Giving bootloaders the boot with nmbl

https://www.linuxboot.org/

People really should take a step back and wonder why they want a boot loader at all. Some reasons I can think of:

1. To interactively allow users to pick one of many OSes installed
2. To interactively allow users to pick one of many versions of the same OS kernel installed
3. To automatically (i.e. non-interactively) pick the newest version of an OS that is installed, and fall back to an older version if it fails

Now, is the nmbl concept good at the first item above? Well, uh, kexec is highly problematic if you care about Secure Boot of other Linuxes, doesn't really work for booting Windows at all, and completely useless if you care about Measured Boot. Maybe I am biased but all of these things matter a lot, and should be at the core of how you design the boot logic of a modern OS.

Is nmbl good at the second item above? Well, the boot loader is a kernel/initrd in this model already, and apparently one with quite some bells and whistles, with networking, complex storage, cryptography, http client, ca store and stuff (I mean, that's how I understand it, i.e. it should be able to load kernels from sources that require all that). It hence will need require regular updating (as much as the 2nd stage kernel most likely, if not more often, since it probably needs ca store built in), and quite possibly will break every now and then nonetheless, because it's basically a full OS you are boot as first stage. So does nmbl allow you to select the nmbl kernel itself interactively? Nope, it certainly does not, how could it, it can't be a menu that allows selecting versions of itself. Sure, it can then chainload, but why would anyone assume that the nmbl kernel is so simple that it doesn't break as often or as seldom as the chainloaded kernel? Here's a little secret I learnt from developing an init system, and being heavily involved with making systems boot: Probably more than half of all fuckups with low level subsystems already take place at boot, at initialization: so if the nbml that is supposed to put a frickin menu on screen is already so complex with networking, complex storage, disk encryption and so on, then yes, that's the part you actually need have a scheme for so that the user (or better the system) can fallback to older versions to make things work again.

Is nmbl good at the third item above? Nah, not at all, not any better than the 2nd thing. In fact you just made everything worse: for automatic fallback to older versions of things you need to keep state, write somewhere that you are about to try booting some item, so that on next boot you can determine if boot failed or not and then not consider it anymore. This information you need to store as early as possible, i.e. *before* you try the first things that is risky, that might hang. So, given that nmbl is a full kernel with complex storage/blabla, you better do it before. But you cannot do that, since the initrd has no access to any storage until it actually did its things and found storage (yes, it could write to efi vars, but typically that's something you might not want to do on every boot, because those memory chips supposedly are not high quality enough to allow that, and firmwares are shit and have bad wear level/write strategies and so on).

So, I really don't get this idea at all. It seems this approach simply doesn't deliver anything that you actually want in a boot loader.

I mean, there's are reasons why systemd-boot is what systemd-boot is: just a dumb boot menu that runs in uefi mode and basically just allows you to pick another uefi binary to chainload: it's about placing the choice of what to boot into *early* in the boot chain, before you do complex storage, networking, crypto and what not. And using what the firmware already provides for this, in a minimal fashion. And then providing an API for it for userspace, and doing boot counting and things before we go down the risky path.

Hence, I'd really suggest people to think a bit about:

1. First and foremost: how is this stuff supposed to be measured (as in TPM PCR extensions) reasonably, i.e. deterministic, stable, and predictable from userspace, so that you can bind security policies to. How do you guarantee integrity of the boot process for SecureBoot. I wished in 2024 people would understand that this item here *cannot* be an afterthought if you want reasonably OS security. It should instead be one of the *first* things you think about, because it has implications for so much else.
2. Where to place the selection logic for which boot path to boot, how early can you make it
3. Where to place the complex parts of finding your root disk, how late you can make it
4. How to deliver boot counting/automatic fallback, where to store the counters
5. How you get away with maintaining the least amount of code, without having to reimplement Linux' storage stack. If you have to stick some boot phase between firmware and OS kernel, how do you minimize the code footprint on that.

I mean, don't get me wrong, I think there are many scenarios where something like systemd-boot is unnecessary. For example if you boot your OS in VMs only and hence instead of choosing between multiple versions of a kernel inside the VM you can just choose between multiple versions of the whole VM image, then why bother with systemd-boot. But for physical devices, for anything more generic, you do need something *before* you invoke your first kernel I am very sure. (And yeah, I think systemd-boot is really what you want there.)

I do appreciate that this proposal uses UKIs and systemd-stub and all, but hey, if you want a frickin boot menu, then use a fricking boot menu, and don't boot a full OS-in-a-cpio just to put some ncurses UI on screen, thank you very much.

Yeah, I guess I should put together a blog story or so one day that gives a better explanation of why systemd-boot and systemd-stub do what they do the way they do, and what implications boot integrity has on literally *everything* that comes later.

Lennart

The process from the blog for maintaining a Secure Boot root of trust, removing Microsoft's keys and substituting them with some of your own, is an exciting (if daunting and tedious) prospect. Similar in scope to setting up a PGP messaging system or a local Certificate Authority (or chaining a bunch of "openssl" commands together, setting the expiry dates decades into the future, and hoping for the best).

"Most commodity PCs sold today include keys that Microsoft controls. In fact, Microsoft's keys are the only ones that are more-or-less guaranteed to be installed in your firmware, at least on desktop and laptop computers." - Rod Smith. I'd like to learn more of the lore about how this situation came about, and how Microsoft is still relied on to create things such as the signed shim.

"If you remove the Microsoft CA Certificate from your machine, you will no longer be able to boot binaries signed by Microsoft with Secure Boot enabled. Likewise with other certificates. If you strip signatures from binaries, you are removing that root of trust from those binaries." - Marta Lewandowska. This sounds like a good antidote to the feeling some systems are designed to give these days: that the user is not meant to be administering the system they happen to have purchased.

UEFI for multi-OS boot, and Linux boots itself from UEFI. This sounds like a great idea. Frankly any time you can replace hundreds of thousands of lines of code with hundreds, I am tempted to say the world is telling you something... You had really better get a LOT for those hundreds of thousands of lines.

To use this in the embedded world would require:

* extending drivers to do some sort of "partial init" when the kernel is used as a bootloader.

* making it possible to build even more tiny kernel images that can fit in limited on-chip SRAM.

* adding support for early boot tasks like initialising DRAM and relocating the image.

Adding these features to the kernel would increase the complexity and maintenance overhead in ways that I'm not sure would be welcome. So, I expect there will be a place for bootloaders like U-Boot for some time yet.

This is multiple steps backwards, more rigid everywhere, and seemingly in favour of only the Restricted Boot theatre.