed by shim …can include UKI menu items
- …supports APIs to user-space (boot selection, etc)

bootctl …CLI to interact with systemd-boot:

…select & list menu entries
…update random seed and bootloader in ESP

`systemd-stub`

UEFI binary …invoked by UEFI firmware

…transitions into the payload Linux kernel
…runs first in UEFI mode …hands control to Linux kernel
…measures UKI components …reads credentials …system extensions
- …passed to kernel by on-the-fly generated initrd cpio archive
- …random seed management (always after boot)

Portable Executable (PE) …standard executable format in EFI environments:

Section	Description
`.linux`	ELF Linux kernel images
`.osrel`	OS release information
`.initrd`	init root file-system
`.cmdline`	Linux kernel command line

Built around TPM 2.0 functionality

…supports TPM measurement & signatures
…stores to PCR 11-13 ⁴ …signature embedded in UKI
…results in a reasonably safe unattended disk encryption
systemd-measure …generates PCR signatures

Footnotes

UKI, UAPI Group Specifications
https://uapi-group.org/specifications/specs/unified_kernel_image/↩︎
Brave New Trusted Boot World, 2022
https://0pointer.net/blog/brave-new-trusted-boot-world.html ↩︎
Boot Loader Specification, UAPI Group Specifications
https://uapi-group.org/specifications/specs/boot_loader_specification ↩︎
Linux TPM PCR Registry, UAPI Group Specifications
https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/↩︎

--- title: Unified Kernel Images (UKI) categories: - Linux date: 2024/02/15 date-modified: 2024/02/15 toc-expand: 3 --- # Unified Kernel Images UKI [^RaqwF] [^O2wbZ] ...Linux kernel + initrd + kernel command line - ...packed as UEFI PE binary - ...`systemd-stub` glued in front - ...includes boot splash, DeviceTree image, OS information - ...single file ...self-contained ...signed as a whole - ...enumerable in ESP/XBOOTLDR boot menu implementation [^RaqwF]: UKI, UAPI Group Specifications <https://uapi-group.org/specifications/specs/unified_kernel_image/> [^O2wbZ]: Brave New Trusted Boot World, 2022 <https://0pointer.net/blog/brave-new-trusted-boot-world.html> Why use UKIs? - …fully-signed and fully-measured execution path for the system boot - …rollback protections …more simple and robust updates Components used to boot UKI ```{mermaid} flowchart LR A[EFI] --> B B[shim] --> C C[systemd-stub] --> D D[UKI] ``` ## `systemd-boot` Not a bootloader …boot menu …chain loads other UEFI binaries - …configured by drop-in files …sorted by version - …list items in menu …boots latest - UEFI only… - …implements UAPI bootloader specifications [^0d0CN] - …can be signed by shim …can include UKI menu items - …supports APIs to user-space (boot selection, etc) [^0d0CN]: Boot Loader Specification, UAPI Group Specifications <https://uapi-group.org/specifications/specs/boot_loader_specification> `bootctl` …CLI to interact with `systemd-boot`: - …select & list menu entries - …update random seed and bootloader in ESP ## `systemd-stub` UEFI binary ...invoked by UEFI firmware - ...transitions into the payload Linux kernel - ...runs first in UEFI mode ...hands control to Linux kernel - ...measures UKI components ...reads credentials ...system extensions - ...passed to kernel by on-the-fly generated initrd cpio archive - ...random seed management (always after boot) Portable Executable (PE) …standard executable format in EFI environments: Section | Description --------|------------- `.linux`| ELF Linux kernel images `.osrel`| OS release information `.initrd`| init root file-system `.cmdline`| Linux kernel command line Built around TPM 2.0 functionality - ...supports TPM measurement & signatures - ...stores to PCR 11-13 [^5dBPN] ...signature embedded in UKI - ...results in a reasonably safe unattended disk encryption - `systemd-measure` ...generates PCR signatures [^5dBPN]: Linux TPM PCR Registry, UAPI Group Specifications <https://uapi-group.org/specifications/specs/linux_tpm_pcr_registry/>