Red Hat SummitChapter 7. Managing kernel command-line parameters with UKI
Unified Kernel Image (UKI) combines the kernel, initial RAM disk (initrd), and boot command line into a single executable binary.
7.1. Understanding kernel command-line parameters with UKI
With UKI, systemd-boot, specifically systemd-stub, handles the kernel command-line parameters. The UKI delivered by Red Hat includes the basic kernel command-line parameter console=tty0 console=ttyS0.
You can add additional kernel command-line parameters by using UKI add-ons. Alternatively, you can generate your own UKI to contain any arguments you require.
Secure Boot revokes improperly signed UKIs and add-ons. These signatures can also alter PCR measurements of TPM which can potentially affect boot sequence.
7.2. Understanding boot entries
You manage boot entries directly in UEFI NVRAM. This means they are no longer stored on disk. You can use tools such as kernel-bootcfg or efibootmgr to alter boot entries directly.
The following is an example of a boot entry:
Boot0001* redhat HD(1,GPT,9192a707-8768-4c9f-bb11-fdd7c7e307e7,0x800,0x100000)/\EFI\redhat\shimx64.efi\EFI\Linux\ffffffffffffffffffffffffffffffff-6.12.0-174.el10.x86_64.efi7.3. Acquire UKI add-ons to add kernel command-line parameters
To add kernel command-line parameters, you can acquire officially signed add-ons delivered by Red Hat in the kernel-uki-virt-addons packages. These add-ons are signed by the same certificates as their associated UKIs. The default installation path is /lib/modules/$(uname -r)/vmlinuz-virt.efi.extra.d/.
You must copy these add-ons to the appropriate locations for them to take effect.
If you need add-ons other than these or prefer signing them on your own, you can create them with tools such as systemd-ukify or dracut.
Procedure
Create a new add-on:
# ukify build --cmdline "emergency" --output emergency.unsigned.addon.efi
7.4. Changing kernel command-line parameters for all boot entries
To change kernel command-line parameters for all boot entries, add the UKI add-ons to the global add-ons directory /boot/efi/loader/addons/.
Prerequisites
- You have root permissions on the system.
-
You have
.addon.efifile.
Procedure
Copy the add-on file to the
/boot/efi/loader/addons/directory:# cp <my-addon>.addon.efi /boot/efi/loader/addons/Reboot the system:
# reboot
Verification
Verify the new parameter depends on the type of the added add-on. For example, check the kernel command line:
# cat /proc/cmdline
7.5. Changing kernel command-line parameters for a single UKI
To change kernel command-line parameters for a single UKI, manage the add-ons on a per-UKI basis. The revocation mechanism applies to UKI and its associated add-ons locally.
By default, UKIs are located at the following path:
/boot/efi/EFI/Linux/<machine_id>-<kernel_version>.efi
The effective add-ons designated to this UKI are located at the following path:
/boot/efi/EFI/Linux/<machine_id>-<kernel_version>.efi.extra.d/
Prerequisites
- You have root permissions on the system.
-
You have
.addon.efifile.
Procedure
Identify the running kernel version and machine ID:
# uname -r # cat /etc/machine-idCopy the add-on file to the specific directory associated with the UKI:
# cp <my-addon>.addon.efi /boot/efi/EFI/Linux/<machine_id>-<kernel_version>.efi.extra.d/Reboot the system:
# reboot
Verification
Verify the new parameter depends on the type of the added add-on. For example, check the kernel command line:
# cat /proc/cmdline
When you update the kernel-uki-virt package, the system installs a new UKI version. The update also copies the currently effective add-ons to the directory for the new UKI, provided that the kernel-uki-virt-addons package is installed at the same time. This happens automatically, for example, when you run dnf update.
7.6. Creating UKI to contain customized kernel command-line parameters
To customize the Linux kernel, initial RAM disk, or initrd, and kernel command-line parameters, you can create your own UKI by using tools such as systemd-ukify or dracut.
Procedure
For example, to create a custom UKI by using
systemd-ukify:# ukify build --initrd /boot/initramfs-$(uname -r).img --linux /lib/modules/$(uname -r)/vmlinuz --uname $(uname -r) --cmdline "console=tty0 console=ttyS0 emergency" --output uki.unsigned.efi
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}