The open-source OpenTitan chip will replace the Intel and ARM roots of trust


On November 5, 2019, the non-profit organization lowRISC, together with Google and other sponsors, announced the OpenTitan project, which it calls "the first open-source project to build an open, high-quality chip architecture with a root of trust (RoT) at the hardware level."

OpenTitan, built on the RISC-V architecture, is a special-purpose chip intended for servers in data centers and for any other equipment where a trusted boot must be guaranteed, the firmware protected from modification and the possibility of rootkits ruled out: motherboards, network cards, routers, IoT devices, mobile phones and so on.

Yes, similar modules already exist in modern processors. For example, the Intel Hardware Boot Guard module is the root of trust in Intel processors. It verifies the authenticity of the UEFI BIOS through a chain of trust before the OS is loaded. But the question is how far we can trust these roots of trust, given that we have no guarantee that the design contains no bugs and no way to check it. See the article "Schrödinger's Trusted Download. Intel Boot Guard" for a description of how a bug that existed for years in the products of several vendors allows a potential attacker to use this very technology to build a hidden rootkit into the system that cannot be removed (even by the manufacturer).

The threat of hardware compromise in the supply chain is real and alarming: apparently, any electronics engineer can plant a bug on a server motherboard using equipment costing no more than $200. Some experts speculate that "organizations with budgets of hundreds of millions of dollars may have been doing this for many years." Although there is no evidence, it is technically possible.

"If you can't trust the hardware bootloader, the game is over," says Gavin Ferris, a member of lowRISC's board of directors. "It doesn't matter how the operating system behaves: if you are already compromised at the moment the operating system loads, then the rest is a technicality. You have already lost."

This problem is meant to be solved by the first open-source hardware platform, OpenTitan (GitHub repository, documentation, hardware specifications). Moving away from proprietary solutions will help transform the "lazy and buggy RoT industry," says Google.

Google itself began developing Titan after discovering the Minix operating system embedded in Intel Management Engine (ME) chips. This complex OS expanded the attack surface in unpredictable and uncontrollable ways. Google tried to remove the Intel Management Engine (ME), but without success.

What is a root of trust?

Each stage of the system boot process verifies the authenticity of the next stage, thereby forming a chain of trust.

A Root of Trust (RoT) is hardware-based authentication that ensures the source of the first instruction executed in the chain of trust cannot be altered. The RoT is the first line of defense against rootkits. It is a key stage of the boot process that every subsequent stage of the system builds on: from the BIOS to the OS and applications. It must verify the authenticity of each subsequent loading stage. To do this, a set of digitally signed keys is used at each level. One of the most popular standards for hardware key protection is the TPM (Trusted Platform Module).

Building a root of trust. Above are the step-by-step boot stages that form a chain of trust, starting with the bootloader in immutable memory. Each stage uses a public key to verify the identity of the next component loaded. Illustration from Perry Lee's book "Internet of Things Architecture"

The RoT can be initialized in different ways:

  • loading the image and the root key from firmware or immutable memory;
  • storing the root key in one-time programmable memory using fuse bits;
  • loading code from a protected memory region into a protected memory area.

Different processors implement the root of trust differently. Intel and ARM
support the following technologies:

  • ARM TrustZone. ARM sells chipmakers a silicon block that provides the root of trust and other security mechanisms. It isolates the microprocessor from the non-secure core; it runs a Trusted OS, a secure operating system with a well-defined interface for interacting with the non-secure components. Protected resources reside in the trusted core and should be as lightweight as possible. Switching between components of the two worlds is done by hardware context switching, eliminating the need for software security monitoring.
  • Intel Boot Guard is a hardware mechanism for verifying the authenticity of the initial boot block by cryptographic means or through a measurement process. To verify the initial block, the manufacturer must generate a 2048-bit key consisting of two parts: public and private. The public key is written to the board by "blowing" fuse bits during manufacturing. These bits are used once and cannot be changed. The private part of the key produces the digital signature used for the subsequent authentication of the boot stage.
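As an added illustration of the chain of trust and of the fuse-bit initialization described above (example code written for this page, not OpenTitan's, Intel's or ARM's own implementation), the following Go program models a root of trust: a one-time-programmable fuse bank pins the hash of the vendor's root public key, immutable ROM logic verifies the bootloader against that key, and each verified stage supplies the public key for the stage after it. The image layout, the stage names and the use of Ed25519 keys are assumptions made for the example; a real RoT uses vendor-specific image formats and, in Intel Boot Guard's case, the 2048-bit key described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// OTPBank models the one-time-programmable fuse bits a root of trust burns at
// manufacturing: the slot can be written exactly once and never rewritten.
type OTPBank struct {
	rootKeyHash [32]byte
	burned      bool
}

// Burn stores the SHA-256 of the vendor's root public key; a second Burn fails,
// mirroring fuses that cannot be un-blown.
func (o *OTPBank) Burn(rootPub ed25519.PublicKey) error {
	if o.burned {
		return errors.New("otp: fuses already programmed")
	}
	o.rootKeyHash = sha256.Sum256(rootPub)
	o.burned = true
	return nil
}

// Stage is one signed boot image (assumed layout): its payload, the public key
// that verifies the *next* stage, and a signature over both by this stage's owner key.
type Stage struct {
	Name    string
	Payload []byte
	NextPub ed25519.PublicKey // nil for the last stage
	Sig     []byte
}

func (s Stage) signedBytes() []byte {
	var b []byte
	b = append(b, s.Name...)
	b = append(b, s.Payload...)
	return append(b, s.NextPub...)
}

// SignStage builds a stage image and signs it with the key the previous stage trusts.
func SignStage(name string, payload []byte, nextPub ed25519.PublicKey, priv ed25519.PrivateKey) Stage {
	s := Stage{Name: name, Payload: payload, NextPub: nextPub}
	s.Sig = ed25519.Sign(priv, s.signedBytes())
	return s
}

// VerifyChain is the immutable ROM logic: it trusts only the key hash in OTP, then
// each verified stage hands over the key for the one after it. Boot halts at the
// first stage that fails; the names of the stages accepted so far are returned.
func VerifyChain(otp *OTPBank, rootPub ed25519.PublicKey, chain []Stage) ([]string, error) {
	if !otp.burned || sha256.Sum256(rootPub) != otp.rootKeyHash {
		return nil, errors.New("rom: root public key does not match OTP fuse hash")
	}
	pub := rootPub
	var accepted []string
	for _, st := range chain {
		if !ed25519.Verify(pub, st.signedBytes(), st.Sig) {
			return accepted, fmt.Errorf("rom: %s failed signature check, halting boot", st.Name)
		}
		accepted = append(accepted, st.Name)
		pub = st.NextPub
	}
	return accepted, nil
}

// DemoResult collects the outcomes of the constructed scenarios in RunDemo.
type DemoResult struct {
	GoodStages   []string
	GoodErr      error
	TamperedErr  error
	WrongRootErr error
	ReburnErr    error
}

// RunDemo signs a bootloader -> OS chain with a vendor root key, then shows a
// tampered bootloader, a substitute root key and a fuse re-burn all being rejected.
func RunDemo() DemoResult {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	osPub, osPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, _, _ := ed25519.GenerateKey(rand.Reader)

	var otp OTPBank
	_ = otp.Burn(vendorPub) // done once, at the factory

	// Constructed sample images standing in for real firmware.
	chain := []Stage{
		SignStage("bootloader", []byte("BOOTLOADER v1"), osPub, vendorPriv),
		SignStage("os-kernel", []byte("KERNEL v1"), nil, osPriv),
	}
	var r DemoResult
	r.GoodStages, r.GoodErr = VerifyChain(&otp, vendorPub, chain)

	// Flip one payload byte of the bootloader without re-signing it.
	tampered := append([]Stage(nil), chain...)
	p := append([]byte(nil), tampered[0].Payload...)
	p[0] ^= 0xff
	tampered[0].Payload = p
	_, r.TamperedErr = VerifyChain(&otp, vendorPub, tampered)

	// A different root key cannot be substituted: the OTP hash pins the vendor's.
	_, r.WrongRootErr = VerifyChain(&otp, attackerPub, chain)
	r.ReburnErr = otp.Burn(attackerPub)
	return r
}

func main() {
	r := RunDemo()
	fmt.Println("accepted:", r.GoodStages, "err:", r.GoodErr)
	fmt.Println("tampered:", r.TamperedErr)
	fmt.Println("wrong root:", r.WrongRootErr)
	fmt.Println("re-burn:", r.ReburnErr)
}
```

The point the model makes is the one the article relies on: only the hash in the fuses and the ROM verification logic need to be trusted, and because those cannot be rewritten, any later stage that is modified after signing, or signed by a key that does not descend from the pinned root, stops the boot before it gains control.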

The OpenTitan platform covers the key components of the hardware/software system, as shown in the figure below.


OpenTitan Platform

Development of the OpenTitan platform is led by the non-profit organization lowRISC. The engineering team is based in Cambridge (UK), and the main sponsor is Google. The founding partners include ETH Zurich, G+D Mobile Security, Nuvoton Technology and Western Digital.

Google published the project announcement on the Google Open Source corporate blog. The company said OpenTitan is committed to "providing high-quality guidance for RoT design and integration for use in data center servers, storage, edge devices and more."

The root of trust is the first link in the chain of trust, at the lowest level in a trusted computing module, and is always fully trusted by the system.

A RoT is essential for applications that involve public key infrastructures (PKIs). It is the foundation of the security of complex systems such as IoT applications or databases. So it is clear why Google is backing this project: it currently has 19 data centers on five continents. Data centers, storage and mission-critical applications present a large attack surface, and to protect these systems Google originally developed its own root of trust on the Titan chip.

Google's proprietary Titan chip for its data centers was first presented in March 2017 at the Google Cloud Next conference. "Our computers perform a cryptographic check on each software package and then decide whether to grant it access to network resources. Titan integrates into this process and provides additional layers of protection," Google representatives said at that presentation.

Titan chip in a Google server

The Titan architecture used to be Google's alone, but it is now being published in a public repository as an open-source project.

The first stage of the project is to create a logical RoT design at the chip level, including the open-source microprocessor lowRISC Ibex, cryptographic coprocessors, a hardware random number generator, key and memory hierarchies for volatile and non-volatile storage, security mechanisms, I/O peripherals and a secure boot process.

Google says OpenTitan is built on three key principles:

  • everyone can inspect the platform and contribute to it;
  • greater flexibility, by opening up a secure design that is not locked down by vendors' proprietary restrictions;
  • quality guaranteed not only by the design itself, but also by the reference firmware and documentation.

"Current chips with a root of trust are proprietary. They claim to be secure, but in reality you take that on faith and cannot verify it yourself," says Dominic Rizzo, the security expert leading Google's Titan project. "Now, for the first time, it is possible to provide security without blind faith in the developers of the root-of-trust design. So the foundation is not only strong, it can be verified."

Rizzo added that OpenTitan can be regarded as "a transparent design compared to the current state of affairs."

According to the developers, OpenTitan should not be regarded as a finished product, since development is not yet complete. They deliberately opened up the specifications and the mid-development design so that everyone can inspect it, give feedback and improve the system before it launches.

To start producing OpenTitan chips, you must register and obtain a certificate. Apparently, no license fee is required.

Source: www.habr.com
