U-Lennart Poettering ushicilele isiphakamiso sokwenza inqubo yebhuthi ibe yesimanjemanje yokusabalalisa kwe-Linux, okuhloswe ngayo ukuxazulula izinkinga ezikhona kanye nokwenza lula ukuhlelwa kwebhuthi egcwele eqinisekisiwe eqinisekisa ukwethembeka kwe-kernel kanye nemvelo yesistimu engaphansi. Izinguquko ezidingekayo ukuze kusetshenziswe isakhiwo esisha sezivele zifakiwe ku-codebase ye-systemd futhi zithinta izingxenye ezifana ne-systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase kanye ne-systemd-creds.
Izinguquko ezihlongozwayo ziqhubekela ekwakhiweni kwesithombe esisodwa sendawo yonke i-UKI (Isithombe Sekernel Esihlanganisiwe), esihlanganisa isithombe se-Linux kernel, isibambi sokulayisha i-kernel esuka ku-UEFI (UEFI boot stub) kanye nemvelo yesistimu ye-initrd elayishwe kumemori, esetshenziselwa ukuqaliswa kokuqala esiteji ngaphambi kokukhweza impande ye-FS. Esikhundleni sesithombe sediski ye-RAM ye-initrd, lonke uhlelo lungahlanganiswa ku-UKI, okukuvumela ukuthi udale izindawo zesistimu eziqinisekiswe ngokugcwele ezilayishwe ku-RAM. Isithombe se-UKI sifomethwe njengefayela elisebenzisekayo ngefomethi ye-PE, engalayishwa hhayi kuphela ngokusebenzisa ama-bootloaders endabuko, kodwa ingabizwa ngokuqondile ku-firmware ye-UEFI.
Ikhono lokushaya ucingo luvela ku-UEFI likuvumela ukuthi usebenzise isheke lobuqotho lesiginesha yedijithali elingavali nje i-kernel, kodwa futhi nokuqukethwe kwe-initrd. Ngasikhathi sinye, ukusekelwa kokushaya ucingo kusuka kuma-bootloader endabuko kukuvumela ukuthi ugcine izici ezinjengokulethwa kwezinguqulo ezimbalwa ze-kernel kanye nokuhlehlisa okuzenzakalelayo ku-kernel esebenzayo uma izinkinga zitholwa nge-kernel entsha ngemuva kokufaka isibuyekezo.
Okwamanje, ekusabalaliseni okuningi kwe-Linux, inqubo yokuqalisa isebenzisa iketango βi-firmware β isendlalelo se-Microsoft shim esayiniwe ngedijithali β I-GRUB boot loader esayinwe ngedijithali ukusatshalaliswa β i-Linux kernel esayiniwe ngedijithali β indawo ye-initrd engasayiniwe β impande FS.β Ukuntuleka kokuqinisekisa kwe-initrd ekusabalaliseni okungokwesiko kudala izinkinga zokuphepha, njengoba, phakathi kwezinye izinto, kule ndawo okhiye bokukhipha ukubethela kwesistimu yefayela lempande bayabuyiswa.
Ukuqinisekiswa kwesithombe se-initrd akusekelwe njengoba leli fayela likhiqizwa ohlelweni lwasendaweni lomsebenzisi futhi alikwazi ukuqinisekiswa ngesiginesha yedijithali yekhithi yokusabalalisa, okwenza kube nzima kakhulu inhlangano yokuqinisekisa uma usebenzisa imodi ye-SecureBoot (ukuqinisekisa i-initrd, i- umsebenzisi udinga ukukhiqiza okhiye bakhe futhi abalayishe ku-firmware ye-UEFI). Ukwengeza, inhlangano yamanje yokuqalisa ayikuvumeli ukusetshenziswa kolwazi olusuka kurejista ye-TPM PCR (i-Platform Configuration Register) ukuze kulawulwe ubuqotho bezingxenye zesikhala somsebenzisi ngaphandle kwe-shim, grub ne-kernel. Phakathi kwezinkinga ezikhona, inkimbinkimbi yokubuyekeza i-bootloader kanye nokungakwazi ukukhawulela ukufinyelela kokhiye ku-TPM ezinguqulweni ezindala ze-OS eziye zangabalulekile ngemva kokufaka isibuyekezo nazo ziyashiwo.
Izinjongo eziyinhloko zokwethula isakhiwo esisha sokulayisha yilezi:
- Ihlinzeka ngenqubo yokuqalisa eqinisekiswe ngokugcwele esukela ku-firmware iye esikhaleni somsebenzisi, okuqinisekisa ukufaneleka nobuqotho bezingxenye eziqaliswayo.
- Ukuxhumanisa izinsiza ezilawulwayo kumarejista e-TPM PCR, ahlukaniswe umnikazi.
- Ikhono lokubala kusengaphambili amanani e-PCR ngokususelwa ku-kernel, i-initrd, ukucushwa kanye ne-ID yesistimu yendawo esetshenziswa ngesikhathi sokuqalisa.
- Ukuvikelwa ekuhlaselweni kokuhlehliswa okuhlobene nokuhlehlela emuva enguqulweni yangaphambili esengozini yesistimu.
- Yenza kube lula futhi ukhulise ukwethembeka kwezibuyekezo.
- Ukusekelwa kwezibuyekezo ze-OS ezingadingi ukuphinda kufakwe isicelo noma ukunikezwa kwendawo kwezisetshenziswa ezivikelwe yi-TPM.
- Isistimu isilungele ukunikezwa isitifiketi kwesilawuli kude ukuze kuqinisekiswe ukulunga kwe-OS elayishiwe nezilungiselelo.
- Ikhono lokunamathisela idatha ebucayi ezigabeni ezithile zokuqalisa, isibonelo, ukukhipha okhiye bokubethela besistimu yefayela lempande ku-TPM.
- Ihlinzeka ngenqubo evikelekile, ezenzakalelayo, nengenamsebenzisi yokuvula okhiye ukuze kuqashwe idrayivu yokuhlukanisa impande.
- Ukusetshenziswa kwama-chips asekela ukucaciswa kwe-TPM 2.0, okunekhono lokuhlehlisa kumasistimu ngaphandle kwe-TPM.
Source: opennet.ru