Release of the systemd 252 system manager with UKI (Unified Kernel Image) support.

After five months of development, the release of the systemd 252 system manager was presented. The key change in the new version is the integration of support for a modernized boot process, which lets you verify not only the kernel and bootloader but also the components of the base system environment using digital signatures.

The proposed method uses a unified kernel image, UKI (Unified Kernel Image), at boot. It combines the handler for loading the kernel from UEFI (UEFI boot stub), the Linux kernel image, and the initrd system environment loaded into memory, which is used for initial initialization at the stage before the root FS is mounted. The UKI image is packaged as a single executable file in PE format, which can be loaded by traditional bootloaders or called directly from the UEFI firmware. When called from UEFI, it is possible to verify the integrity and authenticity, by digital signature, of not only the kernel but also the contents of the initrd.

To calculate the values of the TPM PCR (Trusted Platform Module Configuration Register) registers used to monitor integrity and to generate the digital signature of the UKI image, a new utility has been added. The public key and the accompanying PCR information used for signing can be embedded directly in the UKI boot image (the key and signature are stored in the PE file in the '.pcrsig' and '.pcrpkey' sections) and extracted from it by external or internal utilities.

In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, so you can ensure that encrypted disk partitions are bound to a digitally signed kernel (in this case, access to the encrypted partition is granted only if the UKI image has passed digital signature verification based on the parameters held in the TPM).

In addition, the systemd-pcrphase utility is included, which lets you control the binding of different boot stages to parameters held in the memory of cryptoprocessors that support the TPM 2.0 specification (for example, you can make the LUKS2 partition decryption key available only in the initrd image and block access to it at later boot stages).
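The binding described above rests on the TPM extend operation: a PCR can only be extended, never rewound, so a key pinned to the initrd-stage value stops being releasable once a later stage is measured. The sketch below is an added example, not systemd code; the `SealedKey` class is a toy stand-in for a TPM policy, and the phase labels and measurement strings are constructed assumptions.

```python
import hashlib
import hmac

PCR_SIZE = 32  # size of one register in the SHA-256 bank

def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM extend: new = H(old || H(data)). There is no way to set a PCR directly."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()

def replay(events) -> bytes:
    """Replay a measurement log starting from the reset value (all zeroes)."""
    pcr = bytes(PCR_SIZE)
    for event in events:
        pcr = extend(pcr, event)
    return pcr

class SealedKey:
    """Toy model of a TPM object whose policy pins a single PCR value."""

    def __init__(self, secret: bytes, expected_pcr: bytes):
        self._secret = secret
        self._expected = expected_pcr

    def unseal(self, current_pcr: bytes):
        # The secret is released only while the live PCR equals the pinned value.
        if hmac.compare_digest(current_pcr, self._expected):
            return self._secret
        return None

# Constructed measurement logs; labels are illustrative assumptions.
UKI = b"constructed-uki-image-measurement"
INITRD_LOG = [UKI, b"enter-initrd"]
HOST_LOG = INITRD_LOG + [b"leave-initrd"]          # a later boot stage was measured
TAMPERED_LOG = [b"constructed-modified-uki", b"enter-initrd"]

def demo() -> dict:
    key = SealedKey(b"constructed-luks2-volume-key", replay(INITRD_LOG))
    return {
        "initrd": key.unseal(replay(INITRD_LOG)) is not None,
        "after_initrd": key.unseal(replay(HOST_LOG)) is not None,
        "tampered_image": key.unseal(replay(TAMPERED_LOG)) is not None,
    }

if __name__ == "__main__":
    print(demo())
```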

Other changes:

  • The default locale is now C.UTF-8 unless a different locale is specified in the settings.
  • It is now possible to perform a full service preset operation ("systemctl preset") during the first boot. Enabling presets at boot time requires building with the "-Dfirst-boot-full-preset" option, but it is planned to be enabled by default in future releases.
  • User manager units now include the CPU resource controller, which makes it possible to ensure that CPUWeight settings are applied to all slice units used to divide the system into parts (app.slice, background.slice, session.slice) in order to share resources between different user services that compete for CPU resources. CPUWeight also supports the "idle" value to activate the corresponding resource allocation mode.
  • In transient units ("transient") and in the systemd-repart utility, overriding settings is allowed by creating drop-in files in the /etc/systemd/system/name.d/ directory.
  • For system images, an end-of-support flag is set, determined from the value of the new "SUPPORT_END=" parameter in the /etc/os-release file.
  • Added the "ConditionCredential=" and "AssertCredential=" settings, which can be used to skip or fail units if certain credentials are absent from the system.
  • Added the "DefaultSmackProcessLabel=" and "DefaultDeviceTimeoutSec=" settings to system.conf and user.conf to define the default SMACK security label and the unit activation timeout.
  • In the "ConditionFirmware=" and "AssertFirmware=" settings, the ability to specify individual SMBIOS fields has been added. For example, to start a unit only when the /sys/class/dmi/id/board_name field contains the value "Custom Board", you can specify "ConditionFirmware=smbios-field(board_name = "Custom Board")".
  • In the init process (PID 1), the ability to import credentials from SMBIOS fields (Type 11, "OEM vendor strings") has been added, in addition to defining them via qemu_fwcfg. This simplifies passing credentials to virtual machines and removes the need for third-party tools such as cloud-init and ignition.
  • During shutdown, the logic for unmounting virtual file systems (proc, sys) has been changed, and information about processes that block the unmounting of file systems is saved to the log.
  • The system call filter (SystemCallFilter) allows the riscv_flush_icache system call by default.
  • The sd-boot bootloader adds the ability to boot in mixed mode, where a 64-bit Linux kernel is started from 32-bit UEFI firmware. Added an experimental ability to automatically enroll SecureBoot keys from files found in the ESP (EFI system partition).
  • New options have been added to the bootctl utility: "--all-architectures" to install binaries for all supported EFI architectures, "--root=" and "--image=" to operate on a directory or a disk image, "--install-source=" to specify the installation source, and "--efi-boot-option-description=" to control the names of boot entries.
  • The 'list-automounts' command has been added to the systemctl utility to show the list of automounted directories, along with the "--image=" option to run commands against the specified disk image. Added the "--state=" and "--type=" options to the 'show' and 'status' commands.
  • systemd-networkd has added the options "TCPCongestionControlAlgorithm=" to select the TCP congestion control algorithm, "KeepFileDescriptor=" to keep the file descriptor of TUN/TAP interfaces, "NetLabel=" to set NetLabels, and "RapidCommit=" to speed up configuration via DHCPv6 (RFC 3315). The "RouteTable=" parameter allows specifying the names of routing tables.
  • systemd-nspawn allows the use of relative file paths in the "--bind=" and "--overlay=" options. Added support for the 'rootidmap' parameter in the "--bind=" option to map the root user ID inside the container to the owner of the mounted directory on the host side.
  • systemd-resolved uses OpenSSL as its crypto backend by default (gnutls support is retained as an option). Unsupported DNSSEC algorithms are now treated as insecure instead of returning an error (SERVFAIL).
  • systemd-sysusers, systemd-tmpfiles and systemd-sysctl implement the ability to pass settings through the credential storage mechanism.
  • Added the 'compare-versions' command to systemd-analyze for comparing strings with version numbers (similar to 'rpmdev-vercmp' and 'dpkg --compare-versions'). Added the ability to filter units by mask to the 'systemd-analyze dump' command.
  • When the multi-stage sleep mode (suspend-then-hibernate) is selected, the time spent in standby mode is now chosen based on a forecast of the remaining battery life. An immediate transition to hibernation happens when less than 5% of battery charge remains.
  • A new output mode, "-o short-delta", has been added to 'journalctl'; it shows the time difference between messages in the log.
  • systemd-repart adds support for creating partitions with the Squashfs file system and dm-verity partitions, including ones with digital signatures.
  • Added the "StopIdleSessionSec=" setting to systemd-logind to end an idle session after a specified time.
  • systemd-cryptenroll has added the "--unlock-key-file=" option to read the decryption key from a file instead of prompting the user.
  • It is now possible to run the systemd-growfs utility in environments without udev.
  • systemd-backlight has improved support for systems with multiple graphics cards.
  • The license for the code examples provided in the documentation has been changed from CC0 to MIT-0.

Changes that break compatibility:

  • When checking the kernel version number with the ConditionKernelVersion directive, a simple string comparison is now used for the '=' and '!=' operators, and if no comparison operator is specified at all, glob-mask matching can be used with the characters '*', '?', '[' and ']'. To compare versions in the style of strverscmp(), use the '<', '>', '<=' and '>=' operators.
  • The SELinux label used for access checks from a unit file is now read at the time the file is loaded, rather than at the time of the access check.
  • The "ConditionFirstBoot" condition now triggers on the first boot of the system only directly during the boot stage, and returns "false" when units are invoked after boot has completed.
  • In 2024, systemd plans to stop supporting the cgroup v1 resource limiting mechanism, which was deprecated in the systemd 248 release. Administrators are advised to take care in advance to migrate cgroup v1-based services to cgroup v2. The main difference between cgroup v2 and v1 is the use of a common cgroup hierarchy for all resource types, instead of separate hierarchies for CPU allocation, memory usage control, and I/O. Separate hierarchies make it difficult to organize interaction between handlers and lead to additional kernel resource costs when applying rules to a process referenced in different hierarchies.
  • In the second half of 2023, we plan to end support for split directory hierarchies, where /usr is mounted separately from the root, or where /bin and /usr/bin, /lib and /usr/lib are separate.
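The three comparison modes of ConditionKernelVersion listed above can be modelled as follows to check how an existing unit condition will evaluate after the change. This is an added example, not systemd's implementation: it handles a single expression, the function names are hypothetical, and the version ordering is a simplified numeric-aware approximation of strverscmp()-style comparison.

```python
import fnmatch
import re

def _version_key(version: str):
    # Split into digit and non-digit runs so that "5.10" orders after "5.9".
    # Tagging each run keeps numbers and text from being compared directly.
    return [(0, int(run)) if run.isdigit() else (1, run)
            for run in re.findall(r"\d+|\D+", version)]

_OPERATORS = {
    "<=": lambda rel, ref: _version_key(rel) <= _version_key(ref),
    ">=": lambda rel, ref: _version_key(rel) >= _version_key(ref),
    "<": lambda rel, ref: _version_key(rel) < _version_key(ref),
    ">": lambda rel, ref: _version_key(rel) > _version_key(ref),
    "!=": lambda rel, ref: rel != ref,   # plain string comparison
    "=": lambda rel, ref: rel == ref,    # plain string comparison
}

def kernel_version_matches(expression: str, release: str) -> bool:
    """Evaluate the value of a ConditionKernelVersion= line against a kernel release."""
    expression = expression.strip()
    # Two-character operators are tried first so "<=" is not read as "<".
    for op in ("<=", ">=", "!=", "<", ">", "="):
        if expression.startswith(op):
            return _OPERATORS[op](release, expression[len(op):].strip())
    # No operator at all: shell-style glob with '*', '?', '[' and ']'.
    return fnmatch.fnmatchcase(release, expression)

if __name__ == "__main__":
    release = "5.10.0-21-amd64"  # constructed sample kernel release string
    for expr in ("=5.10", "5.10*", ">=5.9", "<5.9", "[45].*"):
        print(f"ConditionKernelVersion={expr!s:8} -> {kernel_version_matches(expr, release)}")
```

A unit that relied on "=5.10" behaving as a version match no longer matches "5.10.0-21-amd64"; it needs either a glob ("5.10*") or an ordering operator.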

Source: opennet.ru
