<div dir="auto"><div>Secureboot allows kexec, when using the recentish kexec_file_load syscall which performs kernel image signature verification.</div><div dir="auto"> </div><div dir="auto">All of this just works under secureboot.</div><div dir="auto"> <div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Fri, 24 Feb 2023, 20:20 Aaron Rainbolt, <<a href="mailto:arraybolt3@ubuntu.com">arraybolt3@ubuntu.com</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On 2/24/23 11:51, Dan Bungert wrote: >>> On Fri, 24 Feb 2023 at 04:54, Aaron Rainbolt <<a href="mailto:arraybolt3@ubuntu.com" target="_blank" rel="noreferrer">arraybolt3@ubuntu.com</a>> wrote: >>>> I've seen more than one person annoyed by the fact that the mini.iso >>>> netinstaller is no more. >>>> The "flavor" would be able to be held in a >>>> very small ISO file (preferably CD sized), and it would download and >>>> install all of the packages that make up the Ubuntu system at runtime. >>>> This would allow a user to install Ubuntu or any desired flavor thereof >>>> using a single installation medium, rather than having to flash an ISO >>>> every time they want to make a drive install a different flavor. The new >>>> installation would be entirely up-to-date from the get-go, and it would >>>> enable the use of existing small storage media for those users who don't >>>> have sufficiently sized optical discs or flash drives. > Hi Aaron, > > As Lukasz mentioned, I've been looking at relevant things, and expect that we > can have the first version of ubuntu-mini-iso running this cycle. I missed > feature freeze, so I'll be filing that exception :). > > Lukasz wrote a perfect summary of the work so far, so I'll quote it here: >>> The ubuntu-mini-iso is a small bootable iso that can be either >>> downloaded and used on a CD/USB-drive or even via UEFI HTTP that >>> brings up a dynamic TUI menu of what Ubuntu images you want to >>> download/install to your target system. It uses simplestreams to >>> select which images, so it'll be quite customizable regarding the >>> selection. The difference is that it then downloads the >>> iso-of-interest into memory and chain-boots into it, allowing the >>> installation of any image as one would normally do. This has some >>> limitations of course, since it needs sufficiently enough RAM. > So I think that will address much of what you were aiming for. > > Size: the bootleg builds I'm doing of this are around 140 MiB, I expect the > official builds to produce a similar answer. It could potentially be smaller, > the size today is dominated by use of the existing Ubuntu initrd with a few > things added on top. (compare to the size of /boot/initrd.img) > > Download at runtime: ubuntu-mini-iso achieves this by presenting a menu of ISOs > that we could download, then with the user selection, reserving some memory, > downloading that ISO, and then kexecing to it. This makes good sense to me. The concern I'm noticing here is that Secure Boot activates a kernel lockdown mode that prohibits kexec. One workaround may be to have the user choose the release of Ubuntu to install at a GRUB menu so that a pre-existing kernel and initrd can be loaded, but this would bloat the ISO and complicate its use. Another possible solution might be to use mokutil to disable Secure Boot verification in the shim (essentially turning Secure Boot off without needing to get the BIOS involved), then rebooting the system. Then Secure Boot can be re-enabled with mokutil and then the ISO downloaded and kexec'd. When the user finishes installation and reboots, Secure Boot will be active again. This might complicate things with third-party drivers though. Perhaps we just live with no Secure Boot support? > ISOs in the menu: there is a casper hook that downloads simplestream json data > and hands it to the menu application, a small ncurses app that analyzes the > json, finds what ISOs to offer, and does so. The user chooses an entry from > the menu, that info is handed back to the casper scripts, which download it and > we chain boot. > > That menu could be extended for Flavors support, perhaps conceptually similar > to how flavors are shown today on <a href="https://releases.ubuntu.com/" rel="noreferrer noreferrer" target="_blank">https://releases.ubuntu.com/</a>. The relevant > code is at: <a href="https://github.com/canonical/mini-iso-tools" rel="noreferrer noreferrer" target="_blank">https://github.com/canonical/mini-iso-tools</a> > It's not necessary to build an ISO to start playing with the menu, if you > download that, get the dependencies installed, `make run`, and you can see what > the menu looks like. > > If you're interested to help, Aaron, a good starting point would be to add > entries to <a href="https://github.com/canonical/mini-iso-tools/blob/main/json.c#L27" rel="noreferrer noreferrer" target="_blank">https://github.com/canonical/mini-iso-tools/blob/main/json.c#L27</a> to > teach the menu how to read the simplestreams for the flavors. > > The existing menu can fit on a single screen, so if we start adding flavors I > think it will need some nested menu support, but that's achievable. > > I have done a hacked test run of having this new mini-iso chainboot to lubuntu > 22.04.2 and it all works fine. Nice, sounds awesome. Thank you for the info, and I'll see if I can hack on this at some point! > -Dan -- Aaron Rainbolt Lubuntu Developer <a href="https://github.com/ArrayBolt3" rel="noreferrer noreferrer" target="_blank">https://github.com/ArrayBolt3</a> <a href="https://launchpad.net/~arraybolt3" rel="noreferrer noreferrer" target="_blank">https://launchpad.net/~arraybolt3</a> @arraybolt3:<a href="http://lubuntu.me" rel="noreferrer noreferrer" target="_blank">lubuntu.me</a> on Matrix, arraybolt3 on irc.libera.chat -- ubuntu-devel mailing list <a href="mailto:ubuntu-devel@lists.ubuntu.com" target="_blank" rel="noreferrer">ubuntu-devel@lists.ubuntu.com</a> Modify settings or unsubscribe at: <a href="https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel" rel="noreferrer noreferrer" target="_blank">https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel</a> </blockquote></div></div></div>