Hi,
Here is a little patch series to kick off a discussion on pre-generated
initrd images and unified kernels. Let's start with a description of the
patches:
Patch #1 adds a dracut config file, targeting virtual machines. Given
that most physical machines have either SATA or NVMe disks these days
it probably boots most physical systems too.
Patch #2 adds a sub-package with an initrd image.
Patch #3 adds a sub-package with a unified kernel.
The goal is to move away from initrd images being generated on the
installed machine. They are generated while building the kernel package
instead. Main motivation for this move is to make the distro more
robust and more secure.
When shipping the initrd as rpm it is possible to check it with the
usual tools ('rpm --verify' for example). TPM measurements are much
more useful because it is possible to pre-calculate the PCR values for a
given kernel version.
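To make the PCR point concrete, here is an added example (not part of this patch series) that simulates the TPM extend operation over a constructed boot chain. The component blobs, the PCR layout and the expected value are all assumptions made up for the illustration; which PCR each component actually lands in depends on the firmware, boot loader or stub doing the measuring. The point it shows is the one made above: when the initrd is shipped in the rpm, every measured input is known at build time, so the expected PCR value can be computed before the machine ever boots, whereas a host-generated initrd makes that value unpredictable.

```python
"""Pre-calculating a TPM PCR value for a packaged initrd (added example)."""
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 bank; a PCR reads as all zeros after reset


def digest(blob: bytes) -> bytes:
    """Measurement of a boot component: the SHA-256 of its bytes."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """One PCR extend step: PCR_new = SHA-256(PCR_old || measurement).

    Extending is one-way and order dependent, which is what lets a
    single 32-byte value stand for the whole measured boot chain."""
    return hashlib.sha256(pcr + measurement).digest()


def predict_pcr(components: list[bytes]) -> bytes:
    """Expected PCR value after measuring each component in boot order."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, digest(blob))
    return pcr


def matches_policy(expected: bytes, observed: bytes) -> bool:
    """Compare a predicted value with a measured one the way a sealing
    policy or remote attestation verifier would: constant time."""
    return hmac.compare_digest(expected, observed)


# Constructed stand-ins for the measured boot components (not real files).
KERNEL = b"vmlinuz-6.0.0-example (constructed)"
CMDLINE = b"root=UUID=placeholder ro quiet (constructed)"
SHIPPED_INITRD = b"initrd from kernel-initrd-virt rpm (constructed)"
LOCAL_INITRD = b"initrd regenerated by dracut on this host (constructed)"

# With a packaged initrd every measured input is fixed at build time, so the
# package builder can compute this value and publish it with the rpm.
SHIPPED_BOOT_CHAIN = [KERNEL, SHIPPED_INITRD, CMDLINE]
EXPECTED_PCR = predict_pcr(SHIPPED_BOOT_CHAIN)

# A host-generated initrd differs byte for byte from machine to machine, so
# nothing computed at build time can match it.
LOCAL_BOOT_CHAIN = [KERNEL, LOCAL_INITRD, CMDLINE]

if __name__ == "__main__":
    print("expected PCR:         ", EXPECTED_PCR.hex())
    print("shipped initrd matches:", matches_policy(EXPECTED_PCR, predict_pcr(SHIPPED_BOOT_CHAIN)))
    print("local initrd matches:  ", matches_policy(EXPECTED_PCR, predict_pcr(LOCAL_BOOT_CHAIN)))
```

Run it directly to see the predicted value and the two comparisons. The same reasoning extends to a unified kernel image: there the kernel, initrd and command line travel as one signed PE binary, so the stub or firmware measures one known blob instead of three separately assembled pieces.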
When shipping a unified kernel image (containing kernel, initrd, cmdline
and signature) we get the additional benefit that the initrd is covered
by the signature so secure boot will actually be secure.
So, while unified kernels are clearly the better approach it is also the
one which needs some changes in various packages. For an initrd image
the hooks needed are in place thanks to CoreOS shipping initrd images
today. Opt in by installing the sub-rpm and everything JustWorks[tm].
To make unified kernels work smoothly a number of changes are needed
(beside the kernel rpm changes):

(1) Add support for unified kernels to the kernel update scripts
    (/usr/lib/kernel/install.d/*).
(2) Add boot loader support for unified kernel images:
    (a) either switch to sd-boot which already supports this.
    (b) or add support to grub2 (improve blscfg downstream patch).
(3) Support /boot being vfat (depending on #2, sd-boot needs this).
(4) Remove configuration information (and secrets) from initrd images
    and kernel command line.
    Most important item here is the root filesystem location, which
    should be doable using
    https://systemd.io/DISCOVERABLE_PARTITIONS/
    for many use cases.
    Can initially be handled in anaconda kickstart %post scripts.
    Long-term we need proper support in anaconda (and any other tool
    used to install or generate cloud images), especially if we want
    to make unified kernel images the default some day.
(5) There might be more ...
I think the best way forward is to skip the initrd image interim step
and try to go straight to unified kernel image support, starting with
virtual machines & cloud images; when things are working smoothly there,
expand to cover more use cases. I think it makes sense to start with
the kernel changes.
Comments? Reviews? Suggestions?
thanks & take care,
Gerd
Daniel P. Berrangé (1):
[testing] add a kernel-unified-virt sub-RPM
Gerd Hoffmann (2):
[testing] virtual machine dracut config
[testing] add a kernel-initrd-virt sub-RPM
 dracut-virt.conf | 26 +++++++++++++++++++
 kernel.spec      | 65 ++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 91 insertions(+)
create mode 100644 dracut-virt.conf
--
2.37.2