ProHoster > Blog > Ulamuliro > Chip chotseguka cha OpenTitan chidzalowa m'malo mwa mizu yodalirika ya Intel ndi ARM

Chip chotseguka cha OpenTitan chidzalowa m'malo mwa mizu yodalirika ya Intel ndi ARM

Chip chotseguka cha OpenTitan chidzalowa m'malo mwa mizu yodalirika ya Intel ndi ARM

Bungwe lopanda phindu zochepaRISC mothandizidwa ndi Google ndi othandizira ena pa Novembara 5, 2019 представила kulemba OpenTan, chomwe chimachitcha "pulojekiti yoyamba yotseguka kuti apange mapangidwe otseguka, apamwamba kwambiri a chip ndi mizu yodalirika (RoT) pamlingo wa hardware."

OpenTitan, kutengera kamangidwe ka RISC-V, ndi cholinga chapadera cha microchip choyika pa ma seva m'malo a data ndi zida zina zilizonse zomwe zimafuna kukhulupirika kwa boot, chitetezo cha firmware, ndi chitetezo cha rootkit, kuphatikiza mamabodi, makhadi amtaneti, ma routers, zida za IoT, zida zam'manja, ndi zina zambiri.

Zoonadi, ma modules oterewa alipo mu mapurosesa amakono. Mwachitsanzo, gawo la hardware la Intel Boot Guard ndilo muzu wa kukhulupirira ma processor a Intel. Imatsimikizira zowona za UEFI BIOS isanayambitse OS kudzera muunyinji wodalirika. Koma kodi tingadalire bwanji mizu yodalirika, popeza tilibe chitsimikizo kuti mapangidwewo alibe nsikidzi ndipo palibe njira yoyesera? Onani nkhaniyo. Wodalirika Boot Schrödinger. Intel Boot Guard ndi malongosoledwe a "momwe kachilombo kamene kanapangidwa kwa zaka zambiri popanga ogulitsa angapo amalola wotsutsa kuti agwiritse ntchito lusoli kuti apange rootkit yobisika mu dongosolo lomwe liri losasinthika (ngakhale ndi mapulogalamu)."

Chiwopsezo cha kusokonekera kwa zida pazogulitsa ndizodabwitsa kwambiri: zikuwoneka kuti katswiri aliyense wamagetsi amateur. akhoza kugulitsa cholakwika mu boardboard ya seva, pogwiritsa ntchito zida zosaposa $200. Akatswiri ena amakayikira kuti "mabungwe omwe ali ndi ndalama zokwana madola mamiliyoni mazana ambiri angakhale akuchita izi kwa zaka zambiri." Ngakhale kuti palibe umboni, ndizotheka kunena.

"Ngati simungakhulupirire bootloader ya hardware, masewera atha," akuti Gavin Ferris, membala wa bungwe la oyang'anira ku lowRISC, anati, "Ziribe kanthu zomwe opareshoni imachita-ngati mutasokonezedwa ndi nthawi yomwe makina opangira opaleshoni amayambira, zina zonse ndi nkhani ya teknoloji. Mwachita kale."

Vuto ili ndi lomwe loyamba la mtundu wake wotseguka wa hardware OpenTitan (Malo a GitHub, zolemba, hardware specifications). Kuchoka pamayankho a eni ake kumathandizira kusintha "makampani osagwira ntchito komanso opanda ungwiro a RoT," Google imakhulupirira.

Google idayamba kupanga Titan pambuyo pozindikira makina opangira a Minix ophatikizidwa mu tchipisi ta Intel Management Engine (ME). OS yovutayi idakulitsa kuwukira kwa Google m'njira zosayembekezereka komanso zosalamulirika. adayesa kuchotsa Intel Management Engine (ME), koma sizinaphule kanthu.

Kodi muzu wa kukhulupirirana ndi chiyani?

Gawo lililonse la dongosolo la boot system limatsimikizira kutsimikizika kwa gawo lotsatira, ndikupanga chain of trust.

