Lennart Poettering presents a new verified boot architecture for Linux

Lennart Poettering has published a proposal to modernise the boot process of Linux distributions, aiming to solve existing problems and to simplify the organisation of a fully verified boot that confirms the authenticity of the kernel and of the base system environment. The changes required to implement the new architecture are already included in the systemd codebase and affect components such as systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase and systemd-creds.

The proposed changes come down to creating a single universal UKI (Unified Kernel Image) that combines the Linux kernel image, a handler for loading the kernel from UEFI (the UEFI boot stub) and the initrd system environment that is loaded into memory and used for the initial boot stage before the root FS is mounted. Instead of an initrd RAM disk image, the entire system can be packaged into the UKI, which makes it possible to build fully verified environments in RAM. The UKI image is formatted as an executable file in PE format, which can be loaded not only by traditional bootloaders but also invoked directly by the UEFI firmware.

Being invocable from UEFI allows digital signatures to be used to verify the integrity not only of the kernel but also of the contents of the initrd. At the same time, support for invocation from traditional bootloaders preserves features such as shipping several kernel versions and automatically rolling back to a working kernel if problems arise with a new kernel after an update is installed.

Currently, in most Linux distributions, the boot process uses the chain "firmware → Microsoft-signed shim layer → GRUB bootloader digitally signed by the distribution → digitally signed Linux kernel → unsigned initrd environment → root FS". The absence of initrd verification in traditional distributions creates security problems, since, among other things, it is in this environment that the keys for decrypting the root filesystem are retrieved.

Verification of initrd images is not supported because this file is generated on the user's system and cannot be certified with the distribution's digital signature, which complicates the organisation of verification when Secure Boot mode is used (to verify the initrd, the user would have to generate their own keys and load them into the UEFI firmware). In addition, the current boot organisation does not allow data from TPM PCR (Platform Configuration Register) registers to be used to control the integrity of user-space components other than shim, grub and the kernel. Among the existing problems, the complexity of updating the bootloader and the inability to restrict access to keys in the TPM for older OS versions that became obsolete after an update was installed are also mentioned.

The main goals of introducing the new boot architecture are:

  • Providing a fully verified process that extends from the firmware to user space, confirming the validity and integrity of the loaded components.
  • Binding controlled resources to TPM PCR registers, separated by owner.
  • The ability to pre-compute PCR values based on the kernel, initrd, configuration and local system ID used during boot.
  • Protection against rollback attacks that involve reverting to a previous, vulnerable version of the system.
  • Simplifying updates and making them more reliable.
  • Support for OS updates that do not require re-enrolling or locally re-provisioning TPM-protected resources.
  • A system ready for remote attestation to confirm the correctness of the booted OS and its configuration.
  • The ability to bind sensitive data to particular boot stages, for example extracting the encryption keys for the root filesystem from the TPM.
  • Providing a secure, automatic, user-free process for unlocking the keys to decrypt the root partition.
  • Use of chips supporting the TPM 2.0 specification, with the ability to fall back to systems without a TPM.
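The goals of pre-computing PCR values and of binding the root key to a particular boot stage rest on the TPM 2.0 extend rule, under which a PCR never resets during a boot and only absorbs digests: new = SHA-256(old || digest). The following Python model, added here as an illustration and not taken from the article or from systemd, reproduces that rule so the expected PCR for a sequence of boot components can be computed ahead of time from their contents; it then shows, with a toy stand-in for TPM sealing, why a key bound to that value is not released to a modified initrd or to a rolled-back kernel. All component blobs (FIRMWARE, SHIM, KERNEL_NEW, INITRD_LOCAL and so on) are constructed placeholders, and PolicyVault is a hypothetical class that only mimics the PCR policy check a real TPM enforces inside the chip.

```python
"""Model of TPM PCR measurement chains for a Linux boot path.

Added illustration (not from the article or systemd): it reproduces the
TPM 2.0 PCR extend rule (new = SHA-256(old || digest)) in pure Python so
that the expected PCR value for a sequence of boot components can be
pre-computed from their contents. All component blobs below are
constructed placeholders, not real firmware, shim, GRUB, kernel or initrd
images, and PolicyVault is a hypothetical stand-in for TPM sealing.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple

PCR_SIZE = 32  # size of one register in the SHA-256 bank


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: the register cannot be set, only extended."""
    assert len(pcr) == PCR_SIZE and len(digest) == PCR_SIZE
    return sha256(pcr + digest)


def predict_pcr(components: Iterable[bytes]) -> bytes:
    """Pre-compute the value a PCR holds after each component's SHA-256 has
    been extended into it in boot order, starting from the all-zero reset
    value. Order matters: swapping two components changes the result."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = pcr_extend(pcr, sha256(blob))
    return pcr


class PolicyVault:
    """Hypothetical stand-in for TPM sealing: a secret is released only when
    the observed PCR equals the value recorded at seal time. A real TPM
    enforces the same condition inside the chip through a PCR policy."""

    def __init__(self) -> None:
        self._sealed: List[Tuple[bytes, bytes]] = []

    def seal(self, secret: bytes, expected_pcr: bytes) -> None:
        self._sealed.append((expected_pcr, secret))

    def unseal(self, observed_pcr: bytes) -> Optional[bytes]:
        for expected, secret in self._sealed:
            if expected == observed_pcr:
                return secret
        return None  # policy mismatch: nothing is released


# Constructed placeholder "images"; the names follow the boot chain in the article.
FIRMWARE = b"constructed-firmware-v1"
SHIM = b"constructed-shim-signed-by-microsoft"
KERNEL_OLD = b"constructed-vmlinuz-6.0"
KERNEL_NEW = b"constructed-vmlinuz-6.1"
INITRD_LOCAL = b"constructed-initrd-as-shipped"
INITRD_TAMPERED = b"constructed-initrd-with-extra-hook"


def uki_chain(kernel: bytes, initrd: bytes) -> List[bytes]:
    """A UKI is one PE blob holding stub + kernel + initrd, so the party that
    builds and signs it can publish the digest of exactly what boots."""
    uki = b"constructed-stub" + kernel + initrd
    return [FIRMWARE, SHIM, uki]


def demo() -> dict:
    """Seal a root volume key to the PCR expected for the updated UKI and
    check which boot paths get it back."""
    vault = PolicyVault()
    root_key = b"constructed-luks-volume-key"
    expected = predict_pcr(uki_chain(KERNEL_NEW, INITRD_LOCAL))
    vault.seal(root_key, expected)
    return {
        "new_kernel_ok": vault.unseal(predict_pcr(uki_chain(KERNEL_NEW, INITRD_LOCAL))) == root_key,
        "tampered_initrd_refused": vault.unseal(predict_pcr(uki_chain(KERNEL_NEW, INITRD_TAMPERED))) is None,
        "rollback_refused": vault.unseal(predict_pcr(uki_chain(KERNEL_OLD, INITRD_LOCAL))) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Because `predict_pcr` needs only the bytes of the components, the expected value can be computed at image build time and a new policy enrolled before the updated UKI is ever booted, which is what lets an update avoid re-provisioning the TPM-protected key on each machine. The model deliberately omits what a real TPM adds on top of this rule: the event log, the separate PCR indices used for firmware, bootloader and kernel measurements, and the cryptographic binding of the sealed blob to the chip.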

Source: opennet.ru
