Lennart Poettering wasindikiza malingaliro oti asinthe kachitidwe ka boot kagawidwe ka Linux, cholinga chake ndi kuthetsa mavuto omwe alipo komanso kupangitsa kuti gulu la boot lotsimikizika lomwe limatsimikizira kudalirika kwa kernel ndi chilengedwe. Zosintha zomwe zimafunikira kukhazikitsa zomangamanga zatsopano zikuphatikizidwa kale mu systemd codebase ndipo zimakhudza zigawo monga systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase ndi systemd-creds.
Zosintha zomwe zasinthidwazi zikufika pakupanga chithunzi chimodzi chapadziko lonse lapansi UKI (Unified Kernel Image), kuphatikiza chithunzi cha Linux kernel, chothandizira kutsitsa kernel kuchokera ku UEFI (UEFI boot stub) ndi initrd system yosungidwa kukumbukira, yogwiritsidwa ntchito kukhazikitsidwa koyamba pa siteji isanakhazikitse muzu FS. M'malo mwa chithunzi cha initrd RAM disk, dongosolo lonselo likhoza kuikidwa mu UKI, zomwe zimakulolani kuti mupange malo otsimikiziridwa bwino omwe ali mu RAM. Chithunzi cha UKI chimapangidwa ngati fayilo yotheka kuchitidwa mumtundu wa PE, womwe ukhoza kukwezedwa osati kugwiritsa ntchito ma bootloaders achikhalidwe, koma ukhoza kuyitanidwa mwachindunji kuchokera ku UEFI firmware.
Kutha kuyimba kuchokera ku UEFI kumakupatsani mwayi woti mugwiritse ntchito cheke chotsimikizira siginecha ya digito chomwe sichimangokhudza kernel, komanso zomwe zili mu initrd. Nthawi yomweyo, kuthandizira kuyimba kuchokera ku ma bootloaders achikhalidwe kumakupatsani mwayi wosunga zinthu monga kutumiza mitundu ingapo ya kernel ndikubweza pompopompo ku kernel yomwe ikugwira ntchito ngati zovuta zizindikirika ndi kernel yatsopano mutakhazikitsa zosintha.
Pakadali pano, m'magawo ambiri a Linux, njira yoyambira imagwiritsa ntchito unyolo "firmware β wosanjidwa ndi digito Microsoft shim wosanjikiza β GRUB bootloader ya digito yosainidwa ndi kugawa β Linux kernel yosainidwa ndi digito β chilengedwe chosasainidwa β mizu FS." Kupanda kutsimikizira kwa initrd pamagawidwe achikhalidwe kumabweretsa zovuta zachitetezo, chifukwa, mwa zina, m'malo ano makiyi ochotsa mizu amachotsedwa.
Kutsimikizika kwa chithunzi cha initrd sikuthandizidwa popeza fayiloyi imapangidwa pamakina am'deralo ndipo sichingatsimikizidwe ndi siginecha ya digito ya zida zogawa, zomwe zimasokoneza kwambiri bungwe lotsimikizira mukamagwiritsa ntchito SecureBoot mode (kutsimikizira initrd, the wogwiritsa ntchito ayenera kupanga makiyi awo ndikuwayika mu UEFI firmware). Kuonjezera apo, bungwe la boot lamakono sililola kugwiritsa ntchito chidziwitso kuchokera ku TPM PCR (Platform Configuration Register) kuti athetse kukhulupirika kwa zigawo za malo ogwiritsira ntchito kupatula shim, grub ndi kernel. Pakati pazovuta zomwe zilipo, zovuta zosinthira bootloader komanso kulephera kuletsa makiyi a TPM amitundu yakale ya OS yomwe yakhala yosafunikira pambuyo pokhazikitsa zosinthazo zimatchulidwanso.
Zolinga zazikulu zowonetsera zomanga zatsopano zotsegula ndi:
- Kupereka ndondomeko yotsimikizirika ya boot yomwe imachokera ku firmware kupita kumalo ogwiritsira ntchito, kutsimikizira kutsimikizika ndi kukhulupirika kwa zigawo zomwe zikugwiritsidwa ntchito.
- Kulumikiza zoyendetsedwa ndi zolembetsa za TPM PCR, zolekanitsidwa ndi eni ake.
- Kutha kuwerengeratu ma PCR kutengera kernel, initrd, kasinthidwe ndi ID yamakina omwe amagwiritsidwa ntchito panthawi yoyambira.
- Kutetezedwa motsutsana ndi kuwopseza kubweza komwe kumakhudzana ndi kubwereranso ku mtundu wakale wosatetezeka wadongosolo.
- Kufewetsa ndi kuonjezera kudalirika kwa zosintha.
- Kuthandizira zosintha za OS zomwe sizikufuna kubwerezanso kapena kuperekedwa kwanuko kwa zinthu zotetezedwa ndi TPM.
- Dongosololi ndi lokonzeka kutsimikizira zakutali kuti zitsimikizire kulondola kwa OS yodzaza ndi zoikamo.
- Kutha kumangiriza deta yodziwika bwino pamagawo ena a boot, mwachitsanzo, kuchotsa makiyi a encryption a mizu yamafayilo kuchokera ku TPM.
- Kupereka njira yotetezeka, yodziwikiratu, komanso yopanda ogwiritsa ntchito kuti mutsegule makiyi kuti mutsegule drive partition drive.
- Kugwiritsa ntchito tchipisi chomwe chimathandizira mawonekedwe a TPM 2.0, ndikutha kubweza kumakina opanda TPM.
Source: opennet.ru