Root of Trust (RoT) ndi njira yotsimikizika yozikidwa pa Hardware yomwe imatsimikizira kuti gwero la malangizo oyamba omwe atha kukwaniritsidwa mu unyolo wa trust silingasinthidwe. RoT imapereka chitetezo chofunikira ku rootkits. Ndilo gawo lofunikira la boot process, lomwe limakhudzidwa ndi kuyambitsa kwadongosolo kotsatira-kuchokera ku BIOS kupita ku OS ndi mapulogalamu. Iyenera kutsimikizira zowona za gawo lililonse lotsatira la boot. Kuti muchite izi, makiyi osainidwa ndi digito amagwiritsidwa ntchito pagawo lililonse. Chimodzi mwazinthu zodziwika bwino zoteteza makiyi a hardware ndi TPM (Trusted Platform Module).

Chip chotseguka cha OpenTitan chidzalowa m'malo mwa mizu yodalirika ya Intel ndi ARM
Kukhazikitsa muzu wa kukhulupirirana. Njira ya boot ya magawo asanu pamwambapa imakhazikitsa chinsinsi chodalirika, kuyambira ndi bootloader, yomwe imakhala mu kukumbukira kosasinthika. Gawo lirilonse limagwiritsa ntchito kiyi yapagulu kutsimikizira zowona za gawo lotsatira kuti liyambitsidwe. Chithunzi chochokera m'buku la Perry Lee Zomangamanga za intaneti ya Zinthu

RoT ikhoza kukhazikitsidwa m'njira zosiyanasiyana:

  • kutsitsa chithunzi ndi fungulo la mizu kuchokera ku firmware kapena kukumbukira kosasunthika;
  • kusunga makiyi a mizu mu kukumbukira nthawi imodzi yokonzekera kugwiritsa ntchito ma fuse bits;
  • kutsitsa kachidindo kuchokera kumalo otetezedwa okumbukira kupita kumalo otetezedwa.

Muzu wa chidaliro umagwiritsidwa ntchito mosiyana m'mapurosesa osiyanasiyana. Intel ndi ARM
thandizirani matekinoloje awa:

  • ARM TrustZoneARM imagulitsa chipika cha silicon kwa opanga ma chipmaker omwe amapereka muzu wa chidaliro ndi njira zina zachitetezo. Izi zimachotsa microprocessor kuchokera pachimake chosatetezeka; imayendetsa Trusted OS-dongosolo lotetezedwa lokhala ndi mawonekedwe omveka bwino ku zigawo zosatetezeka. Zida zotetezedwa zimakhala pachimake chodalirika ndipo zidapangidwa kuti zikhale zopepuka momwe zingathere. Kusintha pakati pa mitundu yosiyanasiyana ya zigawo kumachitika pogwiritsa ntchito masiwichi a hardware, kuchotsa kufunikira kwa pulogalamu yowunikira yotetezeka.
  • Intel Boot Guard - ndi njira ya Hardware yotsimikizira zowona za boot block yoyambira pogwiritsa ntchito njira za cryptographic kapena njira yoyezera. Kuti atsimikizire chipika choyambirira, wopanga ayenera kupanga kiyi ya 2048-bit, yomwe ili ndi magawo awiri: gawo la anthu ndi gawo lachinsinsi. Gawo la anthu onse limasindikizidwa pa bolodi ndi "detonating" ma fuse bits panthawi yopanga. Ma bits awa ndi nthawi imodzi ndipo sangasinthidwe. Gawo lachinsinsi la fungulo limapanga siginecha ya digito kuti itsimikizire kutsimikizika kwa siteji ya boot.

Pulatifomu ya OpenTitan imawulula mbali zazikulu za hardware ndi pulogalamu yamapulogalamu, monga zikuwonetsedwa pazithunzi pansipa.

Chip chotseguka cha OpenTitan chidzalowa m'malo mwa mizu yodalirika ya Intel ndi ARM

OpenTitan Platform

Pulatifomu ya OpenTitan ikupangidwa ndi bungwe lopanda phindu lowRISC. Gulu la mainjiniya lili ku Cambridge, UK, ndipo Google ndi omwe amathandizira kwambiri. Omwe adayambitsa nawo akuphatikizapo ETH Zurich, G+D Mobile Security, Nuvoton Technology, ndi Western Digital.

