Lennart Poettering (author of systemd) recently announced a proposal to modernize the boot process of Linux distributions, with the aim of solving existing problems and making it easier to set up a fully verified boot that confirms the authenticity of the kernel and of the underlying system environment.
The proposed changes come down to creating a single universal UKI (Unified Kernel Image) that combines the Linux kernel image, the handler that loads the kernel from UEFI (the UEFI boot stub), and the initrd system environment that is loaded into memory and used for early initialization before the root FS is mounted.
Instead of an initrd ramdisk image, the whole system can be packed into the UKI, which makes it possible to create fully verified system environments that are loaded into RAM. The UKI image is assembled as an executable file in PE format, which can be loaded not only by traditional bootloaders but can also be invoked directly from the UEFI firmware.
Being callable from UEFI makes it possible to apply digital-signature validation and integrity checks that cover not only the kernel but also the contents of the initrd. At the same time, support for being called from traditional bootloaders preserves maintenance features such as shipping several kernel versions and automatically falling back to a working kernel if problems with the new kernel are found after the latest version is installed.
Currently, most Linux distributions use the chain "firmware → Microsoft-signed shim layer → distribution-signed GRUB bootloader → distribution-signed Linux kernel → unsigned initrd environment → root FS" in the boot process. The lack of initrd verification in traditional distributions creates security problems, since, among other things, this environment is where the keys for decrypting the root FS are retrieved.
Verification of the initrd image is not supported because this file is generated on the user's local system and cannot be certified by the distribution's digital signature, which makes it very difficult to set up verification when using SecureBoot mode (to verify the initrd, the user has to generate their own keys and load them into the UEFI firmware).
Furthermore, the existing boot arrangement does not allow information from the TPM PCR (Platform Configuration Register) registers to be used to control the integrity of userspace components other than shim, grub and the kernel. Among the existing problems, the complexity of updating the bootloader and the inability to restrict access to keys in the TPM for old versions of the operating system that have become obsolete after an update is installed are also mentioned.
The main goals of introducing the new boot architecture:
- Provide a fully verified boot process that covers all stages from the firmware to user space and confirms the validity and integrity of the loaded components.
- Bind controlled resources to TPM PCR registers, with separation by owner.
- Make it possible to precompute PCR values from the booted kernel, the initrd, the configuration and the local system ID.
- Protect against rollback attacks that revert the system to a previous, vulnerable version.
- Simplify updates and make them more reliable.
- Support OS upgrades that do not require re-enrolling or re-provisioning TPM-protected resources locally.
- Be ready for remote attestation that confirms the correctness of the operating system and of the boot configuration.
- Make it possible to tie sensitive data to specific boot stages, for example by releasing the root FS encryption keys from the TPM.
- Provide a secure, automatic and silent process for unlocking the keys that decrypt the drive holding the root partition.
- Use chips that support the TPM 2.0 specification, with the ability to fall back on systems without a TPM.
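To make the mechanism behind these goals concrete, here is an added illustration in Python; it is not code from the article or from systemd. It models a UKI as a set of named sections, a boot stub that extends a TPM PCR with each section (so the final PCR value can be precomputed from the image alone, as systemd-measure does offline), and a secret sealed to that predicted value, which is what stops a rolled-back image from releasing the root FS key. The section names, their measurement order, the event-log format, the "seal"/"unseal" helpers (a stand-in for a TPM PCR policy, not real TPM calls) and all image contents are assumptions constructed for the example; systemd-stub does measure UKI sections into PCR 11, but the exact section set and order are defined by systemd, not by this code.

```python
"""Measured-boot model for a Unified Kernel Image (added example, not systemd code)."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

PCR_INIT = bytes(32)   # a TPM 2.0 SHA-256 PCR starts out as 32 zero bytes
PCR_INDEX = 11         # systemd-stub measures UKI sections into PCR 11

# ASSUMPTION: representative UKI sections in a fixed order. The real stub's
# section set and order are defined by systemd; this subset shows the mechanism.
MEASURED_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".uname")


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM2_PCR_Extend semantics: new = SHA-256(old || SHA-256(data)).
    One-way and order-dependent, so one PCR summarises a whole measurement sequence."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr(sections: Dict[str, bytes]) -> bytes:
    """Precompute the PCR value from the image contents alone (no TPM needed),
    which is what lets a key be enrolled against an image before it ever boots."""
    pcr = PCR_INIT
    for name in MEASURED_SECTIONS:
        if name in sections:
            pcr = pcr_extend(pcr, sections[name])
    return pcr


def boot_and_measure(sections: Dict[str, bytes]) -> Tuple[bytes, List[str]]:
    """Simulate the boot stub: measure each section and record an event-log line
    (constructed format) that a remote verifier could replay against the PCR."""
    pcr, log = PCR_INIT, []
    for name in MEASURED_SECTIONS:
        if name in sections:
            pcr = pcr_extend(pcr, sections[name])
            log.append(f"PCR{PCR_INDEX} {name} {hashlib.sha256(sections[name]).hexdigest()}")
    return pcr, log


def seal(secret: bytes, expected_pcr: bytes) -> Dict[str, bytes]:
    """Toy stand-in for TPM sealing under a PCR policy (assumption, not a TPM API):
    the secret (up to 32 bytes) is bound to one expected PCR value, and a MAC lets
    unseal() notice a mismatch instead of returning garbage."""
    key = hashlib.sha256(b"seal-key" + expected_pcr).digest()
    stream = hashlib.sha256(b"seal-stream" + expected_pcr).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    return {"ct": ct, "tag": hmac.new(key, ct, "sha256").digest()}


def unseal(blob: Dict[str, bytes], actual_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the live PCR equals the value it was sealed to."""
    key = hashlib.sha256(b"seal-key" + actual_pcr).digest()
    if not hmac.compare_digest(hmac.new(key, blob["ct"], "sha256").digest(), blob["tag"]):
        return None
    stream = hashlib.sha256(b"seal-stream" + actual_pcr).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


# Constructed sample images (placeholders, not real kernels): the current UKI and
# the previous release it replaced. Both would carry a valid distribution signature;
# only the PCR policy tells them apart.
UKI_CURRENT = {
    ".linux":   b"<constructed kernel 6.2 image bytes>",
    ".osrel":   b"ID=example\nVERSION_ID=2\n",
    ".cmdline": b"root=/dev/mapper/root ro quiet",
    ".initrd":  b"<constructed initrd cpio archive, v2>",
    ".uname":   b"6.2.0",
}
UKI_PREVIOUS = {
    **UKI_CURRENT,
    ".linux":  b"<constructed kernel 6.1 image bytes>",
    ".initrd": b"<constructed initrd cpio archive, v1>",
    ".uname":  b"6.1.0",
}
ROOT_KEY = hashlib.sha256(b"constructed root volume key").digest()


def enroll_current_image() -> Dict[str, bytes]:
    """Enrollment (the role systemd-cryptenroll plays): seal the root key to the
    PCR value predicted for UKI_CURRENT, without booting it first."""
    return seal(ROOT_KEY, predict_pcr(UKI_CURRENT))


def try_boot(uki: Dict[str, bytes], blob: Dict[str, bytes]) -> Optional[bytes]:
    """Boot an image, then try to unseal the root key against the live PCR."""
    pcr, _log = boot_and_measure(uki)
    return unseal(blob, pcr)


if __name__ == "__main__":
    blob = enroll_current_image()
    print("current image unlocks root FS:", try_boot(UKI_CURRENT, blob) == ROOT_KEY)
    print("rolled-back image unlocks root FS:", try_boot(UKI_PREVIOUS, blob) is not None)
    print("\n".join(boot_and_measure(UKI_CURRENT)[1]))
```

Two properties of `pcr_extend` carry the whole design: the predicted value equals the measured value whenever the image is byte-for-byte the one that was enrolled, and any change to a measured section (an older kernel, a different initrd, an edited command line) produces a different PCR, so the sealed key simply does not unseal. Because prediction needs only the image, the distribution can ship the expected PCR values (and, in systemd's design, a signature over them) alongside the UKI, which is what makes enrollment survive updates without re-provisioning.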
The changes needed to implement the new architecture are already included in the systemd codebase and affect components such as systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase and systemd-creds.
Finally, if you are interested in learning more about it, you can check the details at the following link.
Lots of garbage from lennart..