Release of the systemd 252 system manager with UKI (Unified Kernel Image) support

After five months of development, the release of the systemd 252 system manager has been presented. The key change in the new version is the integration of support for a modern boot process that makes it possible to verify, using digital signatures, not only the kernel and the bootloader but also the components of the root system environment.

The proposed method involves using unified UKI (Unified Kernel Image) images at boot time. A UKI combines the handler for loading the kernel from UEFI (the UEFI boot stub), the Linux kernel image, and the initrd system environment that is loaded into memory and used for the initial stage of the boot before the root FS is mounted. UKI images are packaged as a single executable file in PE format that can be loaded by conventional bootloaders or called directly from UEFI firmware. When called from UEFI, it is possible to verify the integrity and authenticity of digital signatures not only for the kernel but also for the contents of the initrd.

To compute the expected values of TPM PCR (Trusted Platform Module Platform Configuration Register) registers, which are used to monitor integrity and to generate digital signatures for UKI images, a new utility has been included. The public key and the PCR data used in the signature can be embedded directly into the UKI boot image (the key and the signature are stored in the PE file in the '.pcrsig' and '.pcrkey' sections) and extracted by external or built-in utilities.
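
To see what the embedded key and signature look like at the file level, here is an added example (not code from systemd or from the article) that walks the section table of a PE image and returns the payloads of the '.pcrsig' and '.pcrkey' sections when they are present. It parses only the PE headers; the inner format of those sections and the way the signature is verified are not described on this page, so the payloads are returned as raw bytes. The `build_test_pe` helper is an assumption of this example: it constructs a toy PE in memory, containing no kernel at all, so the parser can be exercised offline.

```python
"""Locate the '.pcrsig' and '.pcrkey' sections of a UKI, which is a PE executable.

Added example: it only walks the PE header and section table and returns the raw
section payloads; it does not verify any signature.
"""
import struct

SECTION_HEADER_SIZE = 40          # fixed size of one IMAGE_SECTION_HEADER
COFF_HEADER_SIZE = 20             # fixed size of the COFF file header


def pe_sections(data: bytes) -> dict:
    """Return {section_name: payload_bytes} for every section of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if data[pe_offset:pe_offset + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE\\0\\0 signature")
    coff = pe_offset + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = {}
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        raw_name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        # SizeOfRawData is padded to the file alignment; VirtualSize is the real length
        size = min(vsize, raw_size) if vsize else raw_size
        if raw_ptr + size > len(data):
            raise ValueError(f"section {name!r} extends past the end of the file")
        sections[name] = data[raw_ptr:raw_ptr + size]
    return sections


def pcr_policy_sections(data: bytes) -> dict:
    """Return the '.pcrsig' and '.pcrkey' payloads of a UKI, or {} if it carries neither."""
    found = pe_sections(data)
    return {n: found[n] for n in (".pcrsig", ".pcrkey") if n in found}


def build_test_pe(sections: dict) -> bytes:
    """Constructed minimal PE (no real kernel inside) so the parser can be tested offline.

    Sections are laid out back to back right after the section table, with an
    empty optional header; that is enough for a section-table walk.
    """
    names = list(sections)
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)      # e_lfanew -> offset 64
    coff_header = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)
    raw_ptr = 64 + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(names)
    table, body = b"", b""
    for name in names:
        payload = sections[name]
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(payload), 0, len(payload), raw_ptr, 0, 0, 0, 0, 0)
        body += payload
        raw_ptr += len(payload)
    return dos_header + b"PE\0\0" + coff_header + table + body


if __name__ == "__main__":
    # Constructed sample: a UKI-shaped PE carrying the two policy sections.
    sample = build_test_pe({
        ".text": b"\x90" * 16,
        ".pcrsig": b'{"constructed": "signature placeholder"}',
        ".pcrkey": b"-----BEGIN PUBLIC KEY----- (constructed placeholder)",
    })
    for name, payload in pcr_policy_sections(sample).items():
        print(f"{name}: {len(payload)} bytes")
```

A missing '.pcrsig' or '.pcrkey' section simply yields an empty result, which is the check a deployment script would want before relying on PCR-bound unlocking; an image whose section table points outside the file is rejected rather than silently truncated.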

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this data, which makes it possible to bind encrypted disk data to digitally signed images (in this case, access to the encrypted partition is granted only if the UKI image has passed digital-signature verification against the values held in the TPM).

Additionally, the systemd-pcrphase utility has been included, which makes it possible to control the binding of different boot stages to values in the memory of cryptoprocessors that support the TPM 2.0 specification (for example, the LUKS2 partition decryption key can be made available in the initrd image and access to it blocked in the later boot stages).

Some other changes:

  • The default locale is set to C.UTF-8 unless a different locale is specified in the settings.
  • It is now possible to apply service presets ("systemctl preset") at first boot. Enabling presets at boot time requires building with the "-Dfirst-boot-full-preset" option, but it is planned to enable this by default in a future release.
  • User manager instances are integrated with CPU control, which makes it possible to apply CPUWeight values to each of the slices used to distribute processes across areas (app.slice, background.slice, session.slice), in order to separate the resources of different user services competing for CPU time. CPUWeight also supports the "idle" value for making use of idle CPU resources.
  • For transient units and in the systemd-repart utility, values can be overridden by creating drop-in files in the /etc/systemd/system/name.d/ directory.
  • For system images, an end-of-support flag is provided; the date is determined from the value of the new "SUPPORT_END=" parameter in the /etc/os-release file.
  • Added the "ConditionCredential=" and "AssertCredential=" settings, which can be used to skip or fail a unit if a given credential is not present on the system.
  • Added the "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings to system.conf and user.conf to define the default SMACK security label and device unit timeout.
  • In the "ConditionFirmware=" and "AssertFirmware=" settings, the ability to specify an individual SMBIOS field has been added; for example, to start a unit only if the /sys/class/dmi/id/board_name field contains the value "Custom Board", you can specify "ConditionFirmware=smbios-field(board_name = "Custom Board")".
  • During startup of the init process (PID 1), the ability to import credentials from SMBIOS fields (Type 11, "OEM vendor strings") has been added, in addition to importing them from qemu_fwcfg, which simplifies supplying credentials to virtual machines and removes the need for third-party tools such as cloud-init and ignition.
  • During shutdown, the logic for unmounting virtual file systems (proc, sys) has been changed, and information about the processes blocking the unmounting of file systems is saved in the log.
  • The system call filter (SystemCallFilter) allows access to the riscv_flush_icache system call by default.
  • The sd-boot bootloader has gained the ability to boot in mixed mode, where a 64-bit Linux kernel is loaded from 32-bit UEFI firmware. An experimental ability to enroll SecureBoot keys from files found in the ESP (EFI system partition) has also been added.
  • New options have been added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" for working with directories or disk images, "--install-source=" for specifying the installation source, and "--efi-boot-option-description=" for controlling the name of the boot entry.
  • The 'list-automounts' command has been added to the systemctl utility to display the list of registered automount points, along with the "--image=" option to execute commands against a specified disk image. Added the "--state=" and "--type=" options for the 'show' and 'status' commands.
  • systemd-networkd has gained the options "TCPCongestionControlAlgorithm=" to select the TCP congestion control algorithm, "KeepFileDescriptor=" to keep the file descriptor of TUN/TAP interfaces, "NetLabel=" to set NetLabels, and "RapidCommit=" to speed up DHCPv6 configuration (RFC 3315). The "RouteTable=" parameter allows routing table names to be specified.
  • systemd-nspawn allows relative paths in the "--bind=" and "--overlay=" options. Added support for the 'rootidmap' parameter of the "--bind=" option to map the root user ID inside the container to the owner of the directory mounted from the host.
  • systemd-resolved uses OpenSSL as its cryptographic backend by default (gnutls support is retained as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of returning an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl support substitution via credentials.
  • Added the 'compare-versions' command to systemd-analyze to compare strings containing version numbers (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). Added the ability to filter units by mask for the 'systemd-analyze dump' command.
  • When the multi-stage sleep mode (suspend-then-hibernate) is selected, the time spent in standby mode is now chosen based on an estimate of the remaining battery charge. An immediate transition to hibernation occurs when less than 5% of the battery charge remains.
  • A new output mode "-o short-delta" has been added to 'journalctl', showing the time difference between messages in the log.
  • systemd-repart has added support for creating partitions with the Squashfs file system and partitions for dm-verity, including with digital signatures.
  • Added the "StopIdleSessionSec=" setting to systemd-logind to terminate an idle session after the specified time.
  • systemd-cryptenroll has added the "--unlock-key-file=" option to read the decryption key from a file instead of prompting the user.
  • It is now possible to run the systemd-growfs utility in an environment without udev.
  • systemd-backlight has improved support for systems with multiple graphics cards.
  • The license for the example code provided in the documentation has been changed from CC0 to MIT-0.

Changes affecting compatibility:

  • When checking the version number with the ConditionKernelVersion directive, simple string comparison is now used for the '=' and '!=' operators, and if the comparison operator is not specified at all, glob-mask matching with the characters '*', '?', '[' and ']' can be used. To compare versions in strverscmp() style, use the '<', '>', '<=' and '>=' operators.
  • The SELinux label used to check access from unit files is now read when the file is loaded, not at the time of the check.
  • The "ConditionFirstBoot" condition now triggers on the first boot of the system only directly during the boot stage, and returns "false" when units are invoked after the boot has completed.
  • In 2024, systemd plans to drop support for the cgroup v1 resource limiting mechanisms, which were deprecated in systemd release 248. Administrators are advised to take care in advance of migrating cgroup v1-based services to cgroup v2. The key difference between cgroups v2 and v1 is the use of a single cgroups hierarchy for all types of resources, instead of separate hierarchies for CPU resource allocation, for memory management, and for I/O. Separate hierarchies made it difficult to organize interaction between the handlers and added resource overhead when applying rules to processes referenced in different hierarchies.
  • In mid-2023, the systemd developers plan to end support for split directory hierarchies, where /usr is mounted separately from the root, or /bin and /usr/bin, /lib and /usr/lib are kept separate.
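
The ConditionKernelVersion= change above separates two behaviours: '=' and '!=' are plain string comparison with shell-glob wildcards, while the ordering operators compare versions strverscmp()-style. The following added example (not systemd's own code) evaluates such a condition against a constructed kernel version string so the difference is visible, for instance that "=5.10" no longer matches a running "5.10.0" while "=5.10*" does. The `_version_key` function is an assumption of this example: a simplified approximation of strverscmp() (digit runs compared numerically, other runs as text) chosen for illustration, not systemd's implementation.

```python
"""Evaluate a ConditionKernelVersion= value with the systemd 252 semantics.

Added example, not systemd code. '=' / '!=' use string comparison with shell
globs; '<', '<=', '>', '>=' use a simplified strverscmp()-style ordering.
"""
import fnmatch
import re

# Longer operators first so that "<=" is not read as "<" followed by "=5...".
_OPERATORS = ("<=", ">=", "!=", "<", ">", "=")


def _version_key(version: str) -> list:
    """Simplified strverscmp()-style sort key (assumption of this example).

    Digit runs compare numerically, everything else compares as text, and a
    version that is a prefix of another sorts before it ("5.10" < "5.10.0").
    """
    return [(0, int(tok)) if tok.isdigit() else (1, tok)
            for tok in re.findall(r"\d+|\D+", version)]


def parse_condition(condition: str) -> tuple:
    """Split 'ConditionKernelVersion=' text into (operator, operand); default operator is '='."""
    cond = condition.strip()
    for op in _OPERATORS:
        if cond.startswith(op):
            return op, cond[len(op):].strip()
    return "=", cond


def kernel_version_matches(condition: str, running: str) -> bool:
    """Return True if the running kernel version satisfies the condition."""
    op, operand = parse_condition(condition)
    if op in ("=", "!="):
        # String comparison with shell-style wildcards ('*', '?', '[...]').
        hit = fnmatch.fnmatchcase(running, operand)
        return hit if op == "=" else not hit
    lhs, rhs = _version_key(running), _version_key(operand)
    return {"<": lhs < rhs, "<=": lhs <= rhs, ">": lhs > rhs, ">=": lhs >= rhs}[op]


if __name__ == "__main__":
    running = "5.10.0-generic"   # constructed sample, not read from the host
    for cond in ("=5.10", "=5.10*", ">=5.10", "<6", "!=4.*"):
        print(f"ConditionKernelVersion={cond!r:12} -> {kernel_version_matches(cond, running)}")
```

The practical consequence for unit authors is in the first two cases: an exact "=5.10" that previously relied on version semantics silently becomes false against "5.10.0", so either append a glob or switch to ">=".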

Source: opennet.ru
