Bug 922502

Summary:	sys-kernel/gentoo-kernel + sys-kernel/installkernel[systemd] result in unbootable UKI on arm64
Product:	Gentoo Linux	Reporter:	Michael Jones <gentoo>
Component:	Current packages	Assignee:	Distribution Kernel Project <dist-kernel>
Status:	RESOLVED CANTFIX
Severity:	normal	CC:	gentoo, nowa
Priority:	Normal
Version:	unspecified
Hardware:	ARM64
OS:	Linux
See Also:	https://bugs.gentoo.org/show_bug.cgi?id=897684
Whiteboard:
Package list:		Runtime testing required:	---

Description Michael Jones 2024-01-19 15:30:27 UTC

I'm trying to use the `installkernel` ebuild to generate a UKI for an aarch64 virtual machine.

The VM is using virt-manager and qemu/kvm, nothing complicated just all default options in the setup wizard other than using uefi.

The uefi implementation is able to load the systemd-boot efi stub bootloader without issue, and systemd-boot tries to load the kernel with an error like "Bad kernel image, load error".

Watching the generation of the uki with `emerge --config gentoo-kernel` i see that it's picking up /usr/src/linux-6.1.69-gentoo-dist/arch/arm64/boot/Image.gz as the kernel image, but this bug report from systemd implies that compressed kernels are not supported on aarch64 by neither the kernel nor systemd https://github.com/systemd/systemd/issues/23788

Inspecting /usr/src/linux-6.1.69-gentoo-dist/arch/arm64/boot/ shows that there isn't an uncompressed kernel (e.g. vmlinuz or similar) just the Image.gz that the installkernel[systemd] program picked up.


I'm not sure where the bug is. It could be in my own configuration files. I tried to follow https://wiki.gentoo.org/wiki/Unified_kernel_image as best I could. It could also be that the kernel for aarch64 needs to produce an uncompressed kernel, either by default, or with a config option added to /etc/kernel/, or maybe something is wrong with installkernel[systemd].







Reproducible: Always







The image is built with this build script: https://github.com/GenPi64/Build.Dist/blob/master/config/pyconfig/GenPi64OsuoslConfig.py , the equivalent for x86_64 works fine, it's only aarch64 that isn't booting.


i have versions:

sys-kernel/gentoo-kernel: 6.1.69

sys-kernel/installkernel[systemd]: 16

sys-kernel/dracut: 060_pre20240104

sys-apps/systemd: 255.2-r2


emerge --info:

Portage 3.0.61 (python 3.11.7-final-0, default/linux/arm64/17.0/systemd/merged-usr, gcc-13, glibc-2.38-r9, 6.6.5-gentoo aarch64)
=================================================================
System uname: Linux-6.6.5-gentoo-aarch64-with-glibc2.38
KiB Mem:   131013460 total,  16064016 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Fri, 19 Jan 2024 01:33:19 +0000
Head commit of repository gentoo: 53bb5488137fb420ace22bd3333ab712614f006c

sh bash 5.1_p16-r6
ld GNU ld (Gentoo 2.41 p2) 2.41.0
app-misc/pax-utils:        1.3.7::gentoo
app-shells/bash:           5.1_p16-r6::gentoo
dev-build/autoconf:        2.71-r6::gentoo
dev-build/automake:        1.16.5-r1::gentoo
dev-build/cmake:           3.27.9::gentoo
dev-build/libtool:         2.4.7-r1::gentoo
dev-build/make:            4.4.1-r1::gentoo
dev-build/meson:           1.3.0-r2::gentoo
dev-lang/perl:             5.38.2-r1::gentoo
dev-lang/python:           3.11.7::gentoo, 3.12.1_p1::gentoo
dev-lang/rust-bin:         1.74.1::gentoo
sys-apps/baselayout:       2.14-r1::gentoo
sys-apps/sandbox:          2.38::gentoo
sys-apps/systemd:          255.2-r2::gentoo
sys-devel/binutils:        2.41-r2::gentoo
sys-devel/binutils-config: 5.5::gentoo
sys-devel/gcc:             13.2.1_p20230826::gentoo
sys-devel/gcc-config:      2.11::gentoo
sys-kernel/linux-headers:  6.1::gentoo (virtual/os-headers)
sys-libs/glibc:            2.38-r9::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo
    priority: -1000
    volatile: False
    sync-git-verify-commit-signature: true