Google adafalitsa chilengezo Ntchitoyi idalengezedwa pabulogu yamakampani ya Google Open Source. Kampaniyo inanena kuti OpenTitan ikufuna "kupereka mapangidwe apamwamba a RoT ndi chitsogozo chophatikizana kuti agwiritse ntchito ma seva a data center, yosungirako, zipangizo zam'mphepete, ndi zina."

Muzu wa chidaliro ndi ulalo woyamba mu unyolo wodalirika pamlingo wotsika kwambiri mugawo lodalirika la makompyuta lomwe nthawi zonse limadaliridwa mokwanira ndi dongosolo.

RoT ndiyofunikira pamapulogalamu, kuphatikiza ma key mainfrastructures (PKIs). Ndilo maziko achitetezo omwe amathandizira machitidwe ovuta, monga ma IoT applications kapena data center. Chifukwa chake ndizomveka kuti Google ikuthandizira ntchitoyi. Pakali pano ikugwira ntchito 19 data centers pa makontinenti asanu. Malo osungiramo data, malo osungiramo zinthu, ndi mapulogalamu ofunikira kwambiri amawonetsa kuukira kwakukulu, ndipo pofuna kuteteza chitukukochi, Google poyamba inapanga mizu yake yodalirika, yomangidwa pa chip Titan.

Chip mwini wa Titan kwa Google data centers idayambitsidwa koyamba mu March 2017 Pamsonkhano wa Google Cloud Next, oimira Google adalongosola kuti, "Makompyuta athu amatsimikizira phukusi lililonse la pulogalamuyo mwachinsinsi ndikusankha ngati angawapatse mwayi wogwiritsa ntchito maukonde.

Chip chotseguka cha OpenTitan chidzalowa m'malo mwa mizu yodalirika ya Intel ndi ARM
Titan chip mu seva ya Google

Zomangamanga za Titan zinali za Google koma tsopano zikutulutsidwa pagulu ngati pulojekiti yotseguka.

Gawo loyamba la polojekiti ndikupanga mapangidwe omveka a RoT pamlingo wa chip, kuphatikiza microprocessor yotseguka. lowRISC chithunzi, cryptographic processors, hardware random number generator, key and memory hierarchies for non-voltage and non-voltage storage, security mechanisms, I / O peripherals, ndi njira zotetezera boot.

Google imati OpenTitan imamangidwa pa mfundo zitatu zofunika:

  • aliyense ali ndi mwayi woyesa nsanja ndikuthandizira;
  • Kuchulukirachulukira kosinthika kudzera pamapangidwe otseguka, otetezedwa mwanzeru omwe samatsekeredwa ndi zoletsa za eni ake;
  • khalidwe silinatsimikizidwe kokha ndi mapangidwe okha, komanso ndi firmware yofotokozera ndi zolemba.

"Tchipisi chamakono chazikhulupiliro ndi eni ake kwambiri. Amadzinenera kuti ndi otetezeka, koma zoona zake, mukuzitenga mwachikhulupiriro ndipo simungathe kuzitsimikizira nokha, "akutero Dominic Rizzo, injiniya wotsogolera chitetezo cha polojekiti ya Titan ya Google. "Tsopano, kwa nthawi yoyamba, mukhoza kutsimikizira chitetezo popanda kukhulupirira mwachimbulimbuli opanga mapangidwe a mizu ya chidaliro. Choncho mazikowo sali olimba, ndi otsimikizika."

Rizzo adawonjezeranso kuti OpenTitan ikhoza kuonedwa ngati "mapangidwe owonekera bwino poyerekeza ndi momwe zinthu zilili pano."

Malinga ndi opanga, OpenTitan sayenera kuonedwa ngati chinthu chomalizidwa, chifukwa chitukuko sichinathe. Adatsegula mwadala zomwe zafotokozedwa ndikukonzekera pakati pa chitukuko kuti aliyense athe kuwonanso, kupereka nawo, ndikuyeretsa dongosololi lisanapangidwe.

Kuti muyambe kupanga tchipisi ta OpenTitan, muyenera kutumiza fomu ndikulandila satifiketi. Mwachiwonekere, palibe malipiro a chilolezo omwe amafunika.

Source: www.habr.com

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster