Vulnerability in AMD CPUs that allows bypassing the SEV (Secure Encrypted Virtualization) protection mechanism

Researchers at the Helmholtz Center for Information Security (CISPA) have published a new attack method, CacheWarp, for compromising the AMD SEV (Secure Encrypted Virtualization) security mechanism used in virtualization systems to protect virtual machines from interference by the hypervisor or the host system administrator. The proposed method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges inside a virtual machine protected by AMD SEV.

The attack relies on a vulnerability (CVE-2023-20592) caused by incorrect cache handling during execution of the INVD instruction, through which it is possible to obtain stale data in memory and in the cache and to bypass the mechanisms for preserving the memory integrity of virtual machines that are implemented on the basis of the SEV-ES and SEV-SNP extensions. The vulnerability affects AMD EPYC processors from the first through the third generation.

For third-generation AMD EPYC processors (Zen 3), the issue is fixed in the November microcode update that AMD released yesterday (the fix does not cause any performance degradation). For the first and second generations of AMD EPYC (Zen 1 and Zen 2), no protection is provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. Fourth-generation AMD EPYC "Genoa" processors based on the "Zen 4" microarchitecture are not affected.

AMD SEV technology is used to isolate virtual machines by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. In addition, the SEV-ES (Encrypted State) extension protects CPU registers. Only the current guest system has access to the decrypted data; when other virtual machines or the hypervisor try to access this memory, they receive encrypted data.

The third generation of AMD EPYC processors introduced an additional extension, SEV-SNP (Secure Nested Paging), which ensures safe operation with nested memory page tables. On top of general memory encryption and register isolation, SEV-SNP implements additional measures to protect integrity by preventing modifications of the VM by the hypervisor. Encryption keys are managed on the side of a separate PSP (Platform Security Processor) built into the chip, implemented on the basis of the ARM architecture.

The essence of the proposed attack method is to use the INVD instruction to invalidate (mark as invalid) cache lines belonging to dirty pages without writing the data accumulated in the cache back to memory (write back). The method therefore makes it possible to drop modified data from the cache without changing the state of memory. To carry out the attack, it is proposed to use software exceptions (fault injection) to interrupt the operation of the virtual machine at two points: at the first, the attacker invokes the "wbnoinvd" instruction to flush all write operations accumulated in the cache to memory, and at the second invokes the "invd" instruction to roll back write operations not yet reflected in memory to the old state.
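To make the write-back semantics described above concrete, here is an added toy cache model (constructed for this page, not the researchers' code or AMD's hardware behaviour): the address 0x1000 and the stored values are made-up inputs, and the model only tracks dirty lines, not real cache geometry.

```python
"""Toy write-back cache model showing why INVD (discard without write-back)
differs from WBINVD (write back, then discard).  Constructed example."""


class WriteBackCache:
    def __init__(self, memory):
        self.memory = memory   # backing store: addr -> value
        self.lines = {}        # cached copies: addr -> value
        self.dirty = set()     # addresses modified in cache but not yet in memory

    def read(self, addr):
        if addr not in self.lines:
            self.lines[addr] = self.memory[addr]   # fill line from memory
        return self.lines[addr]

    def write(self, addr, value):
        self.lines[addr] = value   # write-allocate: update stays in the cache
        self.dirty.add(addr)

    def wbnoinvd(self):
        """Write back all dirty lines but keep them cached (WBNOINVD)."""
        for addr in self.dirty:
            self.memory[addr] = self.lines[addr]
        self.dirty.clear()

    def wbinvd(self):
        """Write back all dirty lines, then drop every line (WBINVD)."""
        self.wbnoinvd()
        self.lines.clear()

    def invd(self):
        """Drop every line WITHOUT write-back (INVD): dirty data is lost."""
        self.lines.clear()
        self.dirty.clear()


def run_sequence(initial, updated, flush):
    """Read, flush, write, then apply `flush` again and re-read the value.

    Memory itself is never modified by the final flush, which is why an
    integrity check that only watches memory writes sees nothing unusual."""
    memory = {0x1000: initial}          # constructed single-word memory
    cache = WriteBackCache(memory)
    cache.read(0x1000)
    cache.wbnoinvd()                    # point 1: earlier writes reach memory
    cache.write(0x1000, updated)        # guest updates the value (e.g. a flag)
    flush(cache)                        # point 2: WBINVD keeps it, INVD drops it
    return cache.read(0x1000)           # refill from memory after the flush
```

`run_sequence(0, 1, WriteBackCache.invd)` yields the stale value 0, while the same sequence with `WriteBackCache.wbinvd` yields 1.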

To check a system for the vulnerability, a prototype exploit has been published that allows injecting changes into a virtual machine protected by AMD SEV and rolling back changes in the VM that have not yet been saved to memory. Rolling back a change can be used to alter the program's control flow by restoring an old return address on the stack, or to reuse the login credentials of an old session obtained earlier by restoring the value of an authentication attribute.

As an example, the researchers showed that the CacheWarp method can be used to carry out a Bellcore attack on the implementation of the RSA-CRT algorithm in the ipp-crypto library, which made it possible to recover the private key through fault injection during computation of a digital signature. They also showed how the session authentication parameters in OpenSSH can be altered when connecting to the guest system, and how the verification state can be changed when running sudo to obtain root privileges on Ubuntu 20.04. The exploit was tested on systems with AMD EPYC 7252, 7313P and 7443 processors.

Source: opennet.ru