Fedora 40 Prepares for Second Stage of Unified Kernel Image Implementation

Fedora Linux 40 to Implement Modernized Boot Process

The Fedora Linux 40 release is planned to implement the modernized boot process proposed by Lennart Poettering. The proposal aims to keep the differences from the classical boot process small: instead of the initrd image generated on the local system during package installation, it uses a Unified Kernel Image (UKI) that is generated in the distribution infrastructure and signed with the distribution's digital signature. The proposal has not yet been considered by the Fedora Engineering Steering Committee (FESCo).

A UKI combines, in a single image, a handler for booting the kernel from UEFI (the UEFI boot stub), the Linux kernel image, and the initrd system environment that is loaded into memory. Because the whole image is signed, both the kernel and the initrd contents can be verified for integrity and authenticity. This is particularly important because the keys used to decrypt the root filesystem are retrieved in the initrd environment.
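The layout described above can be checked on a built image by reading its PE section table and confirming that the kernel and the initrd are both embedded in the one file. This is an added example, not Fedora's or systemd's tooling; the section names `.linux` and `.initrd` are taken from the UKI specification rather than from this page, and `build_sample` constructs a stand-in image so the check runs offline.

```python
import struct

# Section names from the UKI specification (assumption: not stated on this page).
REQUIRED = {".linux", ".initrd"}

def pe_sections(data: bytes) -> dict:
    """Return {section name: (file offset, raw size)} for a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or pe_off + 24 > len(data):
        raise ValueError("not a PE image: missing PE signature")
    # COFF header follows the signature: section count at +6, optional header size at +20.
    (count,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size
    sections = {}
    for i in range(count):
        entry = table + 40 * i          # each section header is 40 bytes
        if entry + 40 > len(data):
            raise ValueError("truncated section table")
        name = data[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", data, entry + 16)
        if raw_off + raw_size > len(data):
            raise ValueError(f"section {name} extends past end of file")
        sections[name] = (raw_off, raw_size)
    return sections

def missing_uki_sections(data: bytes) -> set:
    """UKI sections absent from the image (empty set: kernel and initrd are embedded)."""
    return REQUIRED - set(pe_sections(data))

def build_sample(names) -> bytes:
    """Constructed stand-in image: PE headers plus a small payload per section."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0)
    body_off = pe_off + len(coff) + 40 * len(names)
    table, payload = b"", b""
    for n in names:
        blob = b"constructed-" + n.encode()
        table += n.encode().ljust(8, b"\0") + struct.pack(
            "<IIII", len(blob), 0, len(blob), body_off + len(payload)) + b"\0" * 16
        payload += blob
    return dos + coff + table + payload

if __name__ == "__main__":
    for label, names in (("uki", [".osrel", ".linux", ".initrd"]), ("plain", [".text"])):
        print(label, "missing:", sorted(missing_uki_sections(build_sample(names))))
```

The check only confirms that the components are packaged together; verifying the signature over the image is a separate step.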

Fedora Linux 38 completed the first stage of UKI implementation: adding UKI support to the bootloader, implementing the tooling for installing and updating UKIs, and creating an experimental UKI image for booting virtual machines with a limited set of components and drivers.

In the second stage, Fedora Linux plans to add the ability to boot a UKI directly from the shim.efi UEFI module, without a separate bootloader. It also aims to enable UKIs on the AArch64 architecture and to prepare a UKI image variant for cloud environments and protected virtual machines.
