Microsoft Proposes the IPE Access Control System for the Linux Kernel

The company has submitted the patch set for discussion on the Linux kernel developers' mailing list. The code is an LSM module implementing the IPE (Integrity Policy Enforcement) mechanism, which extends the kernel's existing mandatory access control facilities. Rather than relying on labels and attributes, IPE makes allow-or-deny decisions based on immutable properties of the system component being used. The module lets an administrator define a fixed, system-wide policy that states which operations are permitted and how components must be verified.

IPE aims to build verifiably correct systems whose integrity is verified from the boot loader and kernel down to the final executables, configuration and boot files. For example, using IPE you can specify which executable files are allowed to run, judged by their match against a reference description using cryptographic hashes provided by the dm-verity subsystem. If a file has been modified or replaced, IPE can block the operation or log the integrity violation.

This predefined approach suits firmware for embedded devices, where all software and settings are assembled specifically and supplied by the owner; for example, in Microsoft's data centers IPE is used on firewall appliances. What distinguishes IPE from other integrity-checking systems such as IMA is its independence from filesystem metadata: everything that determines whether an operation is permitted is stored directly in the kernel.

Rules are written in text form as sets of key-value pairs. The most important are the "op" key, which defines the operation the rule applies to (for example, op=EXECUTE applies to execution attempts), and the "action" key, which defines what to do (for example, "action=DENY" to block). Rules are bound to properties supplied by external modules such as dm-verity and fs-verity.

For example, the rules

op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=FALSE action=DENY
op=EXECUTE fsverity_digest=sha256:401fce…0dec146938 action=DENY

allow execution of boot-verified files, deny execution of files from partitions that carry no dm-verity signature, and explicitly deny execution of the file with the hash "401fce...0dec146938".
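As an added illustration of the rule format (not code from the IPE patch set), here is a toy first-match evaluator in Python that parses the three rules above and decides an operation from a subject's properties. The first-match semantics, the fail-closed default and the property names are assumptions of this toy; the real kernel parser also expects a policy header and DEFAULT rules, which are omitted here.

```python
# Toy first-match evaluator for IPE-style "key=value" rules (added illustration,
# not the kernel's parser; IPE's real policy also carries a header and DEFAULT rules).

# Constructed policy text: the three rules quoted above, in the order given.
# The digest is the page's elided placeholder, not a real fs-verity digest.
POLICY = """
op=EXECUTE boot_verified=TRUE action=ALLOW
op=EXECUTE dmverity_signature=FALSE action=DENY
op=EXECUTE fsverity_digest=sha256:401fce…0dec146938 action=DENY
"""

def parse_policy(text):
    """Parse each non-empty line into a dict of key -> value; reject malformed lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rule = {}
        for token in line.split():
            key, sep, value = token.partition("=")
            if not sep or not key or not value:
                raise ValueError(f"malformed token {token!r} in rule {line!r}")
            rule[key] = value
        if "op" not in rule or "action" not in rule:
            raise ValueError(f"rule needs op= and action=: {line!r}")
        rules.append(rule)
    return rules

def evaluate(rules, op, props, default="DENY"):
    """Return the action of the first rule for `op` whose every property matches
    the subject's properties (assumed to be supplied by dm-verity/fs-verity).
    First match wins, so rule order matters; fall back to `default` (fail closed)."""
    for rule in rules:
        if rule["op"] != op:
            continue
        conds = {k: v for k, v in rule.items() if k not in ("op", "action")}
        if all(props.get(k) == v for k, v in conds.items()):
            return rule["action"]
    return default

if __name__ == "__main__":
    rules = parse_policy(POLICY)
    denied = {"boot_verified": "FALSE", "dmverity_signature": "TRUE",
              "fsverity_digest": "sha256:401fce…0dec146938"}
    print(evaluate(rules, "EXECUTE", denied))  # DENY (third rule)
    # A boot-verified file with that same digest is still allowed, because the
    # ALLOW rule precedes the digest DENY: place the deny first if it must win.
    print(evaluate(rules, "EXECUTE", dict(denied, boot_verified="TRUE")))  # ALLOW
```

The last case shows why a digest-based block list must be ordered before broad allow rules in a first-match policy.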

The initial boot policy is defined through the SECURITY_IPE_BOOT_POLICY setting and is compiled into the kernel build; additional rules are loaded as needed through the file /sys/kernel/security/ipe/new_policy. Loaded rules must be signed using a certificate from SYSTEM_TRUSTED_KEYRING.

For general-purpose systems, the plan is to use IPE together with the DIGLIM mechanism developed by Huawei. DIGLIM is implemented with eBPF and makes it easy to apply integrity control to frequently updated files without requiring them to be rebuilt (it is presented as a form of Secure Boot that operates at the application level). The essence of DIGLIM is to keep verified hashes of files and metadata and to permit access to an executable only if its hash is present in the pool. The hash list can be obtained from the RPM package manager or generated manually by the user.

Source: opennet.ru
