systemd 253 arrives with UKI support, improvements and more

systemd is a suite of system management daemons, libraries and tools designed as a central management and configuration platform that sits between user space and the Linux kernel.

After three and a half months of development, systemd 253 has been released. The headline addition is the 'ukify' utility, which builds, checks and signs Unified Kernel Images (UKIs): a single PE binary that combines the UEFI boot stub (systemd-stub), the Linux kernel image and the initrd, i.e. the initial system environment loaded into memory and used in the stage before the root filesystem is mounted.

The utility replaces the functionality previously provided by the 'dracut --uefi' command and extends it with automatic calculation of section offsets in PE files, merging of several initrds, signing of the embedded kernel image and of the combined image with sbsign, heuristics for determining the kernel version string (uname), embedding of a boot splash image, and inclusion of the signed PCR policies generated by the systemd-measure utility.
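To make concrete what ukify assembles: a UKI is an ordinary PE/COFF binary whose payloads live in named sections (.linux, .initrd, .cmdline, .osrel, .splash, .pcrsig and so on) that systemd-stub locates through the PE section table, and "calculating PE offsets" means laying that table out so every section points at valid data. The following example, added here and not code from systemd or ukify, walks the section table of an image and extracts the payloads while rejecting sections that point past the end of the file; this is the basic sanity check worth running on a freshly built image before signing it. The build_pe helper constructs a minimal PE only so the example runs offline; a real UKI also carries the stub's code and a populated optional header, which the parser skips over via SizeOfOptionalHeader.

```python
"""Inspect the PE section table of a Unified Kernel Image (UKI).

A UKI built by ukify is a PE/COFF binary: systemd-stub's own code plus
extra sections such as .linux, .initrd, .cmdline, .osrel, .uname,
.splash, .dtb, .pcrpkey and .pcrsig.  Finding those sections means
walking the PE headers, which is the offset calculation ukify automates.
Added example, not code from systemd.
"""
import struct

# Section names systemd-stub looks for (a subset; the names are fixed by the stub).
UKI_SECTIONS = {".linux", ".initrd", ".cmdline", ".osrel", ".uname",
                ".splash", ".dtb", ".pcrpkey", ".pcrsig", ".sbat"}

# COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def parse_pe_sections(data):
    """Return the section table of a PE image as a list of dicts.

    Validates the MZ stub, the PE signature and that every section's raw
    data lies inside the file, so a truncated or corrupt image is rejected
    instead of silently yielding garbage.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff)
    table = coff + struct.calcsize(COFF_HEADER) + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * struct.calcsize(SECTION_HEADER)
        if off + struct.calcsize(SECTION_HEADER) > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, vaddr, rawsize, rawptr, *_ = struct.unpack_from(SECTION_HEADER, data, off)
        if rawptr + rawsize > len(data):
            raise ValueError(f"section {name!r} points past end of file")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "offset": rawptr, "size": rawsize})
    return sections


def uki_payloads(data):
    """Map each known UKI section name to its contents.

    VirtualSize is the payload length (SizeOfRawData is padded to the file
    alignment), so it is preferred when set.  A PE without a .linux section
    is not a UKI at all.
    """
    payloads = {}
    for s in parse_pe_sections(data):
        if s["name"] not in UKI_SECTIONS:
            continue
        length = min(s["vsize"], s["size"]) if s["vsize"] else s["size"]
        payloads[s["name"]] = data[s["offset"]:s["offset"] + length]
    if ".linux" not in payloads:
        raise ValueError("not a UKI: no .linux section")
    return payloads


def build_pe(sections, file_align=512):
    """Construct a minimal PE image with the given {name: payload} sections.

    Constructed test input for this example: it has an empty optional header
    and no stub code, so it is not bootable, but its section table is laid
    out the way a real UKI's is.
    """
    e_lfanew = 0x40
    n = len(sections)
    headers_len = e_lfanew + 4 + struct.calcsize(COFF_HEADER) + n * struct.calcsize(SECTION_HEADER)
    data_start = -(-headers_len // file_align) * file_align
    image = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    image += b"PE\0\0" + struct.pack(COFF_HEADER, 0x8664, n, 0, 0, 0, 0, 0x22)
    body, offset, vaddr = bytearray(), data_start, 0x1000
    for name, payload in sections.items():
        raw = payload.ljust(-(-len(payload) // file_align) * file_align, b"\0")
        image += struct.pack(SECTION_HEADER, name.encode("ascii"), len(payload), vaddr,
                             len(raw), offset, 0, 0, 0, 0, 0x40000040)
        body += raw
        offset += len(raw)
        vaddr += len(raw)
    image += b"\0" * (data_start - len(image))
    return bytes(image + body)


def demo():
    """Build a constructed image and report which sections the stub would find."""
    image = build_pe({
        ".linux": b"kernel-placeholder",          # constructed placeholders, not real payloads
        ".initrd": b"initrd-placeholder",
        ".cmdline": b"root=/dev/mapper/root rd.luks.options=tpm2-device=auto\0",
        ".osrel": b"ID=example\nVERSION_ID=1\n",
    })
    return {name: len(blob) for name, blob in uki_payloads(image).items()}
```

On a real image the same parser can be pointed at the file ukify wrote; the interesting checks are that .linux is present, that .cmdline is what you intended (it is what the stub passes to the kernel, so a stray parameter here is a boot-time change an attacker would love), and that .pcrsig is present when you expect signed PCR policies.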

Another change that stands out concerns systemd-boot: its initialization of the seed for the kernel's pseudorandom number generator and of its disk back end has been reworked. Support was added for booting from locations other than the ESP (EFI System Partition), for example directly from the firmware or from QEMU. SMBIOS fields are now parsed to detect whether the boot loader is running in a virtualization environment. Building on that, a new "if-safe" mode for Secure Boot key enrollment (secure-boot-enroll=if-safe) has been implemented: the Secure Boot certificates stored on the ESP are enrolled automatically only when this is considered safe, i.e. when running in a virtual machine.

The bootctl utility now generates the random-seed system token on all EFI systems except in virtualization environments. New commands were added: 'kernel-identify' and 'kernel-inspect', which show the type of a kernel image and, for the latter, its version and embedded command line; 'unlink', which removes a Type #1 boot loader entry together with the files it references; and 'cleanup', which removes from the "entry-token" directories on the ESP and XBOOTLDR all files not referenced by any Type #1 boot entry. kernel-install now honours the KERNEL_INSTALL_CONF_ROOT environment variable, which points it at an alternative configuration directory.

A new "OpenFile=" setting has been added for service units. It makes systemd open arbitrary files in the filesystem (or connect to Unix sockets) on the service's behalf and pass the resulting file descriptors to the started process, for example to give a service running as an unprivileged user access to a file it is not itself allowed to open.
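The security value of OpenFile= is that the privileged open happens in systemd, so the service can run with a restrictive User= and still read one specific file, with no capability or wider filesystem access granted. The descriptors reach the process over the same protocol as socket activation: fd 3 onwards, described by LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES, where the fd-name component of OpenFile=path:fd-name:options appears in LISTEN_FDNAMES. The following example, added here and not code from systemd, is the consumer side in Python mirroring sd_listen_fds_with_names(3); the unit fragment in the docstring, the path and the fd name "config" are hypothetical, and demo() plays the role of systemd so the block runs offline.

```python
"""Consume file descriptors passed by systemd's OpenFile= directive.

For a unit containing, for example (hypothetical unit and path):

    [Service]
    User=app
    OpenFile=/etc/app/secret.conf:config:read-only
    ExecStart=/usr/bin/app

systemd opens the file itself and hands the descriptor to the process
with the socket-activation protocol: descriptors start at fd 3, and
LISTEN_PID / LISTEN_FDS / LISTEN_FDNAMES describe them, with the
fd-name part ("config") appearing in LISTEN_FDNAMES.
Added example, not systemd code.
"""
import os
import tempfile

SD_LISTEN_FDS_START = 3


def listen_fds(environ=None, pid=None, start_fd=SD_LISTEN_FDS_START):
    """Return {name: fd} for descriptors systemd passed us, or {} if none.

    Mirrors sd_listen_fds_with_names(3): everything is ignored unless
    LISTEN_PID names this very process, so descriptors leaked by an
    activated ancestor are not mistaken for ours.  start_fd exists only
    so the demo below can run without owning fd 3.
    """
    env = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(env.get("LISTEN_PID", "0")) != pid:
            return {}
        count = int(env.get("LISTEN_FDS", "0"))
    except ValueError:
        return {}
    names = env.get("LISTEN_FDNAMES", "")
    names = names.split(":") if names else []
    passed = {}
    for i in range(count):
        fd = start_fd + i
        name = names[i] if i < len(names) else "unknown"
        os.set_inheritable(fd, False)   # set CLOEXEC, as sd_listen_fds() does
        passed[name] = fd
    return passed


def read_named_fd(passed, name, limit=1 << 16):
    """Read up to `limit` bytes from the descriptor systemd labelled `name`.

    A KeyError means the file was not passed; with OpenFile=...:graceful
    that is how a missing file shows up, so callers should handle it.
    """
    fd = passed[name]
    with os.fdopen(os.dup(fd), "rb") as f:   # dup so the original fd stays open
        return f.read(limit)


def demo():
    """Simulate the hand-over for OpenFile=<tmp file>:config:read-only.

    Constructed: this function plays systemd, opening the file itself and
    exporting the variables systemd would set for the service process.
    """
    with tempfile.NamedTemporaryFile("wb", delete=False) as tmp:
        tmp.write(b"api_token=not-a-real-secret\n")   # constructed content
        path = tmp.name
    fd = os.open(path, os.O_RDONLY)
    try:
        env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "1", "LISTEN_FDNAMES": "config"}
        passed = listen_fds(env, start_fd=fd)
        return read_named_fd(passed, "config")
    finally:
        os.close(fd)
        os.unlink(path)
```

In a real service the call is simply listen_fds() with no arguments. Keep the file read-only in the unit unless the service genuinely needs to write, and treat the LISTEN_PID check as mandatory: skipping it is how a process ends up reading a descriptor that was meant for someone else.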

In systemd-cryptenroll, when enrolling new keys it is now possible to unlock the encrypted volume with an already-enrolled FIDO2 token (--unlock-fido2-device) instead of entering a passphrase. A salt is now also stored alongside a user-specified PIN, so that the PIN is not used directly and brute-forcing it becomes harder.

Of the other changes that stand out:

  • Added support for initrd environments whose root is an overlayfs rather than a memory-backed tmpfs. In such environments systemd no longer deletes every file in the initrd after switching to the root filesystem.
  • Added the ReloadLimitIntervalSec= and ReloadLimitBurst= settings, together with the kernel command line options systemd.reload_limit_interval_sec= and systemd.reload_limit_burst=, to rate-limit daemon reloads (systemctl daemon-reload).
  • For units, the "MemoryZSwapMax=" option was implemented to set the cgroup memory.zswap.max attribute, which caps the amount of zswap the unit may use.
  • For units, the "LogFilterPatterns=" option was implemented, which accepts regular expressions for filtering the unit's messages in the journal (it can be used either to drop certain messages or to keep only certain ones).
  • The 'systemctl list-dependencies' command now honours the '--type' and '--state' options, and 'systemctl kexec' gains support for Xen hypervisor-based environments.
  • The [DHCPv4] section of .network files gained the SocketPriority= and QuickAck= settings, and RouteMetric= can now be set per router preference (high, medium, low).
  • systemd-journal-remote gained the MaxUse=, KeepFree=, MaxFileSize= and MaxFiles= settings to limit its disk space consumption.
  • systemd-cryptsetup can now send a pre-flight request to FIDO2 tokens to check whether an enrolled token is present before attempting authentication.
  • New crypttab options tpm2-measure-bank= and tpm2-measure-pcr= were added, controlling the PCR bank and PCR into which the volume key is measured.
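A practitioner's first question about LogFilterPatterns= is how allow and deny patterns interact, since getting it wrong means silently losing the log lines an investigation needs. Each LogFilterPatterns= line adds one extended regular expression; a leading "~" marks a deny pattern, an empty assignment resets the list, and journald drops a message matching any deny pattern, keeps one matching any allow pattern, and, when no allow patterns are configured, keeps everything that was not denied. The following example, added here and not systemd code, replays that decision over a constructed set of messages from a hypothetical login service; Python's re stands in for the POSIX ERE engine journald actually uses, so stick to syntax both accept.

```python
"""Replay journald's LogFilterPatterns= decision on sample messages.

Each LogFilterPatterns= line in a unit adds one extended regular
expression; a leading "~" makes it a deny pattern and an empty value
resets the list.  journald discards a message that matches any deny
pattern, keeps one that matches any allow pattern and, when no allow
patterns exist, keeps everything that was not denied.
Added example, not systemd code.
"""
import re


def compile_log_filters(values):
    """Turn successive LogFilterPatterns= values into (allow, deny) lists."""
    allow, deny = [], []
    for value in values:
        if value == "":                 # empty assignment resets both lists
            allow, deny = [], []
        elif value.startswith("~"):
            deny.append(re.compile(value[1:]))
        else:
            allow.append(re.compile(value))
    return allow, deny


def keep_message(message, allow, deny):
    """journald's verdict for one MESSAGE= value: deny wins, then allow."""
    if any(p.search(message) for p in deny):
        return False
    if any(p.search(message) for p in allow):
        return True
    return not allow                    # no allow list: keep what was not denied


def filter_messages(messages, values):
    """Apply a unit's LogFilterPatterns= lines to a list of MESSAGE= values."""
    allow, deny = compile_log_filters(values)
    return [m for m in messages if keep_message(m, allow, deny)]


# Constructed sample of MESSAGE= values from a hypothetical login service.
SAMPLE = [
    "Accepted publickey for alice from 10.0.0.5 port 50112",
    "Received disconnect from 10.0.0.5: 11: disconnected by user",
    "Failed password for invalid user admin from 203.0.113.9 port 40022",
    "Connection closed by 203.0.113.9 port 40022",
]

# Equivalent of these unit lines:
#   LogFilterPatterns=^Accepted
#   LogFilterPatterns=^Failed password
#   LogFilterPatterns=~disconnected by user
SECURITY_ONLY = ["^Accepted", "^Failed password", "~disconnected by user"]


def demo():
    """Keep only authentication outcomes from the constructed sample."""
    return filter_messages(SAMPLE, SECURITY_ONLY)
```

Two consequences worth keeping in mind: once a single allow pattern exists, every message that matches none of them is dropped, so an allow list meant to keep "the important lines" quietly discards everything else; and a deny pattern that happens to match a security-relevant message wins over any allow pattern.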

Finally, if you are interested in learning more, you can consult the full details in the release announcement at the following link.
