Using QubesOS to work with Windows 7

There are not many articles on Habr devoted to the Qubes operating system, and those I have seen do not describe much of the experience of using it. Below the cut, I hope to correct this with an example of using Qubes as a means of protecting (from) the Windows environment and, at the same time, to estimate the number of Russian-speaking users of the system.


Why Qubes?

The news of the end of technical support for Windows 7 and the growing concern of users created the need to organize the operation of this OS with the following requirements in mind:

  • ensure the use of a fully activated Windows 7, with the user able to install updates and various applications (including over the Internet);
  • implement full or selective isolation of network interaction depending on the situation (an autonomous mode and a traffic-filtering mode);
  • provide the ability to selectively connect removable media and devices.

This set of restrictions assumes a deliberately prepared user, since independent administration is allowed, and the restrictions are not aimed at blocking his possible actions but at isolating possible mistakes or the effects of malicious software. That is, there is no insider in the model.

In searching for a solution, we quickly abandoned the idea of implementing the restrictions with built-in or additional Windows tools, since it is quite difficult to restrict a user who has administrator rights while leaving him the ability to install applications.

The next solution is isolation through virtualization. The well-known desktop virtualization tools (for example, VirtualBox) are not intended for solving security problems, and the user would have to apply the restrictions by switching or adjusting the properties of the guest virtual machine (hereinafter VM), which increases the risk of errors.

At the same time, we had experience using Qubes as a user's desktop system, but had doubts about the stability of working with a Windows guest. It was decided to check the current version of Qubes, since the stated restrictions fit very well into the paradigm of this system, especially its implementation of VM templates and visual integration. Next, I will try to briefly describe the ideas and tools of Qubes, using the solution of our problem as an example.

Xen virtualization modes

Qubes is based on the Xen hypervisor, which minimizes the functions of managing processor resources, memory and virtual machines. All other work with devices is concentrated in dom0, based on the Linux kernel (Qubes uses the Fedora distribution for dom0).


Xen supports several virtualization modes (I will give examples for the Intel architecture, although Xen supports others):

  • paravirtualization (PV) - a virtualization mode without hardware support, reminiscent of container virtualization, applicable to systems with an adapted kernel (dom0 runs in this mode);
  • full virtualization (HVM) - in this mode, hardware support is used for processor resources, and all other hardware is emulated with QEMU. This is the most universal way to run various operating systems;
  • hardware paravirtualization (PVH - ParaVirtualized Hardware) - a virtualization mode using hardware support in which, to work with hardware, the guest kernel uses drivers adapted to the hypervisor's capabilities (for example, shared memory), eliminating the need for QEMU emulation and improving I/O performance. The Linux kernel starting from 4.11 can run in this mode.


Starting with Qubes 4.0, for security reasons, the use of paravirtualization mode was abandoned (including because of known vulnerabilities in the Intel architecture, which are partly mitigated by using full virtualization); PVH mode is used by default.

When emulation is used (HVM mode), QEMU is launched in an isolated VM called a stubdomain, thereby reducing the risk of exploitation of possible errors in its implementation (the QEMU project contains a lot of code, including legacy code). In our case, this mode has to be used for Windows.

Service virtual machines

In the Qubes security architecture, one of the key hypervisor capabilities is the passthrough of PCI devices to a guest environment. Hardware isolation makes it possible to isolate the system part from external attacks. Xen supports this for the PV and HVM modes; in the second case it requires IOMMU support (Intel VT-d) - hardware memory management for virtualized devices.

Several virtual machines are created in this way:

  • sys-net, to which the network devices are passed through and which serves as a bridge for the other VMs, for example those that implement firewall functions or a VPN client;
  • sys-usb, to which the USB and other peripheral device controllers are passed through;
  • sys-firewall, which uses no devices but acts as a firewall for the VMs connected to it.

For working with USB devices, proxy services are used, which provide, among other things:

  • for HID (human interface device) class devices, forwarding of input commands to dom0;
  • for removable media, forwarding of the device's volume to other VMs (except dom0);
  • direct forwarding of a USB device (using USBIP and the integration tools).

In such a scheme, a successful attack through the network stack or through connected devices can lead to the compromise of only the running service VM, and not of the entire system. And after the service VM is restarted, it is loaded in its original state.

VM integration tools

There are several ways to interact with a virtual machine's desktop - installing applications in the guest system, or emulating video with the virtualization tools. The guest applications can be various universal remote access tools (RDP, VNC, Spice, etc.) or tools adapted to a specific hypervisor (such tools are usually called guest tools). A mixed option is also possible, in which the hypervisor emulates I/O for the guest system and, externally, offers a protocol that combines the I/O, such as Spice. At the same time, remote access tools usually optimize the image, since they are designed to work over a network, which does not have a good effect on image quality.

Qubes provides its own tools for VM integration. First of all, this is the graphics subsystem - windows from different VMs are displayed on a single desktop, each with its own colored frame. In general, the integration tools rely on the hypervisor's capabilities - shared memory (Xen grant tables), notification tools (Xen event channels), the xenstore shared storage and the vchan communication protocol. With their help, the basic components qrexec and qubes-rpc are implemented, as well as the application services - audio or USB forwarding, transfer of files or clipboard contents, command execution and application launching. It is possible to set policies that restrict the actions available to a VM. The picture below is an example of the procedure for initiating interaction between two VMs.

[Figure: the procedure for initiating interaction between two VMs]

Thus, interaction with a VM takes place without using the network, which makes it possible to fully use autonomous VMs to avoid data leaks. For example, this is how the separation of cryptographic functions (PGP/SSH) is implemented: the private keys are used in isolated VMs and never leave them.

Templates, application VMs and disposable VMs

All user work in Qubes is done in virtual machines. The main host system is used only for management and visualization. The OS is installed together with a basic set of template virtual machines (TemplateVM). Such a template is a Linux VM based on the Fedora or Debian distribution, with the integration tools installed and configured, and with dedicated system and user partitions. Software installation and updates are performed by the standard package manager (dnf or apt) from the configured repositories, with mandatory digital signature verification (GnuPG). The purpose of such VMs is to ensure the integrity of the application VMs launched from them.

At startup, an application VM (AppVM) uses a snapshot of the system partition of the corresponding template VM, and on shutdown it discards this snapshot without saving changes. The data the user needs is stored in a separate user partition for each application VM, which is mounted in the home directory.


Using disposable VMs (DisposableVM) can be useful from a security point of view. Such a VM is created from a template at startup and is launched for a single purpose - to run one application, terminating after it is closed. A disposable VM can be used to open suspicious files whose contents may lead to the exploitation of a vulnerability in a specific application. The ability to run a disposable VM is integrated into the file manager (Nautilus) and the email client (Thunderbird).

A Windows VM can also be used to create a template and disposable VMs, by moving the user profile to a separate partition. In our variant, the user will use such a template for administrative tasks and for installing applications. Based on the template, several application VMs are created - with limited network access (the standard sys-firewall capabilities) and with no network access at all (no virtual network device is created). All changes and applications installed in the template will be available for work in these VMs, and even if backdoored software is introduced, it will have no network access through which it could be configured.
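The two kinds of application VM described above, created from the Windows template in dom0 with the standard Qubes 4.0 command-line tools, as an added example that is not part of the original article. The template name win7-tmpl, the VM names win7-work and win7-offline and the internal host 10.10.0.5 are assumed placeholders; with DRY_RUN=1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not from the article): Windows AppVMs in Qubes 4.0, run in dom0.
# Assumed names: template "win7-tmpl", AppVMs "win7-work" and "win7-offline".
TEMPLATE="${TEMPLATE:-win7-tmpl}"
INTRANET_HOST="${INTRANET_HOST:-10.10.0.5}"   # constructed placeholder address

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# AppVM whose network access is limited by sys-firewall to one internal
# host over TCP/443; everything else is dropped.
create_restricted_vm() {
    vm="$1"
    run qvm-create --class AppVM --template "$TEMPLATE" --label orange "$vm"
    run qvm-prefs "$vm" virt_mode hvm          # Windows needs full virtualization
    run qvm-prefs "$vm" netvm sys-firewall
    # A new AppVM carries a single "accept" rule (rule 0); replace it with an
    # explicit allow list followed by a final drop.
    run qvm-firewall "$vm" del --rule-no 0
    run qvm-firewall "$vm" add accept dsthost="$INTRANET_HOST" proto=tcp dstports=443
    run qvm-firewall "$vm" add drop
}

# AppVM with no virtual network device at all (netvm set to none).
create_offline_vm() {
    vm="$1"
    run qvm-create --class AppVM --template "$TEMPLATE" --label red "$vm"
    run qvm-prefs "$vm" virt_mode hvm
    run qvm-prefs "$vm" netvm ''
}

# Forbid file transfer out of a VM by prepending a deny rule to the
# qubes.Filecopy qrexec policy (Qubes 4.0 format: source destination action).
deny_filecopy_from() {
    vm="$1"
    run sed -i "1i $vm @anyvm deny" /etc/qubes-rpc/policy/qubes.Filecopy
}

if [ "${1:-}" = "setup" ]; then
    create_restricted_vm win7-work
    create_offline_vm win7-offline
    deny_filecopy_from win7-offline
fi
```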

The fight for Windows

The features described above are the foundation of Qubes and work quite stably; the problems begin with Windows. To integrate Windows, you have to use the Qubes Windows Tools (QWT) guest tool set, which includes drivers for working with Xen, the qvideo driver and a set of tools for data exchange (file transfer, clipboard). The installation and configuration process is described in detail on the project's website, so we will share only our application experience.

The main difficulty is the actual lack of support for the developed tools. The QWT developers appear to be unavailable, and the Windows integration effort is waiting for a lead developer. Therefore, first of all, it was necessary to evaluate the tools' functionality and form an understanding of whether we could support them ourselves, if necessary. The hardest to develop and debug is the graphics driver, which emulates a video adapter and display to render the image into shared memory, allowing either the entire desktop or an application window to be shown directly in a window of the host system. In the course of analyzing the driver's operation, we adapted the code for building in a Linux environment and implemented a debugging scheme between two Windows guest systems. At the cross-build stage, we made several changes that simplified things for us, mainly concerning "silent" installation of the tools, and also eliminated the performance degradation that appeared after working in the VM for a long time. We have presented the results of this work in a separate repository (not long ago, the Qubes Developer Guide was also of interest to us in this respect).

The most critical stage in terms of guest system stability is Windows startup; here you can see the familiar blue screen (or not see anything at all). For most of the errors identified, various solutions were found - removing the Xen block device drivers, disabling VM memory balancing, fixing the network settings, and reducing the number of cores. Our build of the guest tools installs and works on fully updated Windows 7 and Windows 10 (except for qvideo).

When moving from a physical environment to a virtual one, a problem arises with Windows activation if a pre-installed OEM version is used. Such systems use activation based on a license recorded in the device's UEFI. For activation to work correctly, one of the main ACPI tables of the host system (the SLIC table) must be passed to the guest system, and some others must be slightly adjusted to register the manufacturer. Xen allows you to configure the contents of additional ACPI tables, but not to change the main ones. A patch from the similar OpenXT project, adapted for Qubes, helped with the solution. The fix seemed useful not only to us and was passed on to the main Qubes repository and the Libvirt library.

The obvious shortcomings of the Windows integration tools include the lack of support for audio and USB devices, and the difficulty of working with media, since there is no hardware support for the GPU. But the above does not prevent using the VM for working with office documents, nor does it prevent running specific corporate applications.

The requirement to switch to an operating mode without a network, or with a limited network, after creating the Windows VM template is met by creating the corresponding settings of the application VMs, and the possibility of selectively connecting removable media is also solved by the standard OS tools - when connected, they are available in the sys-usb system VM, from where they can be forwarded to the required VM. The user desktop looks like this.

[Figure: the user desktop]

The final configuration of the system was received positively by users (as far as such a comprehensive solution allows), and the standard system tools made it possible to extend the application to the user's mobile workplace with access via VPN.

Instead of a conclusion

Virtualization in general makes it possible to reduce the risks of using Windows systems left without support - it does not force compatibility with new hardware, it allows you to isolate or control the system's access to the network or through connected devices, and it allows you to implement a disposable launch mode.

Based on the idea of isolation through virtualization, Qubes OS helps you apply these and other methods for security. From the outside, many people look at Qubes primarily as a paranoid's hobby, but it is a useful system for engineers, who often switch between projects, infrastructures and the credentials for accessing them, and for security researchers. Separating applications and data and formalizing the procedure for their interaction is the first step of threat analysis and security system design. This separation helps to organize information and reduce the likelihood of errors due to the human factor - haste, fatigue, and so on.

Currently, the main development priority is expanding the functionality of the Linux environment. Version 4.1 is being prepared for release; it will be based on Fedora 31 and include current versions of the key Xen and Libvirt components. It is worth noting that Qubes is created by information security professionals who always promptly release updates when new threats or errors are identified.

Afterword

One of the experimental capabilities we are developing allows creating VMs with support for guest access to the GPU based on Intel GVT-g technology, which makes it possible to use the graphics adapter's capabilities and expand the boundaries of the system's application. At the time of writing, this functionality works for a Qubes 4.1 test build and is available on github.

source: www.habr.com
