Lennart Poettering has published a plan for a new verified boot architecture for Linux

Lennart Poettering has published a plan to modernize the boot process of Linux distributions. It is aimed at solving existing problems and at simplifying the construction of a fully verified boot chain, one that extends the trust already placed in the kernel to the system environment loaded beneath it. The changes required to implement the new architecture have already been merged into the systemd codebase and touch components such as systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase and systemd-creds.

The proposed changes come down to producing a single unified image, the UKI (Unified Kernel Image), which bundles the Linux kernel image, the UEFI boot stub that loads the kernel from UEFI, and the initrd system environment that is loaded into memory and used for early initialization before the root filesystem is mounted. Instead of an initrd RAM disk, an entire system can be packed into a UKI, which makes it possible to build fully verified system environments that run from RAM. The UKI is laid out as an executable in PE format, so it can be loaded not only by conventional bootloaders but also invoked directly by the UEFI firmware.

Invocation from UEFI allows the firmware to verify a digital signature that covers not only the kernel but also the contents of the initrd. At the same time, retaining support for invocation from conventional bootloaders preserves features such as shipping several kernel versions side by side and automatically rolling back to a working kernel if problems are detected with the new kernel after an update is installed.

Today, in most Linux distributions, the boot process follows the chain "firmware → Microsoft-signed shim layer → GRUB bootloader signed by the distribution → Linux kernel signed by the distribution → unsigned initrd environment → root FS". The absence of initrd verification in traditional distributions creates a security problem, since, among other things, it is in this environment that the keys for decrypting the root filesystem are retrieved.

Verification of the initrd image is not supported because this file is generated on the user's local system and therefore cannot be certified with the distribution's signing key, which greatly complicates verification under Secure Boot (to verify the initrd, the user would have to generate their own keys and enroll them in the UEFI firmware). In addition, the current boot design does not allow the TPM PCR (Platform Configuration Register) values to be used to check the integrity of any boot components other than shim, GRUB and the kernel. Other problems noted are the complexity of updating the bootloader and the inability to deny access to TPM-protected keys to old OS versions that have become obsolete after an update is installed.

The main goals of introducing the new architecture are:

  • Providing a fully verified boot process that runs from the firmware to user space, confirming the authenticity and integrity of the loaded components.
  • Binding the resources being protected to TPM PCR registers, separated by owner.
  • The ability to pre-compute PCR values from the kernel, initrd, configuration and local system ID used at boot.
  • Protection against rollback attacks that revert to a previous, vulnerable version of the system.
  • Simpler and more reliable updates.
  • Support for OS updates that do not require re-enrolling or locally re-provisioning TPM-protected resources.
  • Readiness of the system for remote attestation, to prove the authenticity of the OS and of the configuration being booted.
  • The ability to bind sensitive data to specific boot phases, for example releasing the root filesystem encryption key from the TPM only during a given phase.
  • A secure, automatic and unattended process for unlocking the key that decrypts the root partition.
  • Use of components that follow the TPM 2.0 specification, with the ability to fall back on systems without a TPM.
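The mechanism behind several of these goals (pre-computing PCR values from the UKI's contents, binding a key to a boot phase, and refusing the key to a rolled-back or tampered image) is the TPM extend rule: PCR' = SHA256(PCR || SHA256(data)). The following is an added example, written for this article and not taken from systemd or the opennet.ru text. It parses the section table of a PE file the way one would locate the .linux/.initrd/.cmdline sections of a UKI, replays the extend rule over those sections and over boot-phase strings, and checks whether a value that a secret was sealed to would match a given image at a given phase. The section order, the phase strings and the hashing of raw section bytes are assumptions that simplify what systemd-stub, systemd-pcrphase and systemd-measure actually do; the PE container built here is a stand-in with constructed contents, not a real kernel or initrd, and a real deployment would use systemd-measure rather than this code.

```python
"""Model of UKI section measurement into a TPM PCR (constructed example)."""
import hashlib
import struct

# Assumed measurement order of UKI sections and of boot phases; confirm
# against the stub/measure tooling actually in use before relying on it.
UKI_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".splash",
                ".dtb", ".uname", ".sbat", ".pcrpkey")
BOOT_PHASES = ("enter-initrd", "leave-initrd", "sysinit", "ready")
PCR_LEN = 32  # SHA-256 bank


def pe_sections(image: bytes) -> dict:
    """Return {name: raw bytes} for every section in a PE/COFF image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # start of the COFF file header
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows optional header
    out = {}
    for i in range(num_sections):
        off = table + 40 * i                  # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        out[name] = image[raw_ptr:raw_ptr + min(vsize, raw_size)]
    return out


def build_pe(sections: dict) -> bytes:
    """Assemble a minimal PE/COFF container holding the named sections.
    Stand-in for a real UKI: no code, empty optional header."""
    names = list(sections)
    e_lfanew, opt_size = 0x40, 0
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(names)   # first raw data offset
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, opt_size, 0x2002)
    headers, body = b"", b""
    for n in names:
        data = sections[n]
        headers += n.encode("ascii").ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), ptr, len(data), ptr, 0, 0, 0, 0, 0x40000040)
        body += data
        ptr += len(data)
    return dos + b"PE\0\0" + coff + headers + body


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2 PCR extend: PCR' = H(PCR || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr(sections: dict, phase: str = "") -> bytes:
    """Expected PCR value after the UKI sections are measured and, if a phase
    is given, after the boot phases up to and including it."""
    pcr = bytes(PCR_LEN)                      # PCR starts out all zeros
    for name in UKI_SECTIONS:
        if name in sections:
            pcr = extend(pcr, sections[name])
    if phase:
        for p in BOOT_PHASES:
            pcr = extend(pcr, p.encode())
            if p == phase:
                break
    return pcr


def policy_matches(policy_pcr: bytes, sections: dict, phase: str) -> bool:
    """Would a secret sealed to policy_pcr be released to this image at this phase?"""
    return predict_pcr(sections, phase) == policy_pcr


# Constructed stand-in section contents (real ones are the kernel, initrd, ...).
OLD_UKI = {".linux": b"kernel-6.1-vulnerable", ".osrel": b"ID=demo\nVERSION_ID=1\n",
           ".cmdline": b"root=/dev/mapper/root ro", ".initrd": b"initrd-v1"}
NEW_UKI = {**OLD_UKI, ".linux": b"kernel-6.2-fixed", ".initrd": b"initrd-v2"}


def demo() -> dict:
    """Seal to the new image at enter-initrd, then probe other images/phases."""
    new = pe_sections(build_pe(NEW_UKI))
    old = pe_sections(build_pe(OLD_UKI))
    policy = predict_pcr(new, "enter-initrd")  # value the root FS key is sealed to
    tampered = {**new, ".cmdline": b"root=/dev/mapper/root ro init=/bin/sh"}
    return {
        "new_image_unlocks": policy_matches(policy, new, "enter-initrd"),
        "old_image_unlocks": policy_matches(policy, old, "enter-initrd"),   # rollback
        "after_leave_initrd": policy_matches(policy, new, "leave-initrd"), # wrong phase
        "tampered_cmdline": policy_matches(policy, tampered, "enter-initrd"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The phase binding is what lets the key be released only while the initrd is unlocking the root volume and not later in user space: once "leave-initrd" has been extended into the PCR, the value no longer matches the policy, even though the image itself is unchanged.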

Source: opennet.ru
