Lennart Poettering yakaburitsa chirevo chekuvandudza maitiro ebhutsu yeLinux kugovera, yakanangana nekugadzirisa matambudziko aripo uye kurerutsa sangano rebhutsu rakasimbiswa rakazara, zvichisimbisa huchokwadi hwekernel uye iri pasi pehurongwa nharaunda. Shanduko dzinodiwa kuita chivakwa chitsva chatoverengerwa musystemd codebase uye dzinobata zvinhu zvakaita se systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase, uye systemd-creds.
Idzo shanduko dzakarongwa dzakaderedzwa kusvika pakugadzirwa kweimwe yepasirese yeUKI (Yakabatana Kernel Image) inosanganisa iyo Linux kernel mufananidzo, mubati wekutakura kernel kubva kuUEFI (UEFI boot stub) uye initrd system nharaunda yakarongedzerwa mundangariro, inoshandiswa kutanga kutanga pachikuva usati waisa mudzi FS. Panzvimbo peiyo initrd RAM dhisiki mufananidzo, iyo yese system inogona kuiswa muUKI, ichibvumira kusikwa kweyakasimbiswa yakazara system nharaunda inoiswa muRAM. UKI-image inogadzirwa muchimiro chefaira rinogoneka mune PE fomati, iyo inogona kutakurwa kwete chete kushandisa echinyakare bootloaders, asi inodaidzwa zvakananga kubva kuEFI firmware.
Iko kugona kufona kubva kuUEFI inokutendera kuti ushandise siginecha yedhijitari kutendeseka uye cheki yechokwadi inovhara kwete chete kernel, asiwo zviri mukati meiyo initrd. Panguva imwecheteyo, tsigiro yekufona kubva kune echinyakare bootloaders inobvumidza iwe kuchengetedza maficha akadai sekuunza akati wandei mavhezheni e kernel uye otomatiki rollback kune inoshanda kernel kana matambudziko neiyo kernel nyowani aonekwa mushure mekuisa iyo update.
Parizvino, kugoverwa kweLinux kwakawanda kunoshandisa cheni "firmware β digitally sign Microsoft shim layer β digitally sign distribution GRUB bootloader β digitally signed distribution Linux kernel β unsigned initrd environment β mudzi FS" mukutanga maitiro. Kushaikwa kweiyo initrd verification mukugovera kwechinyakare kunogadzira matambudziko ekuchengetedza, sezvo, pakati pezvimwe zvinhu, munzvimbo ino, makiyi anotorwa kuti anyore mudzi FS.
Kuongororwa kwemufananidzo weinitrd hakutsigirwi, sezvo faira iyi inogadzirwa pane yemuno sisitimu uye haigone kusimbiswa nedhijitari siginecha, iyo inoomesa zvakanyanya sangano rekusimbisa kana uchishandisa SecureBoot modhi (kusimbisa iyo initrd, mushandisi anoda. kugadzira makiyi ake uye kuaisa muEFI firmware). Mukuwedzera, sangano riripo rebhoti haribvumiri kushandisa ruzivo kubva kuTPM PCR (Platform Configuration Register) kunyoresa kudzora kuvimbika kwevashandisi-nzvimbo zvikamu kunze kwe shim, grub, uye kernel. Pakati pematambudziko aripo, kunetsa kwekugadzirisa bhootloader uye kusakwanisa kurambidza kuwana makiyi muTPM kune ekare OS mavhezheni ayo ave asina basa mushure mekuisa iyo update anotaurwa zvakare.
Zvinangwa zvikuru zvekushandisa iyo nyowani boot architecture:
- Kupa iyo yakasimbiswa yakazara yekurodha maitiro, inovhara ese matanho kubva kune firmware kuenda kune mushandisi nzvimbo, uye ichisimbisa chokwadi uye kuvimbika kwezvikamu zvakadhawunirwa.
- Kusunga zviwanikwa zvinodzorwa kuTPM PCR marejista nekuparadzaniswa nevaridzi.
- Kugona precalculate PCR kukosha kwakavakirwa kernel boot, initrd, kumisikidza, uye yemuno system ID.
- Dziviriro kubva pakurwiswa kwekudzoserwa kwakabatana nekudzoreredza kune yakapfuura njodzi vhezheni yesystem.
- Nyoresa uye uvandudze kuvimbika kwezvigadziriso.
- Tsigiro yekuvandudzwa kweOS iyo isingade kudzokorodza kana kupihwa kwenzvimbo kweTPM-yakachengetedzwa zviwanikwa.
- Kugadzirira kweiyo sisitimu yekure certification yekusimbisa iko kurongeka kweiyo bootable OS uye marongero.
- Iko kugona kubatanidza data rakadzama kune mamwe nhanho dzebhutsu, semuenzaniso, kubvisa encryption makiyi emudzi FS kubva kuTPM.
- Ipa yakachengeteka, otomatiki, uye yakanyarara maitiro ekuvhura makiyi ekudzima dhiraivha ine midzi yekuparadzanisa.
- Iko kushandiswa kwemachipi anotsigira iyo TPM 2.0 yakatarwa, nekugona kudonha kumashure kune masisitimu asina TPM.
Source: opennet.ru