Lennart Poettering has proposed a new verified boot architecture for Linux

Lennart Poettering has published a proposal to modernize the boot process of Linux distributions, aimed at solving existing problems and simplifying the organization of a fully verified boot that confirms the integrity of the kernel and the underlying system environment. The changes required to implement the new architecture have already been merged into the systemd codebase and affect components such as systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase and systemd-creds.

The proposed changes boil down to creating a single UKI (Unified Kernel Image) that combines the Linux kernel image, a handler for loading the kernel from UEFI (the UEFI boot stub), and the initrd system environment that is loaded into memory and used for initial startup at the stage before the root FS is mounted. Instead of an initrd RAM disk image, the whole system can be packed into the UKI, which makes it possible to create fully verified system environments that are loaded into RAM. The UKI is formed as an executable file in PE format, which can be loaded not only by traditional bootloaders but also invoked directly from the UEFI firmware.

The ability to be invoked from UEFI makes it possible to use digital signature integrity verification that covers not only the kernel but also the contents of the initrd. At the same time, support for invocation from traditional bootloaders preserves features such as shipping several kernel versions and automatically falling back to a working kernel if problems are found with a new kernel after an update is installed.

Currently, in most Linux distributions, the boot process uses the chain "firmware → shim layer digitally signed by Microsoft → GRUB bootloader signed by the distribution → Linux kernel digitally signed by the distribution → unsigned initrd environment → root FS". The lack of initrd verification in conventional distributions creates security problems, since, among other things, it is in this environment that the keys for decrypting the root file system are retrieved.

Verification of the initrd image is not supported because this file is generated on the user's local system and cannot be certified with the distribution's digital signature, which greatly complicates verification when SecureBoot mode is used (to verify the initrd, the user would need to generate their own keys and load them into the UEFI firmware). Furthermore, the current boot organization does not allow data from the TPM PCR (Platform Configuration Register) registers to be used to control the integrity of user-space components other than shim, grub and the kernel. Among the existing problems, the complexity of updating the bootloader and the inability to block access to keys in the TPM for old OS versions that have become irrelevant after an update is installed are also mentioned.

The main goals of introducing the new boot architecture are:

  • Providing a fully verified boot process that runs from the firmware to user space, confirming the validity and integrity of the loaded components.
  • Binding controlled resources to TPM PCR registers, separated by owner.
  • The ability to precompute PCR values based on the kernel, initrd, configuration and local system ID used at boot.
  • Protection against rollback attacks, i.e. reverting to a previous, vulnerable version of the system.
  • Simplifying updates and making them more reliable.
  • Support for OS updates that do not require re-applying or re-provisioning TPM-protected resources.
  • The system is prepared for remote attestation to confirm the correctness of the loaded OS and its settings.
  • The ability to bind sensitive data to certain boot stages, for example, extracting the encryption keys for the root file system from the TPM.
  • Providing a secure, automatic process, without user involvement, for unlocking the keys that decrypt the root partition.
  • Use of chips that support the TPM 2.0 specification, with the ability to fall back to systems without a TPM.
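To make the UKI format and PCR precomputation described above concrete, here is an added example (not code from the article or from systemd): it builds a constructed, minimal PE image whose named sections carry the kernel, os-release, command line and initrd payloads, reads those sections back the way a stub or verifier would, and predicts a PCR value by extending a fresh SHA-256 register with each section in turn. The section order and the extend rule PCR = H(PCR || H(section)) are simplifying assumptions, not systemd-stub's exact event-log format, and the payloads are placeholders, not a bootable image.

```python
import hashlib
import struct

# Section names a UKI carries (kernel, os-release, kernel command line, initrd).
# Measuring them in this order is an assumption made for the example.
MEASURED_SECTIONS = [".linux", ".osrel", ".cmdline", ".initrd"]


def build_pe(sections):
    """Build a minimal PE/COFF image (constructed toy, not bootable) whose
    section table points at the given (name, payload) pairs."""
    n = len(sections)
    hdr_size = 0x40 + 4 + 20 + 40 * n        # DOS stub, "PE\0\0", COFF header, section table
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: offset of the PE signature
    # Machine=x86-64, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0)
    table, body, offset = bytearray(), bytearray(), hdr_size
    for name, payload in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, lines, counts, flags
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), offset,
                             len(payload), offset, 0, 0, 0, 0, 0)
        body += payload
        offset += len(payload)
    return bytes(dos) + b"PE\0\0" + coff + bytes(table) + bytes(body)


def uki_sections(image):
    """Walk the PE section table and return {section name: payload bytes}."""
    assert image[:2] == b"MZ", "not a PE image"
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    assert image[pe_off:pe_off + 4] == b"PE\0\0", "missing PE signature"
    nsec = struct.unpack_from("<H", image, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", image, pe_off + 20)[0]
    table = pe_off + 4 + 20 + opt_size
    out = {}
    for i in range(nsec):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        out[name.rstrip(b"\0").decode()] = image[rawptr:rawptr + min(vsize, rawsize)]
    return out


def pcr_extend(pcr, data):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def precompute_pcr(image):
    """Predict the PCR value a boot would produce from the image contents alone."""
    secs = uki_sections(image)
    pcr = bytes(32)                          # a freshly reset SHA-256 PCR bank
    for name in MEASURED_SECTIONS:
        if name in secs:
            pcr = pcr_extend(pcr, secs[name])
    return pcr.hex()


# Constructed sample image with placeholder payloads.
SAMPLE = build_pe([(".linux", b"KERNEL-IMAGE"), (".osrel", b"ID=demo\nVERSION_ID=1\n"),
                   (".cmdline", b"root=UUID=placeholder ro"), (".initrd", b"INITRD-CPIO")])
```

Any change to a measured section (a different initrd, an edited command line) yields a different predicted value, which is what lets a policy sealed to the precomputed PCR reject a tampered or rolled-back image.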

source: budenet.ru
