How to inspect kernel.efi (UKI - universal kernel image) binary?

Introduction

A number of Ubuntu products use the kernel and initrd in the form of a single kernel.efi binary. This binary combines a kernel image, an initrd, and other optional components, such as cmdline, sbat.txt, device-tree, logo, CPU microcode and possibly more. kernel.efi is also sometimes called a UKI - universal kernel image.

Here is how to inspect which portions are available in the kernel.efi and how to extract them.

First, ensure you have a kernel.efi image downloaded and available for inspection, for example:

$ snap download --revision 1384 pc-kernel
$ unsquashfs pc-kernel_1384.snap

Alternatively, download the kernel.efi relevant to you, possibly using the --channel 22/stable option and specifying the architecture with the environment variable UBUNTU_STORE_ARCH=arm64.

How to list kernel.efi sections?

Using objdump, one can view all the available sections:

$ objdump -h squashfs-root/kernel.efi 

squashfs-root/kernel.efi:     file format pei-x86-64

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         0000bdc0  0000000000004000  0000000000004000  00000400  2**4
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 .reloc        0000000c  0000000000010000  0000000000010000  0000c200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  2 .data         00003288  0000000000011000  0000000000011000  0000c400  2**4
                  CONTENTS, ALLOC, LOAD, DATA
  3 .dynamic      00000110  0000000000015000  0000000000015000  0000f800  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  4 .rela         00000e58  0000000000016000  0000000000016000  0000fa00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  5 .dynsym       00000690  0000000000017000  0000000000017000  00010a00  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  6 .sdmagic      00000027  0000000000019000  0000000000019000  00011200  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  7 .sbat         000000ff  000000000001a000  000000000001a000  00011400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  8 .linux        00b12160  000000000001b000  000000000001b000  00011600  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  9 .initrd       0251b395  0000000000b2e000  0000000000b2e000  00b23800  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

How to list kernel.efi signature?

Using the sbverify tool, one can list details of the Secure Boot signature:

$ sbverify --list --verbose --verbose squashfs-root/kernel.efi 
warning: data remaining[50590608 vs 50603920]: gaps between PE/COFF sections?
signature 1
image signature issuers:
 - /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
image signature certificates:
 - subject: /C=GB/ST=Isle of Man/O=Canonical Ltd./OU=Secure Boot/CN=Canonical Ltd. Secure Boot Signing (Ubuntu Core 2021 v1)
   issuer:  /C=GB/ST=Isle of Man/L=Douglas/O=Canonical Ltd./CN=Canonical Ltd. Master Certificate Authority
certificate store:

How to extract vmlinuz from kernel.efi?

Using objcopy, one can extract any section. For vmlinuz, extract and inspect the .linux section like so:

$ objcopy -O binary -j.linux squashfs-root/kernel.efi vmlinuz
$ file vmlinuz 
vmlinuz: Linux kernel x86 boot executable bzImage, version 5.15.0-82-generic (buildd@lcy02-amd64-027) #91-Ubuntu SMP Mon Aug 14 14:14:14 UTC 2023, RO-rootFS, swap_dev 0XB, Normal VGA

How to extract and unpack initrd from kernel.efi?

Using objcopy, one can extract any section. For the initrd, extract the .initrd section and then use unmkinitramfs to unpack it like so:

$ objcopy -O binary -j.initrd squashfs-root/kernel.efi initrd
$ unmkinitramfs initrd unpack-initrd
$ ls unpack-initrd/
early  main

The early initrd contains CPU microcode for Intel & AMD processors on the x86_64 architecture. The main directory contains the usual contents of the initrd: the init system and the units that are executed. Note that on Ubuntu the initrd is usually systemd-based, as produced by the core-initrd project, rather than an initramfs-tools based one.

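The section listing and extraction steps above, as an added example that is not part of the original post: a Python parser that reads the PE/COFF section table directly (what objdump -h displays and objcopy -j selects from) and hashes each section, so the embedded kernel and initrd can be compared against known copies. The function names and the constructed sample image are assumptions for illustration; real input would be the bytes of squashfs-root/kernel.efi.

```python
import hashlib
import struct
import sys

def pe_sections(data):
    """Map section name -> (file offset, size), read from the PE/COFF section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    (nsect,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    sections = {}
    for i in range(nsect):
        name, vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", data, table + 40 * i)
        # Raw size is padded to the file alignment; the virtual size is the payload length.
        size = min(vsize, raw_size) if vsize else raw_size
        if raw_off + size > len(data):
            raise ValueError("section data runs past end of file")
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = (raw_off, size)
    return sections

def extract_section(data, name):
    """Return one section's bytes, like objcopy -O binary -j<name>."""
    off, size = pe_sections(data)[name]
    return data[off:off + size]

def section_digests(data):
    """SHA-256 of every section payload, keyed by section name."""
    return {n: hashlib.sha256(data[o:o + s]).hexdigest()
            for n, (o, s) in pe_sections(data).items()}

def build_sample():
    """Constructed minimal PE image with two payload sections (not a real kernel.efi)."""
    payloads = [(b".linux", b"KERNEL-BYTES"), (b".initrd", b"INITRD")]
    pe_off, align = 0x40, 0x200
    hdr, body = bytearray(b"MZ".ljust(align, b"\0")), b""
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    struct.pack_into("<4sHHIIIHH", hdr, pe_off, b"PE\0\0", 0x8664, len(payloads), 0, 0, 0, 0, 0)
    for i, (name, blob) in enumerate(payloads):
        struct.pack_into("<8sIIII", hdr, pe_off + 24 + 40 * i,
                         name, len(blob), 0x1000 * (i + 1), align, align + len(body))
        body += blob.ljust(align, b"\0")
    return bytes(hdr) + body

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for name, digest in section_digests(image).items():
        print(digest, name)
```

Run with the path to a kernel.efi as the only argument to print one digest per section; with no argument it runs on the constructed sample.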