This article is more than 1 year old
Version 252 of systemd, as expected, locks down the Linux boot process
The init system that everybody loves to hate
The fall version of systemd is here, with support for increased boot security, including tightened full-disk encryption.
The 113th version has the usual long feature list of very specific, targeted elements outlined in the release announcement. However, as one might expect following recent events, several of the headline features relate to the new UKI fully signed boot process.
UKI is short for "Unified Kernel Image" and combines the Linux kernel and initrd into a single file, along with some other smaller components, allowing the whole thing to be cryptographically signed. The purpose is to tighten up security on the Linux boot process.
This version also has new functions and modules concerned with manipulating the Platform Configuration Registers (PCRs) of Trusted Platform Module 2.0 chips – as also favored by VMware as well as Windows Server and Windows 11, unless you use Rufus or other tools to turn this off.
The enhanced TPM2 support will enable linking a drive's encryption keys to the keys held in compatible firmware so that an encrypted disk can be unlocked automatically during boot – but can't be unlocked by other distros. The result will be improved security for users, especially corporate users, but we foresee this hindering data-recovery efforts.
There is improved support for picking up data from the hypervisor while VMs are starting, as well as for booting RISC-V machines. The systemd-boot module now supports starting a 64-bit kernel on 32-bit UEFI, which may help owners of older Intel Macs. Some early models, no longer supported by macOS, make it very tricky to run Linux. Not many distros use this, though. So far, The Reg FOSS desk has only seen it in Pop!_OS, though there could well be others.
- Microsoft's Lennart Poettering proposes tightening up Linux boot process
- OpenBSD 7.2: The other other FOSS xNix released, runs on Apple M2 Macs
- Ubuntu 22.10 is out, with an extra remix in the family: Unity
- Red Hat backs CNCF project, spills TEE support over Kubernetes
A new feature that will upset some but we feel could prove useful is detecting when the OS passes its end-of-life date then sets a "taint" flag called support-ended
. The date is picked up from a new field in the /etc/os-release
file.
The systemd project is now mature enough that old functionality is getting deprecated and removed. Support for version 1 of the cgroups feature, originally donated by Google, will be removed soon, and apps must move to cgroups 2, which appeared in 2016. Support for unmerged /usr
folders, as The Reg described when Debian adopted it, is also going away. Both are anticipated to be removed by the end of 2023.
Although Ubuntu's second release of the year has come and gone, there's a small chance that version 252 might still make it into Fedora 37, which has been delayed several weeks due to an OpenSSL security issue which turned out to be a damp squib. If not, this version will be in the spring releases of both Ubuntu and Fedora, as well as Debian 12. ®
Bootnote
This is actually the 113th release of systemd because when the project merged in the udev tool in 2012, its maintainers bumped the version number directly from 44 to 183 in order to match the version number of udev.
Far be it from us to suggest that anyone would bump a version number, say, to make it look more mature and trustworthy.