Binary Repositories:

gentoobinhost
    priority: 1
    sync-uri: https://gentoo.osuosl.org/releases/arm64/binpackages/17.0/arm64

ACCEPT_KEYWORDS="arm64"
ACCEPT_LICENSE="@FREE"
CBUILD="aarch64-unknown-linux-gnu"
CFLAGS="-O2 -ftree-vectorize -O2 -pipe"
CHOST="aarch64-unknown-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d"
CXXFLAGS="-O2 -ftree-vectorize -O2 -pipe"
DISTDIR="/var/cache/distfiles"
EMERGE_DEFAULT_OPTS="--jobs --newrepo --newuse --changed-use --changed-deps --changed-slot --deep --tree --unordered-display --nospinner --backtrack=3000 --complete-graph --with-bdeps=y --rebuild-if-new-rev --rebuild-if-new-ver --rebuild-if-unbuilt --rebuilt-binaries --binpkg-respect-use=y --binpkg-changed-deps=y --usepkg=y --buildpkg-exclude='virtual/*' --buildpkg-exclude='sys-kernel/*-sources' --buildpkg-exclude='*/*-bin' --buildpkg-exclude='acct-user/*' --buildpkg-exclude='acct-group/*' --buildpkg-exclude='dev-perl/*' --usepkg-exclude='virtual/*' --usepkg-exclude='sys-kernel/*-sources' --usepkg-exclude='*/*-bin' --usepkg-exclude='acct-user/*' --usepkg-exclude='acct-group/*' --usepkg-exclude='dev-perl/*' --usepkg-exclude='sys-apps/systemd'"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GDK_PIXBUF_MODULE_FILE GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR XDG_STATE_HOME"
FCFLAGS="-O2 -ftree-vectorize -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs binpkg-multi-instance buildpkg buildpkg-live ccache clean-logs compress-build-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict news parallel-fetch parallel-install pkgdir-index-trusted preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch usersync xattr"
FFLAGS="-O2 -ftree-vectorize -O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="C.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LEX="flex"
MAKEOPTS="-j4 -l4"
PKGDIR="/var/cache/binpkgs"
PORTAGE_COMPRESS="zstd"
PORTAGE_COMPRESS_FLAGS="-15"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl arm64 bindist boot bzip2 cli crypt dri fortran gdbm gnuefi iconv ipv6 kernel-install libtirpc ncurses nls openmp pam pcre readline seccomp ssl systemd test-rust udev unicode xattr zlib" ADA_TARGET="gnat_2021" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_anon authn_dbm authn_file authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_ARM="edsp v8 vfp vfp-d32 vfpv3 vfpv4" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 ntrip navcom oceanserver oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 tsip tripmate tnt ublox" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz glk hd44780 lb216 lcdm001 mtxorb text" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php8-1" POSTGRES_TARGETS="postgres15" PYTHON_SINGLE_TARGET="python3_11" PYTHON_TARGETS="python3_11" RUBY_TARGETS="ruby31" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipp2p iface geoip fuzzy condition tarpit sysrq proto logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, INSTALL_MASK, LC_ALL, LD, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS, PYTHONPATH, RANLIB, READELF, RUSTFLAGS, SHELL, SIZE, STRINGS, STRIP, YACC, YFLAGS

Comment 1 Michael Jones 2024-01-19 15:31:22 UTC

I can provide a copy of the virtual machine's disk image on request, it's built with a script so it has no personal configuration or data.

Comment 2 Nowa Ammerlaan gentoo-dev

2024-01-19 16:26:51 UTC

Is the UKI being generated with dracut or with ukify?

I suspect the issue is that the krnel version you are using does not have CONFIG_EFI_ZBOOT. If this option is set the built kernel image will be vmlinuz.efi instead of Image.gz. Could you retry with the 6.6 series? These version have this config option enabled by default.

Comment 3 Michael Jones 2024-01-19 16:57:23 UTC

(In reply to Andrew Ammerlaan from comment #2)
> Is the UKI being generated with dracut or with ukify?

dracut.



