Critical vulnerability in the GRUB2 bootloader that allows bypassing UEFI Secure Boot

Eight vulnerabilities have been disclosed in the GRUB2 bootloader. The most dangerous issue (CVE-2020-10713), codenamed BootHole, makes it possible to bypass the UEFI Secure Boot mechanism and install unverified malware. What sets this vulnerability apart is that updating GRUB2 is not enough to eliminate it, since an attacker can use bootable media carrying an old vulnerable version that is certified by a digital signature. An attacker can compromise the verification process not only of Linux but also of other operating systems, including Windows.

The problem can be resolved only by updating the system's certificate revocation list (dbx, UEFI Revocation List), but in that case the ability to use old Linux installation media is lost. Some hardware manufacturers have already included an updated revocation list in their firmware; on such systems, only updated builds of Linux distributions can be booted in UEFI Secure Boot mode.

To eliminate the vulnerability in distributions, it is also necessary to update installers, bootloaders, kernel packages, fwupd firmware and the shim layer, generating new digital signatures for them. Users will need to update installation images and other bootable media, and load the certificate revocation list (dbx) into the UEFI firmware. Until the dbx is updated in UEFI, the system remains vulnerable regardless of whether updates have been installed in the OS.

The vulnerability is caused by a buffer overflow that can be exploited to execute arbitrary code during the boot process. It manifests when parsing the contents of the grub.cfg configuration file, which is usually located on the ESP (EFI System Partition) and can be edited by an attacker with administrator rights without violating the integrity of the signed shim and GRUB2 executables. Because of an error in the configuration parser code, the fatal parse error handler YY_FATAL_ERROR only displayed a warning but did not terminate the program. The risk of the vulnerability is reduced by the need for privileged access to the system; nevertheless, the issue may be of use for planting hidden rootkits when there is physical access to the hardware (if booting from one's own media is possible).
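The failure mode described above, reduced to a small C model (an added example, not GRUB2 or flex source; the lexer struct, the function names and the buffer sizes are all hypothetical): a fatal-error hook that only reports and returns lets the scanner carry on into the copy, while a hook that stops the parse does not.

```c
/* Constructed model of the defect; not GRUB2 or flex code. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define TOKEN_CAP 16   /* logical size of the token buffer */
#define ARENA_CAP 64   /* backing store, so the demo never leaves its own memory */

struct lexer {
    char arena[ARENA_CAP]; /* bytes past TOKEN_CAP stand in for adjacent memory */
    int fatal_seen;        /* set when the fatal-error hook fires */
    int handler_returns;   /* 1: hook only warns and returns, 0: hook stops the parse */
};

/* Fatal-error hook. The caller is written as if this never hands control back. */
static int lexer_fatal(struct lexer *lx, const char *msg) {
    lx->fatal_seen = 1;
    fprintf(stderr, "lexer: %s\n", msg);
    return lx->handler_returns ? 0 : -1;
}

/* Copies one token. Returns the number of bytes written past the logical
   buffer, or -1 if the parse was stopped. */
int copy_token(struct lexer *lx, const char *tok) {
    size_t need = strlen(tok) + 1;
    if (need > ARENA_CAP)
        return -1;                      /* guard for the demo itself */
    if (need > TOKEN_CAP && lexer_fatal(lx, "token too large") != 0)
        return -1;                      /* corrected behaviour: stop here */
    /* With a warn-only hook, an oversized token still reaches this copy. */
    memcpy(lx->arena, tok, need);
    return need > TOKEN_CAP ? (int)(need - TOKEN_CAP) : 0;
}

/* Runs one token through a fresh lexer with the chosen hook behaviour. */
int run(int handler_returns, const char *tok) {
    struct lexer lx;
    memset(&lx, 0, sizeof lx);
    lx.handler_returns = handler_returns;
    return copy_token(&lx, tok);
}

int main(void) {
    const char *longtok = "0123456789012345678901234567890123456789"; /* 40 bytes, constructed */
    printf("warn-only hook: %d bytes past the buffer\n", run(1, longtok));
    printf("stopping hook:  %d\n", run(0, longtok));
    return 0;
}
```

When reviewing parser code, the thing to check is that every path out of a "fatal" hook really ends the parse, either by not returning at all or by a return value the caller tests before touching the buffer.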

Most Linux distributions use a small shim layer that is digitally signed by Microsoft. This layer verifies GRUB2 with its own certificate, which spares distribution developers from having every kernel and GRUB update certified by Microsoft. By changing the contents of grub.cfg, the vulnerability makes it possible to execute one's own code at the stage after successful shim verification but before the operating system is loaded, wedging into the chain of trust while Secure Boot mode is active and gaining full control over the rest of the boot process, including loading another OS, modifying operating system components and bypassing Lockdown protection.

Other vulnerabilities in GRUB2:

  • CVE-2020-14308 - buffer overflow due to a missing check on the size of the memory area allocated in grub_malloc;
  • CVE-2020-14309 - integer overflow in grub_squash_read_symlink, which can lead to data being written beyond the allocated buffer;
  • CVE-2020-14310 - integer overflow in read_section_from_string, which can lead to data being written beyond the allocated buffer;
  • CVE-2020-14311 - integer overflow in grub_ext2_read_link, which can lead to data being written beyond the allocated buffer;
  • CVE-2020-15705 - allows unsigned kernels to be loaded during direct boot in Secure Boot mode without the shim layer;
  • CVE-2020-15706 - access to an already freed memory area (use-after-free) when redefining a function at runtime;
  • CVE-2020-15707 - integer overflow in the initrd size handler.

Hotfix package updates have been released for Debian, Ubuntu, RHEL and SUSE. A set of patches has been proposed for GRUB2.

Source: opennet.ru
