Red Hat SummitChapter 9. Configuring RHEL on Public Cloud Platforms with UKI
To ensure that a Red Hat Enterprise Linux (RHEL) instance has a secured boot process from an untrusted storage such as confidential virtual machine (CVM) on a public cloud platform, use Unified Kernel Image (UKI).
9.1. Introduction to Unified Kernel Image
To extend the secure boot protection throughout the entire boot chain, use Unified Kernel Image (UKI).
- Components of UKI
Unified Kernel Image (UKI) is a Unified Extensible Firmware Interface (UEFI) Portable Executable (PE) binary for the UEFI firmware environment, which bundles the essential components of an operating system. UKI binary components extend the Secure Boot mechanism with
initramfsand the kernel command line.Initramfsis a part of the Linux startup process, while the kernel command line gives you limited access to define parameters. Components are as follows:-
The
.linuxsection stores the Linux kernel image. -
The
.initrdsection stores the initial RAM filesysteminitramfs. -
The
.cmdlinesection stores the kernel command line. -
Additional sections, such as
.sbat. - The Red Hat signature.
-
The
- Features of RHEL UKI with pre-built
initramfs - Prohibits any malicious agent or component to alter any objects in the boot chain.
-
Due to pre-built
initramfs, the user does not need to build its custominitramfs, which results in a faster kernel installation. -
Provides support for the pre-built
initramfssystems as it is similar in all installations such as virtual machine (VMs), containers, or cloud instances. -
Provides support for the
x86_64architecture. -
Includes the
kernel-uki-virtpackage. - Built for virtual machines and cloud instances.
- Limitation of UKI because of the reduced flexibility of the boot process
-
When building the UKI, the operating system vendor creates
initramfs. As a consequence, the listed and included kernel modules are static. You can use thesystemdsystem and configuration extensions to address this limitation. - The kernel command line parameters are static, which limits the use of parameters for different instance sizes or debugging options.
-
When building the UKI, the operating system vendor creates
You can use the UKI command line extensions to overcome this limitation.
9.2. Understanding the UKI secure boot process
To protect your system against unauthorized boot-time modifications, use the secure boot mechanism with Unified Kernel Image (UKI).
When using UKI with secure boot, the system verifies each component in the boot chain to ensure system integrity and prevent malicious code execution.
Procedure
- UEFI Firmware: The boot process starts from the Unified Extensible Firmware Interface (UEFI) firmware. For boot, Red Hat Enterprise Linux (RHEL) UKI requires UEFI firmware, because legacy basic input/output system (BIOS) firmware is not supported.
-
Shim boot loader: Use the
shimboot loader for booting rather than directly booting the UKI from the UEFI firmware.shimincludes additional security mechanisms such as Machine Owner Key (MOK) and Secure Boot Advanced Targeting (SBAT). -
Signature verification (Secure Boot UEFI mechanism): During boot,
shimreads the UKI binary and the secure boot UEFI mechanism verifies the signature of UKI against trusted keys stored in the Secure Boot Allowed Signature Database (db) of the system, theMOKdatabase, and the built-in database of theshimbinary. If the signature key is valid, the verification passes. SBAT verification: Immediately after signature verification, the
shimboot loader verifies the SBAT rules at startup.During SBAT verification, the system compares generation numbers, for components such as
systemd.rhelorlinux.rhel, embedded in the UKI by using the.sbatsection against values in theshimboot loader. If the generation number for a component in theshimis higher than the generation number in the UKI, the binary gets automatically discarded, even if it was signed by a trusted key.Note that the generation number is a version identifier for UEFI applications, such as
shimandgrub.-
Unpacking and Execution: If verification passes, control passes from
shimto thesystemd-stubcode in the UKI to continue the boot process. systemd-stub add-ons: During execution,
systemd-stubunpacks and extracts the contents of the.cmdlinesection, the plain text kernel command line, and the.initrdsection, the temporary root file system, for the boot process.Note that
systemd-stubreads UKI add-ons and verifies their signatures to safely extend the kernel command line of UKI by appending the.cmdlinecontent from add-ons.systemd-stubreads add-ons from two locations:-
Global (UKI-independent) add-ons from the
/loader/addons/directory on the Extensible Firmware Interface (EFI) System Partition (ESP). -
Per-UKI add-ons from the
/EFI/Linux/<UKI-name>.extra.d/directory on the ESP.
-
Global (UKI-independent) add-ons from the
Control passes from
systemd-stubto the Linux kernel and the operating system boot process continues.From this point, secure boot with UKI mechanisms follows the standard kernel boot process.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}