The Fedora 38 release proposes to implement the first step of migrating to the upgraded boot process previously proposed by Lennart Pottering to provide a full verified boot that covers all steps from firmware to userspace, not just kernel and bootloader. The proposal has not yet been reviewed by the FESCo (Fedora Engineering Steering Committee), which is responsible for the technical part of the development of the Fedora distribution.
The components for implementing the proposed idea are already integrated into systemd 252 and come down to using, instead of the initrd image generated on the local system when installing the kernel package, the unified kernel image UKI (Unified Kernel Image), generated in the distribution infrastructure and certified by the digital signature of the distribution. UKI combines a handler for booting the kernel from UEFI (UEFI boot stub), a Linux kernel image, and an initrd system environment loaded into memory in one file. When calling the UKI image from UEFI, it is possible to check the integrity and validity of the digital signature of not only the kernel, but also the contents of the initrd, the validation of which is important because in this environment keys are extracted to decrypt the root FS.
Due to significantly upcoming changes, the implementation is planned to be divided into several stages. In the first stage, UKI support will be added to the bootloader and the publication of an optional UKI image will begin, which will focus on booting virtual machines with a limited set of components and drivers, as well as tools associated with installing and updating UKI. At the second and third stages, it is planned to avoid passing settings on the kernel command line and stop storing keys in the initrd.
Source: opennet.ru