Gregory's Server…on a single kernel command line, single initrd and so on. Which is good, because it increases boot-time security and reproducibility. But it's also bad, because you cannot even use it to boot into a recovery mode or so if your install is hosed – unless you install multiple UKIs. But given that UKIs are large (they contain a full initrd, and a full set of kernel drivers after all), this typically is not what you want to do. (You could also turn off SecureBoot, …
|
3 comments
 This way you could have one regular boot UKI profile, plus one that implements a recovery mode, another one that implements factory reset, and a fourth one that maybe boots into storage target mode. systemd-boot has been updated to synthesize multiple menu items from a single UKI – one for each profile defined in the UKI. While I'd expect that the primary use for multi-profile UKIs is to have a single set of kernel + initrd, plus a separate command line for each profile, … … the concept is actually ore flexible than that. You could also have a profile that picks a different initrd, or a different devicetree or a different boot splash or anything else that is embeddable into a UKI. And that's it for today. |
… but that is not great for security.) With systemd v257, we provide a middle ground now: UKIs may now contain multiple "profiles": multiple sets of PE sections can be combined in different ways and then labelled as different profiles. Typically this would be used to build a single UKI that contains 1 kernel and 1 initrd, but 4 different kernel command lines, which would then be combined in 4 profiles, always combining the kernel/initrd and a different command line.