> I suspect the issue is that the krnel version you are using does not have
> CONFIG_EFI_ZBOOT. If this option is set the built kernel image will be
> vmlinuz.efi instead of Image.gz. Could you retry with the 6.6 series? These
> version have this config option enabled by default.


Ok, i will try that, thank you.

Comment 4 Michael Jones 2024-01-20 01:04:54 UTC

Sadly that didn't seem to be the trick to it.

Here's emerge --config gentoo-kernel with a 6.6 kernel.


emerge --config gentoo-kernel


Configuring pkg...

Warning: ccache requested but no masquerade dir can be found in /usr/lib*/ccache/bin
 * Your boot partition was detected as being mounted at /boot.
 * Files will be installed there for gentoo-kernel to function correctly.
 * Installing the kernel via installkernel ...
Loading /etc/kernel/install.conf…
layout=uki set via /etc/kernel/install.conf
INITRD_GENERATOR (dracut) set via /etc/kernel/install.conf.
UKI_GENERATOR (dracut) set via /etc/kernel/install.conf.
Loaded /etc/kernel/install.conf.
MACHINE_ID=b45911259b79b01e08fe894a65a15cfa set via /etc/machine-id.
Found container virtualization systemd-nspawn.
Using XBOOTLDR partition at /boot as $BOOT_ROOT.
Using entry token: b45911259b79b01e08fe894a65a15cfa
kernel version (6.6.12-gentoo-dist) set via command line.
kernel image file (/usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz) set via command line.
File lacks MZ executable header.
Using ENTRY_DIR=/boot/b45911259b79b01e08fe894a65a15cfa/6.6.12-gentoo-dist
Using plugins:
  /usr/lib/kernel/install.d/00-00machineid-directory.install
  /usr/lib/kernel/install.d/10-copy-prebuilt.install
  /usr/lib/kernel/install.d/50-depmod.install
  /usr/lib/kernel/install.d/50-dracut.install
  /usr/lib/kernel/install.d/51-dracut-rescue.install
  /usr/lib/kernel/install.d/90-loaderentry.install
  /usr/lib/kernel/install.d/90-uki-copy.install
Plugin environment:
  LC_COLLATE=C.UTF-8
  KERNEL_INSTALL_VERBOSE=1
  KERNEL_INSTALL_IMAGE_TYPE=unknown
  KERNEL_INSTALL_MACHINE_ID=b45911259b79b01e08fe894a65a15cfa
  KERNEL_INSTALL_ENTRY_TOKEN=b45911259b79b01e08fe894a65a15cfa
  KERNEL_INSTALL_BOOT_ROOT=/boot
  KERNEL_INSTALL_LAYOUT=uki
  KERNEL_INSTALL_INITRD_GENERATOR=dracut
  KERNEL_INSTALL_UKI_GENERATOR=dracut
  KERNEL_INSTALL_STAGING_AREA=/tmp/kernel-install.staging.AAr5Ic
Plugin arguments: add 6.6.12-gentoo-dist /boot/b45911259b79b01e08fe894a65a15cfa/6.6.12-gentoo-dist /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz
Successfully forked off '(sd-exec-strv)' as PID 125.
PR_SET_MM_ARG_START failed, attempting PR_SET_MM_ARG_END hack: Invalid argument
PR_SET_MM_ARG_END hack failed, proceeding without: Invalid argument
About to execute /usr/lib/kernel/install.d/00-00machineid-directory.install add 6.6.12-gentoo-dist /boot/b45911259b79b01e08fe894a65a15cfa/6.6.12-gentoo-dist /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz
Successfully forked off '(direxec)' as PID 127.
/usr/lib/kernel/install.d/00-00machineid-directory.install succeeded.
About to execute /usr/lib/kernel/install.d/10-copy-prebuilt.install add 6.6.12-gentoo-dist /boot/b45911259b79b01e08fe894a65a15cfa/6.6.12-gentoo-dist /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz
Successfully forked off '(direxec)' as PID 131.
/usr/lib/kernel/install.d/10-copy-prebuilt.install succeeded.
About to execute /usr/lib/kernel/install.d/50-depmod.install add 6.6.12-gentoo-dist /boot/b45911259b79b01e08fe894a65a15cfa/6.6.12-gentoo-dist /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz
Successfully forked off '(direxec)' as PID 138.
+depmod -a 6.6.12-gentoo-dist
/usr/lib/kernel/install.d/50-depmod.install succeeded.
About to execute /usr/lib/kernel/install.d/50-dracut.install add 6.6.12-gentoo-dist /boot/b45911259b79b01e08fe894a65a15cfa/6.6.12-gentoo-dist /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz
Successfully forked off '(direxec)' as PID 142.
