Unified Kernel Image

A unified kernel image (UKI) is a single executable which can be booted directly from UEFI firmware, or automatically sourced by boot-loaders with little or no configuration.

An unified kernel image allows to incorporate all or a subset of the following:

• a EFI stub loader like systemd-stub,
• the kernel command line,
• Microcode,
• an initramfs image,
• a kernel image,
• a splash screen.

The resulting executable, and therefore all these elements together can then be easily signed for use with Secure Boot.

Configuration

Generating a Unified Kernel Image can be done either with Dracut or with systemd's ukify tool. The latter does not generate an initramfs, this will have to be done separately with e.g. Dracut.

The systemd kernel-install implementation provided by sys-apps/systemd or sys-apps/systemd-utils[boot] can be configured to install kernels in the UKI format:

layout=uki

Dracut

As of sys-kernel/dracut version 059-r4 the Dracut kernel-install plugin will automatically pick up the layout setting and generate an uki instead of an initrd when used with the systemd kernel-install implementation. The resulting image will then be installed to the EFI System Partition.

The kernel build system will call kernel-install automatically when running make install. Therefore no additional configuration is required for users of manually configured kernels such as sys-kernel/gentoo-sources. Users who wish to use the pre-configured sys-kernel/gentoo-kernel instead will have to explicitly configure Dracut to generate UKIs:

layout=uki
uki_generator=dracut
initrd_generator=dracut

uefi="yes"
kernel_cmdline="..."

Secure Boot

To automatically sign the generated UKI for use with Secure Boot:

uefi_secureboot_cert="..." 
uefi_secureboot_key="..."

To use a PKCS11 URI instead of a plain key file:

uefi_secureboot_cert="..." 
uefi_secureboot_key="pkcs11:..."
uefi_secureboot_engine="pkcs11"

Ukify

As of sys-apps/systemd version 254, the ukify kernel-install plugin can be used to generate the unified kernel image. To configure kernel-install to use it:

layout=uki
uki_generator=ukify
initrd_generator=dracut

[UKI]
Cmdline=...

uefi="no"

Secure Boot

To automatically sign the generated UKI for use with Secure Boot:

[UKI]
SecureBootSigningTool=sbsign
SecureBootPrivateKey=...
SecureBootCertificate=...

To use a PKCS11 URI instead of a plain key file:

[UKI]
SecureBootSigningTool=sbsign
SecureBootPrivateKey=pkcs11:...
SecureBootCertificate=...
SigningEngine=pkcs11

Measured Boot

To instruct ukify to pre-calculate and sign PCR values for use with Measured Boot:

[PCRSignature:initrd]
PCRPrivateKey=...
PCRPublicKey=...
Phases=enter-initrd

[PCRSignature:system]
PCRPrivateKey=...
PCRPublicKey=...
Phases=enter-initrd:leave-initrd
       enter-initrd:leave-initrd:sysinit
       enter-initrd:leave-initrd:sysinit:ready

Boot Loaders

Boot Loaders with support for unified kernel images dynamically detect UKIs in the Linux directory on the EFI System Partition, no further configuration is required. Currently the following boot loaders support unified kernel images:

• systemd-boot
• rEFInd
• GRUB (version 2.12 and up)

Unified kernel images can also be booted directly from UEFI firmware without any boot loader. Efibootmgr can be used to add or remove boot menu entries for unified kernel images:

See also

• UEFI — a firmware standard for boot ROM designed to provide a stable API for interacting with system hardware. On x86 it replaced the legacy BIOS.
• Efibootmgr — a tool for managing UEFI boot entries.
• Secure Boot — an enhancement the security of the pre-boot process of a UEFI system.
• Dracut — an initramfs infrastructure and aims to have as little as possible hard-coded into the initramfs.
• EFI stub — provides instructions on configuring and installing kernels in the EFI System Partition (ESP) of a computer running in EFI mode