Lennart Poettering has published a proposal for modernizing the boot process of Linux distributions, aimed at solving existing problems and simplifying the organization of a fully verified boot that confirms the authenticity of the kernel and the base system environment. The changes required to use the new architecture are already included in the systemd code base and affect components such as systemd-stub, systemd-measure, systemd-cryptenroll, systemd-cryptsetup, systemd-pcrphase and systemd-creds.
The proposed changes boil down to creating a single universal UKI (Unified Kernel Image) that combines the Linux kernel image, a stub for loading the kernel from UEFI (UEFI boot stub) and the initrd system environment used for initial initialization at the stage before the root FS is mounted. Instead of an initrd RAM-disk image, the entire system can also be packed into the UKI, which makes it possible to create fully verified system environments that are loaded into RAM. The UKI image is produced as an executable file in PE format that can be loaded not only by traditional bootloaders but also invoked directly by the UEFI firmware.
The ability to be invoked from UEFI allows integrity and authenticity to be verified by a digital signature that covers not only the kernel but also the contents of the initrd. At the same time, support for invocation from traditional bootloaders preserves capabilities such as shipping several versions of the kernel and automatically rolling back to a working kernel if problems with the new kernel are detected after an update is installed.
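The UKI container described above is an ordinary PE file whose payloads are PE sections, so which parts of the boot chain the signature covers can be read straight from the section table. The following inspector is an added example (not the article's or systemd's code): it parses the PE/COFF section table and reports which UKI payload sections are bundled; the section names are those systemd-stub documents, and the sample images are constructed in memory.

```python
import struct

# Section names systemd-stub looks for inside a UKI (documented in the systemd-stub man
# page): .linux is mandatory, the rest are optional payloads inside the same signed PE.
UKI_SECTIONS = {".linux", ".osrel", ".cmdline", ".initrd", ".splash", ".dtb",
                ".uname", ".pcrsig", ".pcrpkey"}

def pe_sections(data: bytes) -> dict:
    """Parse the PE/COFF section table and return {name: size_of_raw_data}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = {}
    for i in range(nsections):
        entry = data[table + 40 * i:table + 40 * (i + 1)]
        name = entry[:8].rstrip(b"\0").decode("ascii", "replace")
        sections[name] = struct.unpack_from("<I", entry, 16)[0]  # SizeOfRawData
    return sections

def uki_report(data: bytes) -> dict:
    """Report whether the image is a UKI and which verified payloads it bundles."""
    found = {n: s for n, s in pe_sections(data).items() if n in UKI_SECTIONS}
    return {"is_uki": ".linux" in found,
            "initrd_bundled": ".initrd" in found,   # initrd inside the signed image
            "pcr_policy": ".pcrsig" in found,       # signed PCR policy for TPM unlock
            "sections": found}

def build_fake_pe(sections) -> bytes:
    """Constructed sample input: minimal PE skeleton with the given (name, size) sections."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                    # e_lfanew -> 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = 0x40 + 4 + 20 + 40 * len(sections)
    for name, size in sections:
        hdr += name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIIIIIHHI", size, 0, size, raw_ptr, 0, 0, 0, 0, 0)
        raw_ptr += size
    return bytes(hdr) + b"\0" * sum(s for _, s in sections)

# Constructed samples: a UKI-shaped image, and a kernel-only stub image without an initrd.
SAMPLE_UKI = build_fake_pe([(".text", 64), (".osrel", 32), (".cmdline", 16),
                            (".linux", 256), (".initrd", 512)])
SAMPLE_PLAIN = build_fake_pe([(".text", 64), (".linux", 256)])
```

To inspect a real image, pass the bytes of the `.efi` file to `uki_report`; an image whose report lacks `initrd_bundled` still loads its initrd outside the signature, which is exactly the gap the article describes.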
Currently, most Linux distributions use the chain "firmware → shim layer certified by Microsoft's digital signature → GRUB certified by the distribution's digital signature → Linux kernel certified by the distribution's digital signature → unverified initrd environment → root FS" in the boot process. The absence of initrd verification in traditional distributions creates security problems, since, among other things, the keys for decrypting the root FS are retrieved in this environment.
Initrd verification is not supported because this file is generated on the user's local system and cannot be certified by the distribution's digital signature, which greatly complicates the check when Secure Boot mode is used (to certify the initrd, the user would have to generate their own keys and load them into the UEFI firmware). In addition, the existing boot organization does not allow information from TPM PCRs (Platform Configuration Registers) to be used to monitor the integrity of any components other than shim, GRUB and the kernel.
Among the existing problems, the complexity of updating the bootloader and the inability to restrict access to keys in the TPM for old versions of the OS that became obsolete after an update was installed are also mentioned.
The main goals of introducing the new boot architecture:
- Providing a fully verified boot process that covers all stages from the firmware to user space and confirms the authenticity and integrity of the components.