dracut[I]: Executing: /usr/bin/dracut -f --noimageifnotneeded --verbose --kernel-image /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz --uefi --kver 6.6.12-gentoo-dist /tmp/kernel-install.staging.AAr5Ic/uki.efi
dracut[I]: Module 'dash' will not be installed, because command 'dash' could not be found!
dracut[I]: Module 'mksh' will not be installed, because command 'mksh' could not be found!
dracut[I]: Module 'systemd-integritysetup' will not be installed, because command '/usr/lib/systemd/systemd-integritysetup' could not be found!
dracut[I]: Module 'systemd-integritysetup' will not be installed, because command '/usr/lib/systemd/system-generators/systemd-integritysetup-generator' could not be found!
dracut[I]: Module 'systemd-pcrphase' will not be installed, because command '/usr/lib/systemd/systemd-pcrphase' could not be found!
dracut[I]: Module 'systemd-pcrphase' will not be installed, because command '/usr/lib/systemd/systemd-pcrextend' could not be found!
dracut[I]: Module 'systemd-veritysetup' will not be installed, because command '/usr/lib/systemd/systemd-veritysetup' could not be found!
dracut[I]: Module 'systemd-veritysetup' will not be installed, because command '/usr/lib/systemd/system-generators/systemd-veritysetup-generator' could not be found!
dracut[I]: Module 'modsign' will not be installed, because command 'keyctl' could not be found!
dracut[I]: Module 'busybox' will not be installed, because command 'busybox' could not be found!
dracut[I]: Module 'dbus-broker' will not be installed, because command 'dbus-broker' could not be found!
dracut[I]: Module 'rngd' will not be installed, because command 'rngd' could not be found!
dracut[I]: Module 'connman' will not be installed, because command 'connmand' could not be found!
dracut[I]: Module 'connman' will not be installed, because command 'connmanctl' could not be found!
dracut[I]: Module 'connman' will not be installed, because command 'connmand-wait-online' could not be found!
dracut[I]: Module 'network-legacy' will not be installed, because command 'dhclient' could not be found!
dracut[I]: Module 'network-manager' will not be installed, because command 'NetworkManager' could not be found!
dracut[I]: 62bluetooth: Could not find any command of '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'!
dracut[I]: Module 'lvmmerge' will not be installed, because command 'lvm' could not be found!
dracut[I]: Module 'lvmthinpool-monitor' will not be installed, because command 'lvm' could not be found!
dracut[I]: Module 'btrfs' will not be installed, because command 'btrfs' could not be found!
dracut[I]: 90crypt: Could not find any command of '/usr/lib/systemd/systemd-cryptsetup cryptsetup'!
dracut[I]: Module 'dm' will not be installed, because command 'dmsetup' could not be found!
dracut[I]: Module 'dmraid' will not be installed, because command 'dmraid' could not be found!
dracut[I]: Module 'dmsquash-live-ntfs' will not be installed, because command 'ntfs-3g' could not be found!
dracut[I]: Module 'lvm' will not be installed, because command 'lvm' could not be found!
dracut[I]: Module 'mdraid' will not be installed, because command 'mdadm' could not be found!
dracut[I]: Module 'multipath' will not be installed, because command 'multipath' could not be found!
dracut[I]: Module 'pcsc' will not be installed, because command 'pcscd' could not be found!
dracut[I]: Module 'tpm2-tss' will not be installed, because command 'tpm2' could not be found!
dracut[I]: Module 'cifs' will not be installed, because command 'mount.cifs' could not be found!
dracut[I]: Module 'fcoe' will not be installed, because command 'dcbtool' could not be found!
dracut[I]: Module 'fcoe' will not be installed, because command 'fipvlan' could not be found!
dracut[I]: Module 'fcoe' will not be installed, because command 'lldpad' could not be found!
dracut[I]: Module 'fcoe' will not be installed, because command 'fcoemon' could not be found!
dracut[I]: Module 'fcoe' will not be installed, because command 'fcoeadm' could not be found!
