Release of the systemd system manager 252 with UKI (Unified Kernel Image) support.

After five months of development, the release of the systemd 252 system manager has been presented. The key change in the new version is the integration of support for a modern boot process that makes it possible to verify, using digital signatures, not only the kernel and the bootloader but also the components of the base system environment.

The proposed method uses a Unified Kernel Image (UKI) at boot time. A UKI combines the handler that loads the kernel from UEFI (the UEFI boot stub), the Linux kernel image and the initrd system environment loaded into memory, which is used during the initial stage before the root FS is mounted. The UKI image is packaged as a single executable file in PE format, which can be loaded by traditional bootloaders or invoked directly by the UEFI firmware. When invoked from UEFI, it is possible to verify the integrity and the trustworthiness of the digital signature not only of the kernel but also of the contents of the initrd.

To compute the TPM PCR (Trusted Platform Module Platform Configuration Register) measurements used to monitor integrity, and to produce a digital signature for the UKI image, a new measurement utility, systemd-measure, has been added. The public key used for signing and the accompanying PCR information can be embedded directly into the UKI boot image (the signature and the key are stored in the '.pcrsig' and '.pcrkey' sections of the PE file) and extracted by external or internal services.

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, which makes it possible to tie encrypted disk partitions to a digitally signed kernel (in this case access to the encrypted partition is granted only if the UKI image passes digital signature verification based on the measurements stored in the TPM).
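As an added example (not code from systemd or from the original article), the following Python script shows how the '.pcrsig' and '.pcrkey' sections described above can be located in a UKI by walking the PE section table. The image it inspects is a constructed minimal PE built in the script, and the JSON and PEM payloads are placeholder values standing in for what systemd-measure embeds.

```python
import json, struct

PE_OFFSET_FIELD, COFF_HEADER_LEN, SECTION_ENTRY_LEN = 0x3C, 20, 40  # e_lfanew, COFF header, section entry

def pe_sections(image: bytes) -> dict:
    """Return {section_name: payload_bytes} for every section of a PE image (UKIs are plain PE files)."""
    pe_off = struct.unpack_from("<I", image, PE_OFFSET_FIELD)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_len = struct.unpack_from("<H", image, coff + 16)[0]     # SizeOfOptionalHeader
    table = coff + COFF_HEADER_LEN + opt_len
    sections = {}
    for i in range(n_sections):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + i * SECTION_ENTRY_LEN)
        # SizeOfRawData is padded to the file alignment; VirtualSize is the real payload length.
        sections[name.rstrip(b"\0").decode("ascii")] = image[raw_ptr:raw_ptr + min(vsize, raw_size)]
    return sections

def pcr_policy(image: bytes):
    """Extract the signed PCR policy (.pcrsig, JSON) and its public key (.pcrkey, PEM) from a UKI."""
    sec = pe_sections(image)
    sig = json.loads(sec[".pcrsig"]) if ".pcrsig" in sec else None
    return sig, sec.get(".pcrkey")

def build_sample_pe(payloads: dict) -> bytes:
    """Constructed minimal x86-64 PE carrying the given sections; sample input, not a real UKI."""
    n, table_off = len(payloads), 0x40 + 4 + COFF_HEADER_LEN      # no optional header
    data_off = table_off + n * SECTION_ENTRY_LEN
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, PE_OFFSET_FIELD, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x22)
    table = data = b""
    for name, blob in payloads.items():
        padded = blob + b"\0" * (-len(blob) % 16)              # pad raw data like a linker would
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(blob), 0, len(padded), data_off + len(data), 0, 0, 0, 0, 0)
        data += padded
    return bytes(dos) + b"PE\0\0" + coff + table + data

# Constructed sample payloads standing in for what systemd-measure would embed.
SAMPLE_PCRSIG = json.dumps({"sha256": [{"pcrs": [11], "pkfp": "<constructed>", "pol": "<constructed>", "sig": "<constructed>"}]}).encode()
SAMPLE_PCRKEY = b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"
SAMPLE_UKI = build_sample_pe({".linux": b"\x7fELF constructed", ".initrd": b"constructed initrd", ".pcrsig": SAMPLE_PCRSIG, ".pcrkey": SAMPLE_PCRKEY})

if __name__ == "__main__":
    policy, key = pcr_policy(SAMPLE_UKI)
    print("sections:", list(pe_sections(SAMPLE_UKI)), "| PCRs covered:", policy["sha256"][0]["pcrs"])
```

Run against a real UKI by reading the file into `image`; an image without a '.pcrsig' section yields `None` for the policy, which is the case a verifier must treat as "no signed PCR policy present".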

In addition, the systemd-pcrphase utility has been added, which allows controlling the binding of the different boot phases to the measurements held in the memory of cryptoprocessors that support the TPM 2.0 specification (for example, the LUKS2 partition unlock key can be made available only inside the initrd image, with access to it blocked in later boot stages).

Some other changes:

  • The C.UTF-8 locale is now set by default unless another locale is specified in the settings.
  • It is now possible to perform a full preset operation for services ("systemctl preset") during the first boot. Enabling presets at boot time requires building with the "-Dfirst-boot-full-preset" option, but it is planned to enable this by default in a future release.
  • The CPU resource controller has been enabled in the slices used for user management, which made it possible to apply CPUWeight settings to all the slice units used to divide into subslices (app.slice, background.slice, session.slice) in order to separate resources between the different user services competing for CPU resources. CPUWeight also supports the "idle" value, enabling a mode in which resources are provided as they become available.
  • For transient units and the systemd-run utility, overriding settings is allowed by creating drop-in files in the /etc/systemd/system/name.d/ directory.
  • For system images, an end-of-support flag has been introduced, determined from the value of the new "SUPPORT_END=" parameter in the /etc/os-release file.
  • Added the "ConditionCredential=" and "AssertCredential=" settings, which can be used to skip or fail units if certain credentials are not present in the system.
  • Added the "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings in system.conf and user.conf to define the default SMACK security label and the device unit activation timeout.
  • The "ConditionFirmware=" and "AssertFirmware=" settings gained the ability to specify SMBIOS fields; for example, to start a unit only if /sys/class/dmi/id/board_name contains the value "Custom Board", you can specify "ConditionFirmware=smbios-field(board_name = "Custom Board")".
  • In the init process (PID 1), the ability to import credentials from SMBIOS fields (Type 11, "OEM strings") has been added, in addition to defining them via qemu_fwcfg, which simplifies passing credentials to virtual machines and removes the need for third-party tools such as cloud-init and ignition.
  • During shutdown, the logic for unmounting virtual file systems (proc, sys) has been changed, and information about processes that block the unmounting of file systems is now saved in the log.
  • The system call filter (SystemCallFilter) now allows the riscv_flush_icache system call by default.
  • The sd-boot bootloader gained the ability to boot in mixed mode, in which a 64-bit Linux kernel runs on 32-bit UEFI firmware. An experimental ability to automatically enroll SecureBoot keys from files found on the ESP (EFI system partition) has been added.
  • New options have been added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" to operate on a directory or disk image, "--install-source=" to specify the installation source, and "--efi-boot-option-description=" to control the names of boot entries.
  • The 'list-automounts' command has been added to the systemctl utility to show the list of automatically mounted directories, together with the '--image=' option for executing commands against the specified disk image. The "--state=" and "--type=" options have been added to the 'show' and 'status' commands.
  • systemd-networkd gained the "TCPCongestionControlAlgorithm=" option to select the TCP congestion control algorithm, "KeepFileDescriptor=" to preserve the file descriptors of TUN/TAP interfaces, "NetLabel=" to set NetLabels, and "RapidCommit=" to speed up configuration via DHCPv6 (RFC 3315). The "RouteTable=" parameter allows specifying route table names.
  • systemd-nspawn allows relative file paths in the "--bind=" and "--overlay=" options. Support has been added for the 'rootidmap' value of the "--bind=" option, which maps the root user ID in the container to the owner of the directory mounted on the host side.
  • systemd-resolved uses OpenSSL as its default cryptographic backend (gnutls support is kept as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of producing an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl implement the ability to pass settings through the credentials storage mechanism.
  • The 'compare-versions' command has been added to the systemd-analyze utility to compare version strings and numbers (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). The ability to filter units by a mask pattern has been added to the 'systemd-analyze dump' command.
  • When the multi-stage sleep mode (suspend-then-hibernate) is selected, the time spent in standby is now chosen based on a prediction of the remaining battery life. An immediate transition to hibernation occurs when less than 5% of battery charge remains.
  • A new output mode "-o short-delta" has been added to 'journalctl', which shows the time difference between adjacent messages in the log.
  • systemd-repart added support for creating partitions with the Squashfs file system and dm-verity partitions, including digital signatures.
  • The "StopIdleSessionSec=" setting has been added to systemd-logind to terminate an idle session after a given time.
  • systemd-cryptenroll added the "--unlock-key-file=" option to take the unlock key from a file instead of prompting the user.
  • It is now possible to run the systemd-growfs utility in an environment without udev.
  • systemd-backlight improved support for systems with multiple graphics cards.
  • The license of the code examples in the documentation has been changed from CC0 to MIT-0.

Changes that break compatibility:

  • When checking the kernel version number with the ConditionKernelVersion directive, a simple string comparison is now used for the '=' and '!=' operators, and if no operator is specified at all, glob-mask matching can be used with the '*', '?' and '[', ']' characters. To compare versions in the style of strverscmp(), you must use the '<', '<=', '>', '>=' operators.
  • The SELinux label used to check access to a unit file is now read at the time the file is loaded, rather than at the time of the check.
  • The "ConditionFirstBoot" condition is now triggered only during the first boot of the system, directly at the boot stage, and returns "false" when called by units after the boot has completed.
  • In 2024, systemd plans to stop supporting the cgroup v1 resource limiting mechanism, which has been deprecated since the systemd 248 release. Administrators are advised to take care of migrating services from cgroup v1 to cgroup v2 in advance. The key difference between cgroup v2 and v1 is the use of a single cgroup hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory usage regulation and I/O. Separate hierarchies lead to difficulties in organizing the interaction between handlers and to additional kernel resource costs when applying rules for a process referenced in different hierarchies.
  • In the second half of 2023, it is planned to stop supporting split directory hierarchies, where /usr is mounted separately from the root, or /bin and /usr/bin, /lib and /usr/lib are split.
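An added illustration (not systemd's own code) of the ConditionKernelVersion= rules described in the first point above, which also serves as the version-ordering routine behind a 'systemd-analyze compare-versions' style comparison: the strverscmp()-style ordering is a simplified reimplementation assumed here, and the kernel version strings are constructed samples.

```python
import re
from fnmatch import fnmatchcase

_CHUNK = re.compile(r"\d+|\D+")   # split "5.15.0-91-generic" into numeric and non-numeric runs

def version_compare(a: str, b: str) -> int:
    """strverscmp()-style ordering (simplified reimplementation, an assumption of this example):
    numeric runs compare as integers, other runs as strings. Returns -1, 0 or 1."""
    ca, cb = _CHUNK.findall(a), _CHUNK.findall(b)
    for x, y in zip(ca, cb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)           # "10" sorts after "9", unlike a plain string compare
        if x != y:
            return -1 if x < y else 1
    return (len(ca) > len(cb)) - (len(ca) < len(cb))   # "5.15.0" sorts after "5.15"

_ORDER_OPS = {"<": lambda c: c < 0, "<=": lambda c: c <= 0, ">": lambda c: c > 0, ">=": lambda c: c >= 0}

def condition_kernel_version(expr: str, running: str) -> bool:
    """Evaluate a ConditionKernelVersion= value with the systemd 252 rules described on the page:
    '=' / '!=' are plain string comparisons, '<' '<=' '>' '>=' use version ordering,
    and a value with no operator is a shell-style glob ('*', '?', '[...]')."""
    expr = expr.strip()
    for op in ("<=", ">=", "!=", "<", ">", "="):      # two-character operators must be tried first
        if expr.startswith(op):
            rhs = expr[len(op):].strip()
            if op == "=":
                return running == rhs
            if op == "!=":
                return running != rhs
            return _ORDER_OPS[op](version_compare(running, rhs))
    return fnmatchcase(running, expr)

if __name__ == "__main__":
    # Constructed sample: several unit conditions checked against a sample running kernel version.
    running = "5.15.0-91-generic"
    for cond in ("=5.15", "5.15.*", ">=5.10", "<5.15.1"):
        print(f"ConditionKernelVersion={cond} -> {condition_kernel_version(cond, running)}")
```

Note that "=5.15" no longer matches a 5.15.x kernel under the new rules, while the glob "5.15.*" and the ordered form ">=5.15" do; unit files relying on the old "=" behaviour need one of those forms.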

Source: opennet.ru