systemd 253: You’re looking at the future of enterprise Linux boot processes

The first systemd release of 2023 is here, and it introduces a brand spanking new tool for building Unified Kernel Image (UKI) files.

Fresh versions of systemd appear roughly twice a year, apart from release candidates. We reported on the last version, systemd 252, in November last year. As we said at the time, systemd 252 brought in support for Agent P’s new, more secure Linux boot process. Those two stories have details of the UKI boot files and how they work.

The support and tooling for UKI continues to improve, and one of the headline features in version 253 is a tool for building these unified kernel images, which is called ukify. As the systemd release notes say:

From the new program’s manual page:

Like it or not, it certainly seems likely that UKIs will become the standard way to start many enterprise Linux distros, if only because of their support for automatically unlocking drives using Full Disk Encryption (FDE) by retrieving keys from the machines’ integrated TPM2 chips. Three of the last four new laptops that have landed on The Reg FOSS desk came with Windows’ Bitlocker FDE turned on by default. (The only one that didn’t was Tuxedo Computers’ Stellaris gen 4, a gaming laptop with a multicolor illuminated mechanical keyboard. As a machine intended to run Linux, that’s not really a surprise.)
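A UKI is a single PE/COFF binary in which systemd-stub expects the kernel, initrd, kernel command line and os-release to live in named sections (`.linux`, `.initrd`, `.cmdline`, `.osrel`, and optionally `.uname`, `.splash`, `.dtb`). Because the whole file is what gets Secure Boot signed, a defender verifying an image wants to see exactly which of those sections were bundled and what command line is baked in. The following is an added example, not code from the systemd project or from this article: a small PE section-table parser plus a constructed, non-bootable sample image so it runs offline. The section names come from systemd-stub's documentation; the `build_sample_pe` helper, the `describe_uki` report layout and the sample payloads are assumptions made here for illustration.

```python
import struct

# Section names systemd-stub looks for inside a UKI (the UKI is a PE/COFF file
# with the kernel, initrd, etc. stored as named sections).
UKI_SECTIONS = (".linux", ".initrd", ".cmdline", ".osrel", ".uname", ".splash", ".dtb")


def pe_sections(data: bytes) -> dict[str, bytes]:
    """Parse the PE/COFF section table and return {section name: raw bytes}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes in total)
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = {}
    for i in range(nsections):
        # 40-byte section header: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
        # NumberOfRelocations, NumberOfLinenumbers, Characteristics
        entry = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name = entry[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = entry[3], entry[4]
        if raw_off + raw_size > len(data):
            raise ValueError(f"section {name} points past end of file")
        sections[name] = data[raw_off:raw_off + raw_size]
    return sections


def describe_uki(data: bytes) -> dict:
    """Report which UKI payload sections are present, their sizes, and the embedded cmdline."""
    sections = pe_sections(data)
    present = {n: len(sections[n]) for n in UKI_SECTIONS if n in sections}
    # .linux, .initrd, .cmdline and .osrel are what a complete image normally carries
    missing = [n for n in (".linux", ".initrd", ".cmdline", ".osrel") if n not in sections]
    cmdline = sections.get(".cmdline", b"").rstrip(b"\0").decode(errors="replace") or None
    return {"present": present, "missing": missing, "cmdline": cmdline}


def build_sample_pe(sections: dict[str, bytes]) -> bytes:
    """Assemble a minimal, non-bootable PE image carrying the given sections.
    Constructed test data only (hypothetical helper): no optional header, no code."""
    names = list(sections)
    e_lfanew = 0x40
    table_off = e_lfanew + 4 + 20            # PE signature + COFF header, no optional header
    data_off = table_off + 40 * len(names)   # raw section data starts after the table
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header += b"PE\0\0"
    header += struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)
    body = bytearray()
    for name in names:
        blob = sections[name]
        header += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), 0,
                              len(blob), data_off + len(body), 0, 0, 0, 0, 0x40000040)
        body += blob
    return bytes(header + body)


# Constructed sample: a "UKI" with a kernel placeholder, a cmdline and an os-release,
# but no .initrd, so describe_uki() flags that section as missing.
SAMPLE = build_sample_pe({
    ".linux": b"<kernel image placeholder>",
    ".cmdline": b"root=UUID=PLACEHOLDER rw quiet\0",
    ".osrel": b"ID=exampleos\nVERSION_ID=1\n",
})

if __name__ == "__main__":
    print(describe_uki(SAMPLE))
```

Pointed at a real image instead of `SAMPLE`, `describe_uki(open("/boot/EFI/Linux/example.efi", "rb").read())` tells you which payloads the signature actually covers; the embedded `.cmdline` is the one to audit, since it travels inside the signed file rather than in a loader configuration that anyone with ESP access can edit.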

Many users might never even notice it, unless they try to dual-boot the computer with a non-Windows OS and find that nothing else can read the disk. Never fear: we have described how to turn it off and make such a machine ready to dual-boot.

There are of course lots of other changes, but they should be less visible to most people. There’s a new option to limit the amount of memory assigned to the compression pool if you use zswap swap area compression, a feature added to “Linux for Workgroups”, AKA kernel 3.11 way back in 2013. We suggested enabling this last year as a way to improve the performance of desktops or laptops with limited RAM, and it can help quite a lot, but the price of reduced swap usage is increased CPU strain and the need for a block of memory for the compressed cache.

As described in some kernel patches last year, zswap is a complicated tool, and its interactions on a system running lots of cgroup2 containers are not easy to debug.

Tweaks to the systemd OOM killer suggest that this is still causing issues, as it did even back in Fedora 33, which is why Linux Mint 21 disabled it altogether.

The systemd-boot tool, which is used in Pop!_OS and caused us grief, now supports other ways of loading the kernel in the Xen hypervisor and QEMU hypervisor/emulator, such as from locations other than the UEFI ESP.

Handling of several file system issues has been improved. If systemd finds a swap volume with a different page size from the one the system needs, it will automatically reformat it, and it has better handling of an initrd that isn’t a pure RAMdisk, such as an overlayfs. There’s also direct support for a technology we’d not met before: HS SRE, or to give it its full name, Lockheed-Martin Hardened Security for Intel processors.

Many won’t like it, but expect systemd 253 to appear in the next version of most mainstream distros. If that thought is too much to bear, there is still a decent selection of distros that don’t have it. ®