Release of the systemd 252 system manager with UKI support

After five months of development, the release of the systemd 252 system manager has been presented. The key change in the new version is integrated support for a modernized boot process in which digital signatures are verified not only for the kernel and the bootloader, but also for the components of the base system environment.

The proposed method relies on a Unified Kernel Image (UKI), which bundles a UEFI boot stub (a loader for starting the kernel from UEFI), the Linux kernel image and the initrd environment used for initial initialization at the stage before the root filesystem is mounted. A UKI is a single executable file in PE format that can be loaded by conventional bootloaders or invoked directly by the UEFI firmware. When it is invoked from UEFI, the integrity and authenticity of the digital signature can be verified not only for the kernel but also for the contents of the initrd.

A new systemd-measure utility is included for pre-computing the expected TPM PCR (Trusted Platform Module Platform Configuration Register) values that booting a UKI will produce, and for signing them so that they can be used for integrity control. The public key and the signature over the PCR values can be embedded directly into the UKI boot image (the key and the signature are stored in the '.pcrpkey' and '.pcrsig' sections of the PE file) and extracted from it by external or built-in utilities. In particular, the systemd-cryptsetup, systemd-cryptenroll and systemd-creds utilities have been adapted to use this information, which makes it possible to tie the unlocking of encrypted volumes to the kernel's digital signature (access to an encrypted volume is then granted only if the PCR values recorded in the TPM match values signed for a verified UKI image).
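To make the PE layout described above concrete, the following Python example (added here; it is not systemd code) constructs a minimal PE32+ file with UKI-style sections and then walks the section table to pull out '.pcrsig' and '.pcrpkey', which is all an external tool needs to do to read the signed PCR policy and its public key. The payloads are constructed placeholders: the JSON follows the shape systemd-measure writes (PCR list, key fingerprint, policy digest, signature), but the values are dummies, the "key" is not a real key, and the file alignment of 512 bytes is an assumption.

```python
import json
import struct

FILE_ALIGN = 512          # PE file alignment used for the constructed image (assumption)
OPT_HDR_SIZE = 240        # size of a PE32+ optional header
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout, 40 bytes


def _align(n, a):
    return (n + a - 1) // a * a


def build_uki_like_pe(sections):
    """Construct a minimal PE32+ file carrying the given {name: payload} sections,
    laid out the way objcopy --add-section does: VirtualSize holds the true payload
    length while SizeOfRawData is padded to FILE_ALIGN. Constructed test data only:
    there is no stub code and no real kernel, so the result does not boot."""
    e_lfanew = 0x40
    n = len(sections)
    first_raw = _align(e_lfanew + 24 + OPT_HDR_SIZE + 40 * n, FILE_ALIGN)
    raw_ptr, va = first_raw, 0x1000
    headers, bodies = [], []
    for name, payload in sections.items():
        raw_size = _align(len(payload), FILE_ALIGN)
        headers.append(struct.pack(SECTION_HDR, name.ljust(8, b"\0"), len(payload), va,
                                   raw_size, raw_ptr, 0, 0, 0, 0, 0x40000040))
        bodies.append(payload.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
        va += _align(len(payload), 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)     # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, OPT_HDR_SIZE, 0x0022)
    opt = struct.pack("<H", 0x20B).ljust(OPT_HDR_SIZE, b"\0")        # PE32+ magic, rest zeroed
    return (dos + coff + opt + b"".join(headers)).ljust(first_raw, b"\0") + b"".join(bodies)


def pe_sections(data):
    """Return {section_name: payload} by reading a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    (n_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    out = {}
    for i in range(n_sections):
        name, vsize, _va, rsize, rptr, *_ = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii")  # 8-byte names carry no NUL terminator
        size = min(vsize, rsize) if vsize else rsize  # drop file-alignment padding
        out[name] = data[rptr:rptr + size]
    return out


def extract_pcr_metadata(data):
    """Return (signed PCR policy as parsed JSON, public key PEM text) from a UKI."""
    secs = pe_sections(data)
    if ".pcrsig" not in secs or ".pcrpkey" not in secs:
        raise KeyError("image carries no .pcrsig/.pcrpkey sections")
    return json.loads(secs[".pcrsig"].decode("utf-8")), secs[".pcrpkey"].decode("ascii")


# Constructed sample payloads (placeholders; the signature values are dummies).
SAMPLE_PCRSIG = json.dumps({"sha256": [{"pcrs": [11], "pkfp": "00" * 32,
                                        "pol": "11" * 32, "sig": "cGxhY2Vob2xkZXI="}]}).encode()
SAMPLE_PCRPKEY = b"-----BEGIN PUBLIC KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PUBLIC KEY-----\n"

SAMPLE_UKI = build_uki_like_pe({
    b".osrel": b"ID=example\nVERSION_ID=1\n",
    b".cmdline": b"root=LABEL=root ro\0",
    b".linux": b"\x7fELF placeholder kernel",
    b".initrd": b"0707 placeholder initrd",
    b".pcrsig": SAMPLE_PCRSIG,
    b".pcrpkey": SAMPLE_PCRPKEY,
})

if __name__ == "__main__":
    policy, pubkey = extract_pcr_metadata(SAMPLE_UKI)
    print("sections:", sorted(pe_sections(SAMPLE_UKI)))
    print("signed PCRs:", policy["sha256"][0]["pcrs"])
    print(pubkey, end="")
```

Run against a real UKI, `pe_sections()` yields the same dictionary, with the '.linux' and '.initrd' entries being the kernel and initrd that the stub measures; the padding trim matters because objcopy rounds SizeOfRawData up to the file alignment and the signed JSON would otherwise carry trailing NUL bytes.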

Also newly included is the systemd-pcrphase utility, which makes it possible to tie individual boot stages to values recorded in the registers of cryptoprocessors that support the TPM 2.0 specification. It does this by measuring a string identifying the current phase (such as enter-initrd or leave-initrd) into PCR 11, so a policy bound to the earlier PCR value stops matching once the next phase has been recorded (for example, a LUKS2 volume can be made decryptable only while the initrd image is running and inaccessible at later boot stages).
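The following Python example (added here, not systemd's own code) replays the PCR 11 arithmetic that systemd-measure pre-computes and that systemd-stub and systemd-pcrphase perform at boot, and uses it to show why a volume bound to the initrd phase can no longer be unlocked after leave-initrd or after the initrd has been altered. Assumptions are marked in the code: the section order, the name-then-contents measurement encoding, and the phase strings being measured without a terminator; the equality check stands in for the TPM's PCR policy, so the signature and public key from '.pcrsig'/'.pcrpkey' are out of scope here. The section contents are constructed placeholders.

```python
import hashlib

# PCR that systemd-stub measures the UKI payload sections into and that
# systemd-pcrphase extends with boot-phase strings.
PCR_INDEX = 11
# Measured sections in replay order; the order is assumed to match systemd 252.
MEASURED_SECTIONS = (".linux", ".osrel", ".cmdline", ".initrd", ".splash", ".dtb")
SHA256_ZERO = bytes(32)  # reset value of a sha256-bank PCR


def pcr_extend(pcr, data):
    """TPM 2.0 PCR extend for the sha256 bank: new = H(old || H(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def predict_pcr11(sections, phases=()):
    """Replay PCR 11 for a UKI with the given {section: bytes} contents, then the
    phase strings recorded by systemd-pcrphase. Assumed encoding: the section name
    including its NUL terminator, then the section contents; each phase string as
    bare bytes with no terminator. Absent sections are skipped, not measured empty."""
    pcr = SHA256_ZERO
    for name in MEASURED_SECTIONS:
        payload = sections.get(name)
        if payload is None:
            continue
        pcr = pcr_extend(pcr, name.encode("ascii") + b"\0")
        pcr = pcr_extend(pcr, payload)
    for phase in phases:
        pcr = pcr_extend(pcr, phase.encode("ascii"))
    return pcr


def unlock_allowed(expected_pcr, sections, phases):
    """Stand-in for the TPM policy check: unlock succeeds only while the live
    PCR 11 value equals the value the signed policy was computed for."""
    return predict_pcr11(sections, phases) == expected_pcr


# Constructed sample UKI payloads (placeholders, not a real kernel or initrd).
SAMPLE_SECTIONS = {
    ".linux": b"\x7fELF placeholder kernel",
    ".osrel": b"ID=example\nVERSION_ID=1\n",
    ".cmdline": b"root=LABEL=root ro\0",
    ".initrd": b"0707 placeholder initrd",
}

# The value systemd-measure would sign for the initrd phase of this image.
INITRD_PHASE_PCR = predict_pcr11(SAMPLE_SECTIONS, ("enter-initrd",))

if __name__ == "__main__":
    tampered = dict(SAMPLE_SECTIONS, **{".initrd": SAMPLE_SECTIONS[".initrd"] + b"\n"})
    print("PCR11 at enter-initrd   :", INITRD_PHASE_PCR.hex())
    print("unlock inside initrd    :", unlock_allowed(INITRD_PHASE_PCR, SAMPLE_SECTIONS, ("enter-initrd",)))
    print("unlock after leave-initrd:", unlock_allowed(INITRD_PHASE_PCR, SAMPLE_SECTIONS, ("enter-initrd", "leave-initrd")))
    print("unlock with altered initrd:", unlock_allowed(INITRD_PHASE_PCR, tampered, ("enter-initrd",)))
```

The point to take from the replay is that the pre-computed value is a function of every measured section and every phase string recorded so far: changing one byte of the initrd, or recording one more phase, moves PCR 11 to a value the signed policy does not cover, which is exactly the property the LUKS2-in-initrd-only use case relies on.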

Compatibility-breaking changes:

  • When the kernel version is checked with the ConditionKernelVersion directive, the '=' and '!=' operators now perform a simple string comparison, and if no comparison operator is given at all, a glob pattern is matched using the characters '*', '?' and '[', ']'. For version comparison in the style of the strverscmp() function, the '<>' and '==' operators should be used.
  • The SELinux label used for access checks on a unit file is now read when the file is loaded, not at the time of the check.
