Vulnerability in AMD CPUs allowing the SEV (Secure Encrypted Virtualization) protection mechanism to be bypassed

Researchers at the Helmholtz Center for Information Security (CISPA) have disclosed a new attack method, CacheWarp, for compromising the AMD SEV (Secure Encrypted Virtualization) protection mechanism, which is used in virtualization systems to shield virtual machines from interference by the hypervisor or the administrator of the host system. The proposed method allows an attacker with access to the hypervisor to execute third-party code and escalate privileges inside a virtual machine protected by AMD SEV.

The attack relies on exploiting a vulnerability (CVE-2023-20592) caused by incorrect cache handling during execution of the INVD processor instruction. With it, an attacker can create a mismatch between the data in memory and the data in the cache, and bypass the mechanisms for maintaining the integrity of virtual machine memory that are implemented on top of the SEV-ES and SEV-SNP extensions. The vulnerability affects AMD EPYC processors from the first through the third generation.

For third-generation AMD EPYC processors (Zen 3), the issue is fixed in the November microcode update released yesterday by AMD (the fix causes no performance degradation). For the first and second generations of AMD EPYC (Zen 1 and Zen 2), no protection is provided, since these CPUs do not support the SEV-SNP extension, which provides integrity control for virtual machines. The fourth generation of AMD EPYC "Genoa" processors, based on the "Zen 4" microarchitecture, is not vulnerable.
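A small host-triage helper, added here as an example and not part of the CISPA research or the original article: it parses `/proc/cpuinfo` text and sorts the host into the three buckets the advisory describes (Zen 1/2: affected and unfixed, Zen 3: affected but fixed by microcode, Zen 4: not affected). The family/model-to-generation mapping is an assumption taken from the Linux kernel's AMD family 0x17/0x19 classification, and the sample `/proc/cpuinfo` content is constructed.

```python
# Added triage helper (not from the CISPA paper or opennet article).
# ASSUMPTION: the family/model ranges below follow the Linux kernel's
# AMD family 0x17/0x19 split; verify against AMD revision guides before
# relying on them for a fleet-wide decision.
ZEN3_MODELS = [(0x00, 0x0F), (0x20, 0x5F)]   # family 0x19: EPYC Milan etc.
ZEN4_MODELS = [(0x10, 0x1F), (0x60, 0xAF)]   # family 0x19: EPYC Genoa etc.

def zen_generation(family: int, model: int) -> str:
    """Map AMD family/model to the coarse generation buckets the advisory uses."""
    if family == 0x17:
        return "zen1/2"          # Zen, Zen+ and Zen 2 all live in family 0x17
    if family == 0x19:
        if any(lo <= model <= hi for lo, hi in ZEN3_MODELS):
            return "zen3"
        if any(lo <= model <= hi for lo, hi in ZEN4_MODELS):
            return "zen4"
    return "unknown"

def parse_cpuinfo(text: str) -> dict:
    """Extract vendor, family, model, microcode and flags of the first CPU."""
    first = text.strip().split("\n\n")[0]
    fields = {}
    for line in first.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "vendor": fields.get("vendor_id", ""),
        "family": int(fields.get("cpu family", "0")),
        "model": int(fields.get("model", "0")),
        "microcode": fields.get("microcode", ""),
        "flags": set(fields.get("flags", "").split()),
    }

def cachewarp_status(cpuinfo_text: str) -> dict:
    """Classify a host against CVE-2023-20592 as described in the advisory."""
    cpu = parse_cpuinfo(cpuinfo_text)
    amd = cpu["vendor"] == "AuthenticAMD"
    gen = zen_generation(cpu["family"], cpu["model"]) if amd else "n/a"
    verdict = {
        "zen1/2": "affected, no fix (no SEV-SNP); SEV gives no guest integrity here",
        "zen3": "affected; fixed by AMD's November 2023 microcode, confirm loaded level",
        "zen4": "not affected",
    }.get(gen, "not in scope of this advisory")
    return {"generation": gen, "sev_advertised": "sev" in cpu["flags"],
            "microcode": cpu["microcode"], "verdict": verdict}

# Constructed sample resembling a Zen 3 EPYC host (values are illustrative).
SAMPLE_MILAN = ("processor\t: 0\nvendor_id\t: AuthenticAMD\ncpu family\t: 25\n"
                "model\t\t: 1\nmodel name\t: AMD EPYC 7313P 16-Core Processor\n"
                "microcode\t: 0xffffffff\nflags\t\t: fpu sev sev_es sev_snp\n")

if __name__ == "__main__":
    print(cachewarp_status(SAMPLE_MILAN))
```

On a real host, feed it `open("/proc/cpuinfo").read()`; the microcode field is reported so the loaded level can be compared with AMD's fixed revision, which this article does not list.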

AMD SEV technology is used for virtual machine isolation by cloud providers such as Amazon Web Services (AWS), Google Cloud, Microsoft Azure and Oracle Compute Infrastructure (OCI). AMD SEV protection is implemented through hardware-level encryption of virtual machine memory. In addition, the SEV-ES (Encrypted State) extension protects CPU registers. Only the current guest system has access to the decrypted data; when other virtual machines or the hypervisor attempt to access this memory, they see only an encrypted set of data.

The third generation of AMD EPYC processors introduced an additional extension, SEV-SNP (Secure Nested Paging), which ensures safe operation of nested memory page tables. Beyond general memory encryption and isolation, SEV-SNP applies additional measures to protect memory integrity by preventing changes to the VM by the hypervisor. Encryption keys are managed by a separate PSP (Platform Security Processor) built into the chip and implemented on the ARM architecture.

The essence of the proposed attack method is to use the INVD instruction to invalidate blocks (lines) of dirty pages in the cache without flushing the data accumulated in the cache to memory (write-back). The method thus allows modified data to be evicted from the cache without changing the state of memory. To carry out the attack, it is proposed to use software exceptions (fault injection) to interrupt the virtual machine at two points: at the first point, the attacker invokes the "wbnoinvd" instruction to flush all memory writes accumulated in the cache, and at the second point invokes the "invd" instruction to roll back the writes not yet reflected in memory to the old state.

To check systems for the vulnerability, a prototype exploit has been published that allows an exception to be injected into a virtual machine protected by AMD SEV and changes in the VM that have not yet been flushed to memory to be rolled back. Rolling back a change can be used to alter the program's control flow by restoring an old return address on the stack, or to reuse the login state of an old, previously authenticated session by restoring the value of the authentication attribute.

For example, the researchers demonstrated that the CacheWarp method can be used to carry out a Bellcore attack on the RSA-CRT implementation in the ipp-crypto library, which made it possible to recover the private key by injecting a fault during digital signature computation. They also showed how the session authentication parameters in OpenSSH can be changed when connecting remotely to the guest system, and how the verification state can then be changed when using the sudo utility to obtain root privileges on Ubuntu 20.04. The exploit was tested on systems with AMD EPYC 7252, 7313P and 7443 processors.

Source: opennet.ru
