CONFIG_EFI_ZBOOT causing missing vmlinuz from tarball builds

Veronika Kabatova vkabatov at redhat.com
Tue Dec 13 09:28:40 PST 2022 

On Tue, Dec 13, 2022 at 6:04 PM Ard Biesheuvel <ardb at kernel.org> wrote:
>
> (cc Will)
>
> On Tue, 13 Dec 2022 at 17:56, Veronika Kabatova <vkabatov at redhat.com> wrote:
> >
> > Hello!
> >
> > We (CKI Project) have recently tried a kernel build with the
> > CONFIG_EFI_ZBOOT option enabled, and got surprised by
> > our kernel install and boot scripts getting unhappy. After some
> > debugging it seems like the reason is the combination of the
> > option with the tarball build target.
> >
> >
> > When the option is enabled, Image.gz doesn't get generated
> > and vmlinuz.efi binary is created instead. This binary name is
> > not in the list of binaries that get packaged into the tarball:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/scripts/package/buildtar#n125
> >
> > My noob solution would be to add vmlinuz.efi into the list of
> > acceptable files in the line above, but I'm not familiar with
> > the functionality this new binary offers and whether that is
> > an acceptable solution. I can send a patch if it is, but if there
> > is more nuance to the fix could someone please take a look?
> >
>
> Hello Veronika,
>
> Thanks for the report.
>
> I agree adding vmlinuz.efi to the tarball seems like a sensible
> solution here, but I'm not 100% sure I understand how this tarball is
> consumed.
>
> The EFI zboot target needs testing coverage as well, of course, so I
> am happy that you are looking into this. But for actual production
> use, it is mostly intended for distros that only support EFI boot and
> want to sign the bootable images for EFI secure boot, which is
> currently a bit of a pain with the plain gzip'ed images. So whether or
> not building the tarball with the EFI zboot image is a meaningful
> combination is not 100% clear to me.

It wasn't exactly on purpose :) We use Fedora rawhide configs to
build the upstream kernels, and this config option got enabled there.
Fedora uses RPM built kernels but we build upstream kernels as
tarballs, and thus we ended in this situation. The option is currently
disabled again for Fedora, but I suspect we're not the only ones
using distribution configs for testing and that others may run into a
similar problem sooner or later. It's less about signing tarballs and
more about the keeping the kernel builds working.


Veronika

>
> Kind regards,
> Ard.
>

More information about the linux-arm-kernel mailing list