Problem
bcvk does not currently support running aarch64 container images on native aarch64 hardware.
EFI zboot kernels
Fedora aarch64 kernels (since F37+) are packaged as EFI zboot images—a PE-format wrapper around a zstd-compressed kernel payload. QEMU's -kernel flag cannot load these directly and fails with:
unable to handle EFI zboot image with 'zstd' compression
x86_64 kernels are shipped uncompressed, so this issue doesn't occur there.
Credential injection with direct kernel boot
On aarch64 with direct kernel boot (-kernel), SMBIOS-based credential injection doesn't work because there's no UEFI firmware to expose SMBIOS tables. This breaks SSH key injection.
Proposed Solution
- Detect EFI zboot images by parsing the PE/zboot header
- Decompress zstd-compressed payloads before passing to QEMU
- Implement virtiofs-based credential injection (aligned with systemd upstream proposal)
A working implementation is available at: https://github.com/cverna/bcvk/tree/aarch64-support
Related
Problem
bcvkdoes not currently support running aarch64 container images on native aarch64 hardware.EFI zboot kernels
Fedora aarch64 kernels (since F37+) are packaged as EFI zboot images—a PE-format wrapper around a zstd-compressed kernel payload. QEMU's
-kernelflag cannot load these directly and fails with:x86_64 kernels are shipped uncompressed, so this issue doesn't occur there.
Credential injection with direct kernel boot
On aarch64 with direct kernel boot (
-kernel), SMBIOS-based credential injection doesn't work because there's no UEFI firmware to expose SMBIOS tables. This breaks SSH key injection.Proposed Solution
A working implementation is available at: https://github.com/cverna/bcvk/tree/aarch64-support
Related