dracut[I]: Module 'fcoe-uefi' will not be installed, because command 'dcbtool' could not be found!
dracut[I]: Module 'fcoe-uefi' will not be installed, because command 'fipvlan' could not be found!
dracut[I]: Module 'fcoe-uefi' will not be installed, because command 'lldpad' could not be found!
dracut[I]: Module 'iscsi' will not be installed, because command 'iscsi-iname' could not be found!
dracut[I]: Module 'iscsi' will not be installed, because command 'iscsiadm' could not be found!
dracut[I]: Module 'iscsi' will not be installed, because command 'iscsid' could not be found!
dracut[I]: Module 'nbd' will not be installed, because command 'nbd-client' could not be found!
dracut[I]: 95nfs: Could not find any command of 'rpcbind portmap'!
dracut[I]: Module 'nvmf' will not be installed, because command 'nvme' could not be found!
dracut[I]: Module 'nvmf' will not be installed, because command 'jq' could not be found!
dracut[I]: Module 'biosdevname' will not be installed, because command 'biosdevname' could not be found!
dracut[I]: Module 'memstrack' will not be installed, because command 'memstrack' could not be found!
dracut[I]: memstrack is not available
dracut[I]: If you need to use rd.memdebug>=4, please install memstrack and procps-ng
dracut[I]: Module 'squash' will not be installed, because command 'mksquashfs' could not be found!
dracut[I]: Module 'squash' will not be installed, because command 'unsquashfs' could not be found!
dracut[I]: *** Including module: systemd ***
dracut[I]: *** Including module: systemd-initrd ***
dracut[I]: *** Including module: systemd-journald ***
dracut[I]: *** Including module: systemd-pstore ***
dracut[I]: *** Including module: systemd-repart ***
dracut[I]: *** Including module: systemd-sysusers ***
dracut[I]: *** Including module: systemd-tmpfiles ***
dracut[I]: *** Including module: systemd-udevd ***
dracut[I]: *** Including module: i18n ***
dracut[I]: *** Including module: kernel-modules ***
dracut[I]: *** Including module: kernel-modules-extra ***
dracut[D]:   kernel-modules-extra: configuration source "/run/depmod.d" does not exist
dracut[D]:   kernel-modules-extra: configuration source "/etc/depmod.d" does not exist
dracut[D]:   kernel-modules-extra: configuration source "/lib/depmod.d" does not exist
dracut[I]: *** Including module: nvdimm ***
dracut[I]: *** Including module: qemu ***
dracut[I]: *** Including module: qemu-net ***
dracut[I]: *** Including module: lunmask ***
dracut[I]: *** Including module: resume ***
dracut[I]: *** Including module: rootfs-block ***
dracut[I]: *** Including module: terminfo ***
dracut[I]: *** Including module: udev-rules ***
dracut[I]: *** Including module: virtiofs ***
dracut[I]: *** Including module: dracut-systemd ***
dracut[I]: *** Including module: usrmount ***
dracut[I]: *** Including module: base ***
dracut[I]: *** Including module: fs-lib ***
dracut[I]: *** Including module: shutdown ***
dracut[I]: *** Including modules done ***
dracut[I]: *** Installing kernel module dependencies ***
dracut[I]: *** Installing kernel module dependencies done ***
dracut[I]: *** Resolving executable dependencies ***
dracut[I]: *** Resolving executable dependencies done ***
dracut[I]: *** Hardlinking files ***
dracut[D]: Mode:                     real
dracut[D]: Method:                   sha256
dracut[D]: Files:                    2493
dracut[D]: Linked:                   4 files
dracut[D]: Compared:                 0 xattrs
dracut[D]: Compared:                 404 files
dracut[D]: Saved:                    6.9 KiB
dracut[D]: Duration:                 0.021532 seconds
dracut[I]: *** Hardlinking files done ***
dracut[I]: *** Generating early-microcode cpio image ***
dracut[I]: *** Store current command line parameters ***
dracut[I]: *** Stripping files ***
dracut[I]: *** Stripping files done ***
dracut[I]: *** Creating image file '/tmp/kernel-install.staging.AAr5Ic/uki.efi' ***
dracut[I]: Using auto-determined compression method 'gzip'

