RFE: Add support for direct UKI boot

[Conan-Kudo]

Problem description

As part of the effort to support UKIs in Fedora Cloud, we need to be able to create images that either generate UKIs or use pre-generated UKIs to boot the system (UEFI->shim->UKI or UEFI->UKI).

I suspect the way to solve this would be to add a uki "bootloader" which would force UEFI only mode and do the minimal effort required to configure the image to boot. We'd want to detect if there's already a UKI built as /boot/efi/EFI/*/vmlinuz-$(uname -r).efi to use or /lib/modules/$(uname -r)/*.efi to copy and install. If one doesn't exist, we should use dracut --uefi to generate one.

An example of a dracut --uefi call (ripped from the Fedora kernel package that produces kernel-virt-uki):

dracut --conf=/path/to/dracut/uki-config.conf \
       --confdir="$(mktemp -d)" \
       --verbose \
       --kver "$(uname -r)" \
       --kmoddir "/lib/modules/$(uname -r)/" \
       --logfile="$(mktemp)" \
       --uefi \
       --kernel-image "/lib/modules/$(uname -r)/vmlinuz" \
       --kernel-cmdline 'console=tty0 console=ttyS0' \
       "/boot/efi/EFI/Linux/vmlinuz-$(uname -r).efi"

Sample dracut uki config:

# generic + compressed please
hostonly="no"
compress="xz"

# VMs can't update microcode anyway
early_microcode="no"

# modules: basics
dracutmodules+=" base systemd systemd-initrd dracut-systemd dbus dbus-broker usrmount shutdown "

# modules: storage support
dracutmodules+=" dm lvm rootfs-block fs-lib "

# modules: tpm and crypto
dracutmodules+=" crypt crypt-loop tpm2-tss "

# drivers: virtual buses, pci
drivers+=" virtio-pci virtio-mmio "      # qemu-kvm
drivers+=" hv-vmbus pci-hyperv "         # hyperv
drivers+=" xen-pcifront "                # xen

# drivers: storage
drivers+=" ahci nvme sd_mod sr_mod "     # generic
drivers+=" virtio-blk virtio-scsi "      # qemu-kvm
drivers+=" hv-storvsc "                  # hyperv
drivers+=" xen-blkfront "                # xen

# root encryption
drivers+=" dm_crypt "

# filesystems
filesystems+=" vfat btrfs ext4 xfs overlay "

# systemd-pcrphase
install_items+=" /lib/systemd/system/systemd-pcrphase-initrd.service /usr/lib/systemd/systemd-pcrphase /usr/lib/systemd/system/initrd.target.wants/systemd-pcrphase-initrd.service "

Unlike with the shim+grub situation, we will want a way to force generating UKIs because a different cmdline or module bundle may be desired, since there's no way to pass kernel cmdlines from UEFI to boot the OS.

OS and Software information

• KIWI version: 9.25.16
• Operating system host version: Fedora Linux 40
• Operating system target version: Fedora Linux 40
• Open Build Service version (N/A if not using OBS): N/A
• Koji version (N/A if not using Koji): 1.33.1

[Conan-Kudo]

cc: @davide125, @davdunc, @DaanDeMeyer, @kraxel

[kraxel]

I don't think kiwi should generate UKIs. Either the distro provides UKIs, then just use them. Or use traditional kernel + initrd. Everything else is asking for trouble when it comes to kernel updates.

Supporting UKIs essentially needs: (a) copying the UKI to the ESP, and (b) generating BOOT.CSV.

See https://pagure.io/fork/kraxel/fedora-kiwi-descriptions/blob/kraxel/f/uki-setup.sh