The open OpenTitan chip will replace the Intel and ARM roots of trust


On November 5, 2019 the non-profit organization lowRISC, together with Google and other partners, presented the OpenTitan project, which it calls "the first open-source project to create an open, high-quality chip design with a hardware-level root of trust (RoT)."

OpenTitan, based on the RISC-V architecture, is a special-purpose chip for servers in data centers and for any other device where boot authenticity must be guaranteed, firmware must be protected from modification and the possibility of rootkits must be eliminated: motherboards, network cards, routers, IoT devices, mobile devices and so on.

Of course, similar modules already exist in modern processors. For example, the Intel Hardware Boot Guard module is the root of trust for Intel processors. It verifies the authenticity of the UEFI BIOS through a chain of trust before the OS is loaded. The question, however, is how far we can trust proprietary roots of trust, given that we have no guarantee that the design contains no bugs and no way to check. See the article "Schrödinger's Trusted Boot. Intel Boot Guard" and its description of "how a bug made over many years in the production processes of several vendors allows an attacker to use this technology to create a hidden rootkit in the system that cannot be removed (even with a programmer)."

The risk of hardware compromise in the supply chain is very real: apparently, any amateur electronics engineer can implant a bug in a server motherboard using equipment costing no more than $200. Some experts suspect that "organizations with budgets of hundreds of millions of dollars could have been doing this for many years." Although there is no evidence, it is theoretically possible.

"If you can't trust the hardware bootloader, the game is over," says Gavin Ferris, a member of the lowRISC board of directors. "No matter what the operating system does, if you have already been compromised by the time the operating system loads, then everything else is a technicality. You have already lost."

This problem is to be solved by OpenTitan, the first open platform of its kind (GitHub repository, documentation, hardware specifications). Moving away from proprietary solutions will help change "the lazy and flawed RoT industry," says Google.

Google itself began developing Titan after discovering the Minix operating system built into Intel Management Engine (ME) chips. This complex OS expanded the attack surface in unexpected and uncontrollable ways. Google tried to remove the Intel Management Engine (ME), but without success.

What is a root of trust?

Each stage of the system boot process verifies the authenticity of the next stage, thereby forming a chain of trust.

A Root of Trust (RoT) is a hardware-based assurance that the source of the first executable instructions in the chain of trust cannot be modified. The RoT is the basic defence against rootkits. It is a key part of the boot process that is involved in bringing up the whole system, from the BIOS to the OS and applications. It must verify the authenticity of every boot step; to do this, digitally signed keys are used at each stage. One of the most common standards for hardware key protection is the TPM (Trusted Platform Module).

[Figure: Implementing a root of trust. The figure shows five boot stages that form the chain of trust, starting with the bootloader in non-volatile memory. Each stage uses a public key to verify the identity of the next stage to be loaded. Figure from Perry Lea's book "Internet of Things for Architects".]

A RoT can be implemented in several ways:

  • loading the image and the root key from firmware or non-volatile memory;
  • storing the root keys in one-time-programmable memory using fuse bits;
  • loading code from a protected memory region into protected storage.

Different processors implement the root of trust differently. Intel and ARM
support the following technologies:

  • ARM TrustZone. ARM sells chip makers a silicon block that provides the root of trust and other security mechanisms. It isolates the microprocessor from the untrusted core; it runs a Trusted OS, a secure operating system with a well-defined interface for interacting with the untrusted components. Protected resources reside in the trusted core and should be as lightweight as possible. Switching between components of the two worlds is done by hardware context switching, eliminating the need for a secure monitor program.
  • Intel Boot Guard is a hardware mechanism for verifying the authenticity of the initial boot block by cryptographic methods or by measurement. To verify the initial block, the manufacturer must generate a 2048-bit key consisting of two parts: public and private. The public key is imprinted on the board by "blowing" fuse bits during manufacturing. These bits are programmed once and cannot be changed afterwards. The private part of the key produces the digital signature that is verified at the next boot stage.
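The chain of trust described above (each stage verifies the next with a public key, and the root key is anchored in one-time-programmable fuse bits, as in Boot Guard) can be simulated end to end. The following is an added example, not code from OpenTitan, lowRISC or Google; it uses a constructed toy RSA with tiny primes purely for illustration, and the stage names, images and key sizes are assumptions.

```python
import hashlib
# Constructed toy RSA with tiny primes: illustration only, not a real 2048-bit key.
def make_toy_key(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)
def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):
    return pow(digest_int(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == digest_int(data, pub[0])
def key_fingerprint(pub):
    # This is what gets burned into one-time-programmable fuse bits: a hash of the key.
    return hashlib.sha256(f"{pub[0]}:{pub[1]}".encode()).digest()

def make_stage(name, signing_priv, signing_pub, image, next_pub):
    # The signature covers the image AND the fingerprint of the next stage's key,
    # so nobody can swap in their own key for the stage that follows.
    return (name, signing_pub, image, next_pub,
            sign(signing_priv, image + key_fingerprint(next_pub)))

def verified_boot(fused_root_hash, stages):
    """A stage runs only if its key matches the anchored hash and its signature verifies."""
    expected, booted = fused_root_hash, []
    for name, pub, image, next_pub, sig in stages:
        payload = image + key_fingerprint(next_pub)
        if key_fingerprint(pub) != expected or not verify(pub, payload, sig):
            return booted, f"halt: {name} failed verification"
        booted.append(name)
        expected = key_fingerprint(next_pub)  # becomes the anchor for the next link
    return booted, "ok"

def build_demo_chain():
    root_pub, root_priv = make_toy_key(1000003, 1000033)  # root key: hash lives in fuses
    bl_pub, bl_priv = make_toy_key(1000037, 1000039)      # key carried by the bootloader
    os_pub, os_priv = make_toy_key(1000081, 1000099)      # key carried by the firmware
    stages = [
        make_stage("bootloader", root_priv, root_pub, b"BOOTLOADER v1", bl_pub),
        make_stage("firmware", bl_priv, bl_pub, b"FIRMWARE v1", os_pub),
        make_stage("os", os_priv, os_pub, b"OS kernel v1", os_pub),  # last link
    ]
    return key_fingerprint(root_pub), stages

def tampered_chain():
    # Constructed failure case: the firmware image is altered after signing.
    fused, stages = build_demo_chain()
    name, pub, _, next_pub, sig = stages[1]
    stages[1] = (name, pub, b"FIRMWARE v1 (modified)", next_pub, sig)
    return fused, stages
```

Because the fuse-anchored hash is checked before the signature, replacing the firmware's key with a different one fails even if the new key signs the image correctly.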

The OpenTitan platform discloses the main components of the hardware/software system, as shown in the figure below.

[Figure: The OpenTitan platform]

Development of the OpenTitan platform is managed by the non-profit organization lowRISC. The engineering team is based in Cambridge (UK), and the main sponsor is Google. The founding partners include ETH Zurich, G+D Mobile Security, Nuvoton Technology and Western Digital.

Google published the project announcement on the Google Open Source corporate blog. The company said OpenTitan is committed to "delivering high-quality guidance on RoT design and integration for use in data center servers, storage, edge devices and more."

The root of trust is the first link in the chain of trust, at the lowest level of the trusted computing base, which the system always trusts unconditionally.

The RoT is essential for applications including public key infrastructures (PKIs). It is the security foundation on which a complex system such as an IoT deployment or a data center rests. It is therefore understandable why Google supports this project: it now operates 19 data centers on five continents. Data centers, storage and critical applications have a large attack surface, and to protect them Google first developed its own root of trust on the Titan chip.

The Titan chip for Google data centers was first presented in March 2017 at the Google Cloud Next conference. "Our computers perform checks on every software package and decide whether to grant it access to network resources. Titan integrates into this process and adds extra protection," Google representatives said at the event.

[Figure: The Titan chip in a Google server]

The Titan architecture was previously proprietary to Google, but it is now being offered to the public as an open-source project.

The first stage of the project is to create a logical RoT design at the chip level, including an open microprocessor from lowRISC, cryptographic coprocessors, a hardware random number generator, key and memory hierarchies for volatile and non-volatile storage, protection mechanisms, I/O peripherals and secure boot mechanisms.

Google says OpenTitan is built on three key principles:

  • anyone can inspect the platform and contribute to it;
  • greater flexibility through opening up a well-protected design that is not locked down by commercial restrictions;
  • quality is ensured not only by the design itself, but also by the firmware specifications and documentation.

"Modern chips with a root of trust are highly proprietary. They claim to be secure, but in reality you take it on faith and cannot verify it yourself," said Dominic Rizzo, lead security engineer of the Google Titan project. "Now, for the first time, it is possible to provide security without blind faith in the developers of a proprietary root of trust. So the foundation is not only solid, it can be verified."

Rizzo added that OpenTitan can be regarded as "a radically transparent design compared to the current state of affairs."

According to the developers, OpenTitan should not be regarded as a finished product, since development is not yet complete. They deliberately opened the specifications and design in the middle of development so that anyone can review, contribute to and improve the system before it goes into production.

To start producing OpenTitan chips, you need to apply and obtain a certificate. Apparently, no fees are required.

Source: www.habr.com
