Using QubesOS to work with Windows 7

There are not many articles on Habr devoted to the Qubes operating system, and those I have seen say little about the experience of using it. Below the cut, I hope to fix this using the example of Qubes as a means of protecting (against) a Windows environment and, at the same time, to estimate the number of Russian-speaking users of the system.

Why Qubes?

The story of the end of technical support for Windows 7 and growing anxiety among users led to the need to organize work with this OS, taking the following requirements into account:

  • ensure the use of a fully working Windows 7 with the ability for the user to install updates and various applications (including via the Internet);
  • implement complete or selective exclusion of network interactions depending on conditions (standalone operation and traffic filtering modes);
  • provide the ability to selectively connect removable media and devices.

This set of restrictions assumes a well-prepared user, since independent administration is allowed, and the restrictions are not about blocking what the user can do but about excluding possible mistakes or destructive software effects. That is, there is no insider attacker in the model.

While looking for a solution, we quickly abandoned the idea of implementing the restrictions with built-in or additional Windows tools, since it is hard to restrict a user who has administrator rights while leaving them the ability to install applications.

The next solution was isolation using virtualization. Well-known desktop virtualization tools (for example, VirtualBox) are poorly suited to solving security problems, and the listed restrictions would have to be implemented by the user constantly switching or adjusting the properties of the guest virtual machine (hereinafter VM), which increases the risk of errors.

At the same time, we had experience using Qubes as a user's desktop system, but had doubts about the stability of working with Windows guests. It was decided to check the current version of Qubes, since the stated restrictions fit very well into the paradigm of this system, especially the implementation of virtual machine templates and visual integration. Next, I will try to talk briefly about the ideas and tools of Qubes, using the solution of this problem as the example.

Xen virtualization types

Qubes is based on the Xen hypervisor, which keeps to a minimum the functions of managing processor resources, memory and virtual machines. All other work with devices is concentrated in dom0, which is based on the Linux kernel (Qubes uses the Fedora distribution for dom0).

Xen supports several types of virtualization (I will give examples for the Intel architecture, although Xen supports others):

  • paravirtualization (PV): a virtualization mode without hardware support, reminiscent of container virtualization; it can be used for systems with an adapted kernel (dom0 works in this mode);
  • full virtualization (HVM): in this mode hardware support is used for processor resources, and all other equipment is emulated using QEMU. This is the most universal way to run various operating systems;
  • paravirtualization of hardware (PVH, ParaVirtualized Hardware): a virtualization mode using hardware support in which, to work with hardware, the guest kernel uses drivers adapted to the capabilities of the hypervisor (for example, shared memory), eliminating the need for QEMU emulation and increasing I/O performance. The Linux kernel starting from 4.11 can work in this mode.

Starting with Qubes 4.0, for security reasons, the use of paravirtualization mode is abandoned (including because of known vulnerabilities in the Intel architecture, which are partially mitigated by the use of full virtualization); PVH mode is used by default.

When emulation is used (HVM mode), QEMU is launched in an isolated VM called a stubdomain, thereby reducing the risk of exploiting potential bugs in the implementation (the QEMU project contains a lot of code, including code kept for compatibility).
In our case, this mode should be used for Windows.

Service virtual machines

In the Qubes security architecture, one of the key capabilities of the hypervisor is passing PCI devices through to the guest environment. Hardware isolation lets you separate the host part of the system from external attacks. Xen supports this for PV and HVM modes; in the second case it requires IOMMU support (Intel VT-d), that is, hardware memory management for virtualized devices.

This creates several system virtual machines:

  • sys-net, to which network devices are passed and which is used as a bridge for other VMs, for example those that implement firewall or VPN client functions;
  • sys-usb, to which USB and other peripheral device controllers are passed;
  • sys-firewall, which does not use devices but works as a firewall for the VMs connected to it.

To work with USB devices, proxy services are used, which provide, among other things:

  • for the HID (human interface device) device class, sending commands to dom0;
  • for removable media, redirecting device volumes to other VMs (except dom0);
  • redirecting the USB device directly (using USBIP and the integration tools).

In such a configuration, a successful attack through the network stack or connected devices can compromise only the running service VM, not the entire system. And after the service VM is restarted, it is loaded in its original state.

VM integration tools

There are several ways to interact with a virtual machine's desktop: installing applications in the guest system or emulating video using virtualization tools. Guest applications can be various universal remote access tools (RDP, VNC, Spice, etc.) or ones adapted to a specific hypervisor (such tools are usually called guest utilities). A mixed option can also be used, where the hypervisor emulates I/O for the guest system and externally provides the ability to use a protocol that combines I/O, for example Spice. At the same time, remote access tools usually optimize the image, since they assume work over a network, which does not have a positive effect on image quality.

Qubes provides its own tools for VM integration. First of all, this is the graphical subsystem: windows from different VMs are displayed on a single desktop, each with its own colored frame. In general, the integration tools are based on the capabilities of the hypervisor: shared memory (Xen grant table), notification tools (Xen event channel), the shared xenstore storage and the vchan communication protocol. With their help, the basic components qrexec and qubes-rpc and the application services are implemented: audio or USB redirection, transfer of files or clipboard contents, execution of commands and launching of applications. It is possible to set policies that limit the services available on a VM. The figure below is an example of the procedure for initializing the interaction of two VMs.

Thus, work in a VM is carried out without using a network, which makes it possible to make full use of autonomous VMs to avoid information leaks. For example, this is how separation of cryptographic operations (PGP/SSH) is implemented: private keys are used in isolated VMs and never leave them.
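
The service policies mentioned above can be pictured as per-service rule lists. The following added example (not code from the article or from Qubes) is a simplified model of first-match evaluation over "source target action" lines modelled on Qubes 4.x policy files; the VM names, tags and rules are constructed for the article's Windows scenario, and special handling of dom0 is not modelled.

```python
# Simplified model of qrexec policy evaluation; added example, not Qubes code.
# Rules use the "source target action" form; first match wins, no match = deny.

# Constructed policy for the qubes.Filecopy service; VM names are hypothetical.
FILECOPY_POLICY = """
# source      target        action
win7-offline  @anyvm        deny
win7-net      win7-offline  ask
@tag:windows  sys-usb       deny
@anyvm        vault         deny
@anyvm        @anyvm        ask
"""

# Constructed tag assignments, as an administrator might set them.
TAGS = {"win7-offline": {"windows"}, "win7-net": {"windows"},
        "win7-template": {"windows"}, "work": set(), "vault": set()}

def parse_policy(text):
    """Return a list of (source, target, action) tuples, skipping comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'source target action'")
        action = fields[2].split(",", 1)[0]  # drop options such as user=...
        if action not in ("allow", "deny", "ask"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append((fields[0], fields[1], action))
    return rules

def matches(token, vm):
    """Match one policy token (name, @anyvm or @tag:NAME) against a VM name."""
    if token == "@anyvm":
        return True
    if token.startswith("@tag:"):
        return token[len("@tag:"):] in TAGS.get(vm, set())
    return token == vm

def evaluate(rules, source, target):
    """Return the action of the first matching rule; deny when none matches."""
    for src, dst, action in rules:
        if matches(src, source) and matches(dst, target):
            return action
    return "deny"
```

Because the first match decides, the specific deny for the offline Windows VM has to sit above the catch-all `ask` line; reversing the order would let every copy request reach the confirmation prompt.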

Templates, application and disposable VMs

All user work in Qubes is done in virtual machines. The main host system is used to manage and display them. The OS is installed together with a basic set of template virtual machines (TemplateVM). Such a template is a Linux VM based on the Fedora or Debian distribution, with the integration tools installed and configured, and with dedicated system and user partitions. Software is installed and updated by the standard package manager (dnf or apt) from configured repositories with mandatory digital signature verification (GnuPG). The purpose of such VMs is to ensure trust in the application VMs launched on their basis.

At startup, an application VM (AppVM) uses a snapshot of the system partition of the corresponding VM template, and on shutdown deletes this snapshot without saving changes. The data the user needs is stored in a user partition unique to each application VM, which is mounted in the home directory.

Using disposable VMs (disposableVM) can be useful from a security point of view. Such a VM is created from a template at startup and is launched for one purpose: to run a single application, shutting down after the application is closed. Disposable VMs can be used to open suspicious files whose contents could lead to exploitation of vulnerabilities in specific applications. The ability to run a disposable VM is integrated into the file manager (Nautilus) and the email client (Thunderbird).

A Windows VM can also be used to create a template and a disposable VM by moving the user profile to a separate partition. In our version, such a template will be used by the user for administration tasks and for installing applications. Based on the template, several application VMs will be created: with limited access to the network (standard sys-firewall capabilities) and with no network access at all (no virtual network device is created). All changes and applications installed in the template will be available in these VMs, and even if software implants (backdoors) are introduced, they will not have network access.

The fight for Windows

The features described above are the basis of Qubes and work quite stably; the difficulties begin with Windows. To integrate Windows, you need to use the Qubes Windows Tools (QWT) guest tools, which include drivers for working with Xen, the qvideo driver and a set of utilities for information exchange (file transfer, clipboard). Installation and configuration are documented in detail on the project website, so we will share our experience of using them.

The main difficulty is the lack of support for the tools that were developed. The key developers (QWT) appear to be unavailable and the Windows integration project is waiting for a lead developer. Therefore, first of all, it was necessary to assess how well it works and to form an understanding of whether we could support it ourselves, if necessary. The hardest part to develop and debug is the graphics driver, which emulates the video adapter and display to generate an image in shared memory, letting you show the entire desktop or an application window directly in a window of the host system. While analyzing how the driver works, we adapted the code to build in a Linux environment and worked out a debugging scheme between two Windows guest systems. At the cross-build stage, we made several changes that simplified things for us, mainly in terms of "silent" installation of the utilities, and also eliminated the annoying degradation of performance when working in the VM for a long time. We published the results of the work in a separate repository, thereby briefly inspiring the lead Qubes developer.

The most critical stage in terms of guest system stability is Windows startup; here you can see the familiar blue screen (or not even see it). For most of the errors identified, there were various workarounds: removing the Xen block device drivers, disabling VM memory balancing, fixing network settings, and minimizing the number of cores. Our build of the guest tools installs and runs on fully updated Windows 7 and Windows 10 (except qvideo).

When moving from a physical environment to a virtual one, a problem arises with Windows activation if pre-installed OEM versions are used. Such systems use activation based on licenses specified in the device's UEFI. For activation to work correctly, it is necessary to pass one of the host's ACPI sections (the SLIC table) through to the guest system and slightly edit the others, registering the manufacturer. Xen lets you customize the ACPI content of additional tables, but without modifying the main ones. A patch from the similar OpenXT project, adapted for Qubes, helped with the solution. The fixes turned out to be useful not only to us and were upstreamed into the main Qubes repository and the Libvirt library.

The obvious disadvantages of the Windows integration tools include the lack of support for audio and USB devices, and the difficulty of working with media, since there is no hardware support for the GPU. But none of this prevents using the VM for working with office documents, nor does it prevent launching specific corporate applications.

The requirement to switch to an operating mode with no network or a limited network after creating the Windows VM template was met by creating the appropriate configurations of application VMs, and the ability to selectively connect removable media was also solved by standard OS tools: when connected, they are available in the sys-usb system VM, from where they can be "forwarded" to the required VM. The user's desktop looks something like this.

The final version of the system was received positively by users (as far as such a comprehensive solution allows), and the standard tools of the system made it possible to extend the application to the user's mobile workplace with access via VPN.

Instead of a conclusion

Virtualization in general lets you reduce the risks of using Windows systems left without support: it does not force compatibility with new hardware, it lets you exclude or control access to the system over the network or through connected devices, and it lets you implement a one-time launch environment.

Based on the idea of isolation through virtualization, Qubes OS helps you implement these and other security mechanisms. From the outside, many people see Qubes primarily as a desire for anonymity, but it is a useful system both for engineers, who often juggle projects, infrastructures and the secrets used to access them, and for security researchers. Separating applications and data and formalizing their interaction are the initial steps of threat analysis and security system design. This separation helps to structure information and reduce the likelihood of errors caused by the human factor: haste, fatigue, and so on.

Currently, the main emphasis in development is on extending the functionality of Linux environments. Version 4.1 is being prepared for release; it will be based on Fedora 31 and include current versions of the key components Xen and Libvirt. It is worth noting that Qubes is created by information security professionals who always promptly release updates when new threats or errors are identified.

Afterword

One of the experimental capabilities we are developing lets us create VMs with support for guest access to the GPU based on Intel GVT-g technology, which lets us use the capabilities of the graphics adapter and significantly expand the scope of the system. At the time of writing, this functionality works for test builds of Qubes 4.1, and is available on github.

Source: www.habr.com