Comment 5 Michael Jones 2024-01-20 01:05:43 UTC

The error message in the uefi bootloader looks to be roughly the same.

Comment 6 Nowa Ammerlaan gentoo-dev

2024-01-20 08:24:23 UTC

Right, that is my mistake, I forgot we only enable CONFIG_EFI_ZBOOT if USE=secureboot is enabled. The kernel image file is still in the Image.gz format:

> kernel image file (/usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz) 

Could you try enabling USE+secureboot or overriding CONFIG_EFI_ZBOOT=y via /etc/kernel/config,d? You should see the name of the kernel image change to vmlinuz.efi.

Alternatively, for a quick test you can try gentoo-kernel-bin, those images are built with USE=secureboot enabled.

If it still does not work you could try generating the UKI with ukify instead of dracut, I haven't looked into the details but as I understand it ukify generates a slightly different UKI.

Comment 7 Michael Jones 2024-01-21 00:59:17 UTC

(In reply to Andrew Ammerlaan from comment #6)
> Right, that is my mistake, I forgot we only enable CONFIG_EFI_ZBOOT if
> USE=secureboot is enabled. The kernel image file is still in the Image.gz
> format:
> 
> > kernel image file (/usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot/Image.gz) 
> 
> Could you try enabling USE+secureboot or overriding CONFIG_EFI_ZBOOT=y via
> /etc/kernel/config,d? You should see the name of the kernel image change to
> vmlinuz.efi.
> 
> Alternatively, for a quick test you can try gentoo-kernel-bin, those images
> are built with USE=secureboot enabled.
> 
> If it still does not work you could try generating the UKI with ukify
> instead of dracut, I haven't looked into the details but as I understand it
> ukify generates a slightly different UKI.

I dropped a new config file /etc/kernel/config.d/EFI_ZBOOT.config with contents
```
CONFIG_EFI_ZBOOT=n
```

e.g.

drive /usr/src/linux-6.6.12-gentoo-dist # cat /etc/kernel/config.d/EFI_ZBOOT.config
CONFIG_EFI_ZBOOT=n



and then

emerge -C gentoo-kernel
emerge gentoo-kernel

I checked the resulting .config file

drive /usr/src/linux-6.6.12-gentoo-dist # grep EFI_ZBOOT -r .config
# CONFIG_EFI_ZBOOT is not set


but it looks like it still is producing the Image.gz

drive /usr/src/linux-6.6.12-gentoo-dist/arch/arm64/boot # ls
Image.gz  Makefile  dts




Did I perhaps have something wrong with my EFI_ZBOOT.config file?

Comment 8 Michael Jones 2024-01-21 02:14:54 UTC

Ah i tried with secureboot and signed-modules, but don't have a signing key, so it failed out.

Comment 9 Nowa Ammerlaan gentoo-dev

2024-01-21 06:30:33 UTC

It should be =y instead of =n. We need to *enable* this option so the kernel builds its own decompressor (zboot) and the (stub) bootloader is no longer responsible for decompressing the kernel image.

Comment 10 Michael Jones 2024-01-22 01:45:47 UTC

Ah, ok, thanks for the correction.

Changing to =y allowed me to boot with the resulting UKI.

Will this only work on 6.6? or will the stable 6.1 work with this config option?

Comment 11 Nowa Ammerlaan gentoo-dev

2024-01-22 08:51:07 UTC

(In reply to Michael Jones from comment #10)
> Ah, ok, thanks for the correction.
> 
> Changing to =y allowed me to boot with the resulting UKI.

Great!
 
> Will this only work on 6.6? or will the stable 6.1 work with this config
> option?

This config option was added in 6.1 so it should work, though we have only tried this in I think 6.3 and up. That being said, 6.6 is stable now.

Closing this, I think there's nothing we can do here other then document this requirement on the wiki (which I will do now).