We recently shared here on the blog the news about the problem caused by a Microsoft update on dual-boot systems with Linux distributions that use GRUB. Regarding what happened, we mentioned in that article that the "goal" of the update was to address a GRUB vulnerability from two years ago, "CVE-2022-2601", which allows attackers to bypass Secure Boot protections, but which, far from being a benefit, ended up harming many users.
Days after the incident, Matthew Garrett, a well-known Linux kernel developer, published a post explaining how the SBAT mechanism works. In it, he mentions that SBAT was created to block vulnerabilities in the bootloader without needing to revoke digital signatures, and that it was the central element in the recent breakage caused by a Windows update that affected some Linux distributions on systems with UEFI Secure Boot, preventing them from booting.
According to Garrett, both Microsoft and some Linux developers share responsibility for the problem: Microsoft for not properly testing the update in all scenarios, and the Linux developers for not updating GRUB and its SBAT generation number when a vulnerability was found in GRUB.
Garrett also mentions that when the UEFI Secure Boot specification was created, everyone involved took its limitations into account.
The original Secure Boot security model states that all code executed in a privileged, kernel-level environment must be verified before execution: the firmware verifies the bootloader, the bootloader verifies the kernel, and the kernel verifies any additional code loaded at runtime. In this way, a trusted environment is established on which further security policies can be applied.
In addition, he notes that although there is the possibility of "making mistakes" along the way, the specification includes a way to revoke untrusted components: the hash of the problematic code is simply added to a variable, and any code with that hash is refused, even if it was signed with a trusted key.
Up to this point everything is fine, but Garrett mentions that the problem lies in scale and, above all, in the fragmentation of the Secure Boot ecosystem, since each distribution produces its own bootloader binaries, each with its own hash.
That is why, he explains, when a vulnerability is found in the bootloader source code, a large number of different binaries have to be revoked. Moreover, the memory available to store the variable holding all these hashes is limited, and there is not enough space to add a new set of hashes every time a vulnerability is discovered in GRUB, which is why a different solution was needed.
That solution is SBAT.
The concept behind SBAT is simple: each important component in the boot chain declares a security generation number that is embedded in the signed binary. When a vulnerability is discovered and fixed, this generation number is incremented. From there, it is possible to issue an update that sets the minimum accepted generation. Boot components check this number to decide whether they may execute the next item in the boot chain, comparing the name and generation number against the values stored in a firmware variable.
Instead of revoking many hashes, a single update can say: "Every version of GRUB with a security generation lower than this number is considered untrusted."
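The generation check described above, as an added example that is not code from Garrett's post or from shim. It assumes SBAT data is CSV with the component name and generation in the first two columns; the component names, generation numbers, date stamp and URLs are constructed, and refusing a binary with no metadata is a policy choice of this example.

```python
import csv
import io

# Constructed SBAT metadata for two builds of a bootloader (not real binaries).
OLD_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,1,Free Software Foundation,grub,2.04,https://example.invalid/grub
grub.exampledistro,1,Example Distro,grub2,2.04-1,https://example.invalid/pkg
"""
FIXED_GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://example.invalid/sbat
grub,2,Free Software Foundation,grub,2.06,https://example.invalid/grub
grub.exampledistro,1,Example Distro,grub2,2.06-1,https://example.invalid/pkg
"""
# Constructed minimum-generation policy, as it would sit in the firmware variable.
SBAT_LEVEL = "sbat,1,2024010100\ngrub,2\n"


def parse_sbat(text):
    """Return {component: generation} from SBAT CSV text."""
    entries = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[0].strip():
            continue  # blank or malformed line
        entries[row[0].strip()] = int(row[1])
    return entries


def may_execute(binary_sbat, minimum_levels):
    """Return (allowed, reasons) for loading the next boot component."""
    have = parse_sbat(binary_sbat)
    if not have:
        return False, ["no SBAT metadata"]
    reasons = []
    for name, required in parse_sbat(minimum_levels).items():
        # Only components named in the policy are compared; others pass.
        if name in have and have[name] < required:
            reasons.append(f"{name}: generation {have[name]} < required {required}")
    return not reasons, reasons


if __name__ == "__main__":
    for label, sbat in (("old", OLD_GRUB_SBAT), ("fixed", FIXED_GRUB_SBAT)):
        print(label, may_execute(sbat, SBAT_LEVEL))
```

A single `grub,2` line in the policy rejects every build that still declares generation 1, regardless of which distribution signed it or what its hash is.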
Linux, the one really responsible
Garrett mentions that the error preventing some systems from booting after the update does not come from Microsoft's code, but from shim, a component of the Linux boot chain.
Although Microsoft issued the SBAT update, it is the Linux bootloader that refuses to run old versions of GRUB, so everything is working as expected from a technical standpoint.
That is why the real problem lies in the fact that many Linux distributions have not released new versions of GRUB that include the security fixes and the new SBAT generations. As a result, those GRUB versions are considered insecure, and shim blocks their execution.
It is important to note that GRUB is signed by the Linux distributions themselves, not by Microsoft, which rules out any external delay in the updates.
As for Garrett's explanation, he mentions that Microsoft released the update so that it would be applied only on Windows systems (as it should be), and that the problem came from the distributions that were still shipping vulnerable versions, which caused the trouble with dual boot.
Finally, he mentions that in this case, unfortunately, the main victims of the situation are end users, who suddenly found that they could not boot the system they wanted.
This is something that should not have happened. While I understand the need for UEFI Secure Boot to be enabled by default, and I generally support Microsoft's decision, it is clear that the attempt to withhold the update on dual-boot systems did not work as expected.
If you are interested in learning more about it, I invite you to consult Matthew Garrett's original post at the following link.